Syslog是一種行業標準的協議,可用來記錄裝置的日誌。常見的應用情境是網路管理工具、安全管理系統、日誌審計系統。本文檔介紹如何使用SLS DSL中的GROK函數高效快捷地解析不同格式的Syslog日誌。
概況
在Unix類作業系統上,Syslog廣泛應用於系統日誌。Syslog日誌訊息既可以記錄在本地檔案中,也可以通過網路發送到接收Syslog的伺服器。伺服器可以對多個裝置的Syslog訊息進行統一的儲存,或者解析其中的內容做相應的處理。
問題
長期以來,沒有一個標準來規範Syslog的格式,導致Syslog的格式非常隨意。甚至有些情況下沒有任何格式,導致程式不能對Syslog訊息進行解析,只能將其看作是一個字串。所以如何解析不同格式的Syslog日誌就變得非常重要。
Syslog協議標準簡介
目前業界存在常見兩種Syslog日誌協議,一個是2009年的RFC5424協議,另外一個是2001年的RFC3164協議。以下介紹這兩種協議的不同之處,以便在後續實踐中能夠靈活應用GROK解析Syslog日誌。
RFC5424協議
RFC5424協議包含以下欄位資訊,具體資訊請參見官方協議。
PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID通過以下樣本來對以上欄位進行說明:
""" Example1: <34>1 2019-07-11T22:14:15.003Z aliyun.example.com ali - ID47 - BOM'su user' failed for lonvick on /dev/pts/8 """ PRI -- 34 VERSION -- 1 TIMESTAMP -- 2019-07-11T22:14:15.003Z HOSTNAME -- aliyun.example.com APP-NAME -- ali PROCID -- 無 MSGID -- ID47 MESSAGE -- 'su user' failed for lonvick on /dev/pts/8 """ Example2: <165>1 2019-07-11T22:14:15.000003-07:00 192.0.2.1 myproc 8710 - - %% It's time to make the do-nuts. """ PRI -- 165 VERSION -- 1 TIMESTAMP -- 2019-07-11T05:14:15.000003-07:00 HOSTNAME -- 192.0.2.1 APP-NAME -- myproc PROCID -- 8710 STRUCTURED-DATA -- “-” MSGID -- “-” MESSAGE -- "%% It's time to make the do-nuts." """ Example3: - with STRUCTURED-DATA <165>1 2019-07-11T22:14:15.003Z aliyun.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource= "Application" eventID="1011"] BOMAn application event log entry... """ PRI -- 165 VERSION -- 1 TIMESTAMP -- 2019-07-11T22:14:15.003Z HOSTNAME -- aliyun.example.com APP-NAME -- evntslog PROCID -- "-" MSGID -- ID47 STRUCTURED-DATA -- [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] MESSAGE -- An application event log entry...RFC3164協議
RFC3164協議包含以下欄位資訊,具體資訊請參見官方協議。
PRI HEADER[TIME HOSTNAME] MSG通過以下樣本來對以上欄位進行說明:
""" <30>Oct 9 22:33:20 hlfedora auditd[1787]: The audit daemon is exiting. """ PRI -- 30 HEADER - TIME -- Oct 9 22:33:20 - HOSTNAME -- hlfedora MSG - TAG -- auditd[1787] - Content --The audit daemon is exiting.
使用GROK解析Syslog常見格式
使用GROK對幾種常用格式的Syslog進行解析。具體的GROK規則請參見GROK模式參考。
解析TraditionalFormat格式
原始日誌
receive_time: 1558663265 __topic__: content: May 5 10:20:57 iZbp1a65x3r1vhpe94fi2qZ systemd: Started System Logging Service.SLS DSL規則
e_regex('content', grok('%{SYSLOGBASE} %{GREEDYDATA:message}'))加工結果
receive_time: 1558663265 __topic__: content: May 5 10:20:57 iZbp1a65x3r1vhpe94fi2qZ systemd: Started System Logging Service. timestamp: May 5 10:20:57 logsource: iZbp1a65x3r1vhpe94fi2qZ program: systemd message: Started System Logging Service.
