disney82231
Reputation: 199
How can I set logstash conf when different logs input from the same thirty-party equipment
The thirty-party equipment has different logs when a user use differnet commands . EX: log A
Jun 2 16:45:49 host-A; rule='a', type='a', pattern='a', actions_taken='a', event_data='a'
log b
Jun 2 16:52:19 host-A; event='bbb', user='sss', com='111'
They don't have the same field when users use differnet commands .
The gork can't only uses one pattern to parse log.
How can I set grok to solve this problem?
Upvotes: 0
Views: 26
Answers (1)
Badger
Reputation: 4072
Use grok to parse everything up to the semi-colon, then use a kv filter to parse the rest.
Upvotes: 1
Related Questions
- Logstash: 1 input & multiple output files
- supporting different kind of logs with Logstash
- Running Multiple Logstash Configuration in One Logstash Instance
- Logstash configtest
- How to write custom grok for logstash
- Logstash custom log parsing
- How to make the logstash 2.3.2 configuration file more flexible
- Handling different log formats in the same file
- Logstash - grok configuration filter
- How to make Logstash consume its own logs