Fixed Grok Pattern - Migragted back to Grok
I switched from the `tail` CSV parser to the `tail` grok parser because of a timestamp issue (https://github.com/influxdata/telegraf/issues/8948). I also went through the grok pattern and the error logs to eliminate as many parse errors as possible.
This commit is contained in:
parent
87056f0d40
commit
3c7cea1a55
@ -7,24 +7,20 @@
|
||||
data_format = "influx"
|
||||
|
||||
[[inputs.tail]]
|
||||
files = ["/var/log/pfblockerng/ip_block.log"]
|
||||
name_suffix = "_ipblock"
|
||||
data_format = "csv"
|
||||
csv_delimiter = ","
|
||||
files = ["/var/log/pfblockerng/dnsbl.log"]
|
||||
data_format = "grok"
|
||||
from_beginning = false
|
||||
csv_tag_columns = ["geoip_code","feed_name","src_ip"]
|
||||
csv_column_names = ["timestamp","rulenum","interface","friendlyname","action","ip_version","protocolid","protocol","src_ip","dest_ip","src_port","dest_port","direction","geoip_code","ip_alias_name","ip_evaluated","feed_name","resolvedhostname","clienthostname","duplicateeventstatus"]
|
||||
csv_column_types = ["string","int","string","string","string","int","int","string","string","string","string","int","string","string","string","string","string","string","string","string"]
|
||||
name_suffix = "_dnsbl_log"
|
||||
grok_timezone = "Local"
|
||||
grok_patterns = ["^%{WORD:blocktype}-%{WORD:blocksubtype},%{SYSLOGTIMESTAMP:timestamp:ts-syslog},%{IPORHOST:domain},%{IPORHOST:src_ip:tag},%{GREEDYDATA:req_agent},%{WORD:blockmethod},%{WORD:blocklist},%{IPORHOST:tld:tag},%{WORD:feed_name:tag},%{GREEDYDATA:duplicateeventstatus}"]
|
||||
|
||||
[[inputs.tail]]
|
||||
files = ["/var/log/pfblockerng/dnsbl.log"]
|
||||
name_suffix = "_dnsbl"
|
||||
data_format = "csv"
|
||||
csv_delimiter = ","
|
||||
files = ["/var/log/pfblockerng/ip_block.log"]
|
||||
data_format = "grok"
|
||||
from_beginning = false
|
||||
csv_tag_columns = ["src_ip","tld"]
|
||||
csv_column_names = ["blocktype","timestamp","domain","src_ip","req_agent","blockmethod","blocklist","tld","feed_name","duplicateeventstatus"]
|
||||
csv_column_types=["string","string","string","string","string","string","string","string","string","string"]
|
||||
name_suffix = "_ip_block_log"
|
||||
grok_timezone = "Local"
|
||||
grok_patterns = ["^%{SYSLOGTIMESTAMP:timestamp:ts-syslog},%{NUMBER:rulenum},%{DATA:interface},%{WORD:friendlyname},%{WORD:action},%{NUMBER:ip_version},%{NUMBER:protocolid},%{DATA:protocol},%{IPORHOST:src_ip:tag},%{IPORHOST:dest_ip:tag},%{WORD:src_port},%{NUMBER:dest_port},%{WORD:direction},%{WORD:geoip_code:tag},%{DATA:ip_alias_name},%{DATA:ip_evaluated},%{DATA:feed_name:tag},%{HOSTNAME:resolvedhostname},%{GREEDYDATA:clienthostname},%{GREEDYDATA:ASN},%{GREEDYDATA:duplicateeventstatus}"]
|
||||
|
||||
#[[inputs.unbound]]
|
||||
# server = "127.0.0.1:953"
|
||||
|
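Review bot: The new `grok_patterns` line for ip_block.log drops the integer typing that the removed `csv_column_types` gave `rulenum`, `ip_version`, `protocolid` and `dest_port`; without a modifier Telegraf's grok parser stores these captures as string fields, so numeric comparisons in dashboards or alerts on the new `_ip_block_log` measurement silently stop matching, and `src_port` is captured with `WORD` while `dest_port` uses `NUMBER`. Suggested: `%{NUMBER:rulenum:int}`, `%{NUMBER:ip_version:int}`, `%{NUMBER:protocolid:int}`, `%{NUMBER:src_port:int}`, `%{NUMBER:dest_port:int}`. Both patterns are also strict on client-controlled text: `%{IPORHOST:domain}` in the dnsbl pattern rejects any queried name outside the default HOSTNAME grammar (underscores, for instance, if the bundled pattern is the usual one), and a rejected line is a dropped block event in exactly the data an attacker chooses — `%{DATA:domain}` would be enough since the comma delimiter already bounds the field. `dest_ip:tag` is new relative to the CSV config and turns every distinct destination address into its own series; keep it a field unless it is actually queried as a dimension.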