Logstash 中的 ESX 性能统计数据

Question

这是一个示例输入，您只需要 rsyslog 或日志记录工具将日志发送到输入端口（此示例中为 1514），然后过滤数据：

输入

input {
        tcp {
                type => "VMware"
                port => "1514"
        }
}

筛选

filter {
    if "VMware" in [tags] {
            multiline {
                    pattern => "-->"
                    what => "previous"
            }
            grok {
                    break_on_match => true
                    match => [
                            "message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: (?<message-body>(?<message_system_info>(?:\[%{DATA:message_thread_id} %{DATA:syslog_level} \'%{DATA:message_service}\'\ ?%{DATA:message_opID}])) \[%{DATA:message_service_info}]\ (?<syslog_message>(%{GREEDYDATA})))",
                            "message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: (?<message-body>(?<message_system_info>(?:\[%{DATA:message_thread_id} %{DATA:syslog_level} \'%{DATA:message_service}\'\ ?%{DATA:message_opID}])) (?<syslog_message>(%{GREEDYDATA})))",
                            "message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: %{GREEDYDATA:syslog_message}"
                    ]
            }
            syslog_pri { }
            date {
                    match => [ "syslog_timestamp", "YYYY-MM-ddHH:mm:ss,SSS" ]
                    timezone => "UTC"
            }
            mutate {
                    replace => [ "@source_host", "%{syslog_hostname}" ]
            }
            mutate {
                    replace => [ "@message", "%{syslog_message}" ]
            }
            if "Device naa" in [message] {
                    grok {
                            break_on_match => false
                            match => [
                                    "message", "Device naa.%{WORD:device_naa} performance has %{WORD:device_status}%{GREEDYDATA} of %{INT:datastore_latency_from}%{GREEDYDATA} to %{INT:datastore_latency_to}",
                                    "message", "Device naa.%{WORD:device_naa} performance has %{WORD:device_status}%{GREEDYDATA} from %{INT:datastore_latency_from}%{GREEDYDATA} to %{INT:datastore_latency_to}"
                            ]
                    }
            }
            if "connectivity issues" in [message] {
                    grok {
                            match => [
                                    "message", "Hostd: %{GREEDYDATA} : %{DATA:device_access} to volume %{DATA:device_id} %{DATA:datastore} (following|due to)"
                            ]
                    }
            }
            if "WARNING" in [message] {
                    grok {
                            match => [
                                    "message", "WARNING: %{GREEDYDATA:vmware_warning_msg}"
                            ]
                    }
            }
    }

}

Answer 1

这是一个示例输入，您只需要 rsyslog 或日志记录工具将日志发送到输入端口（此示例中为 1514），然后过滤数据：

输入

input {
        tcp {
                type => "VMware"
                port => "1514"
        }
}

筛选

filter {
    if "VMware" in [tags] {
            multiline {
                    pattern => "-->"
                    what => "previous"
            }
            grok {
                    break_on_match => true
                    match => [
                            "message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: (?<message-body>(?<message_system_info>(?:\[%{DATA:message_thread_id} %{DATA:syslog_level} \'%{DATA:message_service}\'\ ?%{DATA:message_opID}])) \[%{DATA:message_service_info}]\ (?<syslog_message>(%{GREEDYDATA})))",
                            "message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: (?<message-body>(?<message_system_info>(?:\[%{DATA:message_thread_id} %{DATA:syslog_level} \'%{DATA:message_service}\'\ ?%{DATA:message_opID}])) (?<syslog_message>(%{GREEDYDATA})))",
                            "message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: %{GREEDYDATA:syslog_message}"
                    ]
            }
            syslog_pri { }
            date {
                    match => [ "syslog_timestamp", "YYYY-MM-ddHH:mm:ss,SSS" ]
                    timezone => "UTC"
            }
            mutate {
                    replace => [ "@source_host", "%{syslog_hostname}" ]
            }
            mutate {
                    replace => [ "@message", "%{syslog_message}" ]
            }
            if "Device naa" in [message] {
                    grok {
                            break_on_match => false
                            match => [
                                    "message", "Device naa.%{WORD:device_naa} performance has %{WORD:device_status}%{GREEDYDATA} of %{INT:datastore_latency_from}%{GREEDYDATA} to %{INT:datastore_latency_to}",
                                    "message", "Device naa.%{WORD:device_naa} performance has %{WORD:device_status}%{GREEDYDATA} from %{INT:datastore_latency_from}%{GREEDYDATA} to %{INT:datastore_latency_to}"
                            ]
                    }
            }
            if "connectivity issues" in [message] {
                    grok {
                            match => [
                                    "message", "Hostd: %{GREEDYDATA} : %{DATA:device_access} to volume %{DATA:device_id} %{DATA:datastore} (following|due to)"
                            ]
                    }
            }
            if "WARNING" in [message] {
                    grok {
                            match => [
                                    "message", "WARNING: %{GREEDYDATA:vmware_warning_msg}"
                            ]
                    }
            }
    }

}

Logstash 中的 ESX 性能统计数据

答案1

相关内容