解析FileFormat格式
原始日誌
receive_time: 1558663265 __topic__: content: 2019-05-06T09:26:07.874593+08:00 iZbp1a65x3r1vhpe94fi2qZ user: 834753SLS DSL規則
e_regex('content',grok('%{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:hostname} %{SYSLOGPROG} %{GREEDYDATA:message}'))加工結果
receive_time: 1558663265 __topic__: content: 2019-05-06T09:26:07.874593+08:00 iZbp1a65x3r1vhpe94fi2qZ user: 834753 timestamp: 2019-05-06T09:26:07.874593+08:00 hostname: iZbp1a65x3r1vhpe94fi2qZ program: user message: 834753
解析RSYSLOG_SyslogProtocol23Format格式
原始日誌
receive_time: 1558663265 __topic__: content: <13>1 2019-05-06T11:50:16.015554+08:00 iZbp1a65x3r1vhpe94fi2qZ user - - - twishSLS DSL規則
e_regex('content',grok('%{POSINT:priority}>%{NUMBER:version} %{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:hostname} %{PROG:program} - - - %{GREEDYDATA:message}'))加工結果
receive_time: 1558663265 __topic__: content: <13>1 2019-05-06T11:50:16.015554+08:00 iZbp1a65x3r1vhpe94fi2qZ user - - - twish priority: 13 version: 1 timestamp: 2019-05-06T11:50:16.015554+08:00 hostname: iZbp1a65x3r1vhpe94fi2qZ program: user message: twish
解析RSYSLOG_DebugFormat格式
日誌內容
receive_time: 1558663265 __topic__: content: 2019-05-06T14:29:37.558854+08:00 iZbp1a65x3r1vhpe94fi2qZ user: environmentSLS SL規則
e_regex('content',grok('%{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:hostname} %{SYSLOGPROG} %{GREEDYDATA:message}'))加工結果
receive_time: 1558663265 __topic__: content: 2019-05-06T14:29:37.558854+08:00 iZbp1a65x3r1vhpe94fi2qZ user: environment timestamp: 2019-05-06T14:29:37.558854+08:00 hostname: iZbp1a65x3r1vhpe94fi2qZ program: user message: environment
使用GROK解析Syslog非常見日誌格式
使用GROK解析不常見的兩種Syslog日誌格式,即fluent軟體採用的FluentRFC5424格式和FluentRFC3164格式。
FluentRFC5424格式
日誌內容
receive_time: 1558663265 __topic__: content: <16>1 2019-02-28T12:00:00.003Z 192.168.0.1 aliyun 11111 ID24224 [exampleSDID@20224 iut='3' eventSource='Application' eventID='11211] Hi, from Fluentd!SLS DSL規則
e_regex('content',grok('%{POSINT:priority}>%{NUMBER:version} %{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:hostname} %{WORD:ident} %{USER:pid} %{USERNAME:msgid} (?P<extradata>(\[(.*)\]|[^ ])) %{GREEDYDATA:message}'))加工結果
receive_time: 1558663265 __topic__: content: <16>1 2019-02-28T12:00:00.003Z 192.168.0.1 aliyun 11111 ID24224 [exampleSDID@20224 iut='3' eventSource='Application' eventID='11211] Hi, from aliyun! priority: 16 version: 1 timestamp: 2019-02-28T12:00:00.003Z hostname: 192.168.0.1 ident: aliyun pid: 11111 msgid: ID24224 extradata: [exampleSDID@20224 iut='3' eventSource='Application' eventID='11211] message: Hi, from aliyun!
FluentRFC3164格式
日誌內容
receive_time: 1558663265 __topic__: content: <6>Feb 28 12:00:00 192.168.0.1 aliyun[11111]: [error] Syslog testSLS DSL規則
e_regex('content', grok('%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{WORD:ident}(?P<pid>(\[[a-zA-Z0-9._-]+\]|[^:])): (?P<level>(\[(\w+)\]|[^ ])) %{GREEDYDATA:message}'))加工結果
receive_time: 1558663265 __topic__: content: <6>Feb 28 12:00:00 192.168.0.1 aliyun[11111]: [error] Syslog test priority: 6 timestamp: Feb 28 12:00:00 hostname: 192.168.0.1 ident: aliyun pid: [11111] level: [error] message: Syslog test
拓展解析priority
解析FluentRFC5424格式和FluentRFC3164格式的Syslog過後的日誌內容,還可以對priority進一步解析,並且匹配解析出來的facility和severity資訊,關於使用RFC5424協議更多內容請參見e_syslogrfc。樣本如下:
原始日誌
receive_time: 1558663265 __topic__: content: <13>1 2019-05-06T11:50:16.015554+08:00 iZbp1a65x3r1vhpe94fi2qZ user - - - twish priority: 13 version: 1 timestamp: 2019-05-06T11:50:16.015554+08:00 hostname: iZbp1a65x3r1vhpe94fi2qZ program: user message: twishSLS DSL規則
e_syslogrfc("priority","SYSLOGRFC5424")加工結果
receive_time: 1558663265 __topic__: content: <13>1 2019-05-06T11:50:16.015554+08:00 iZbp1a65x3r1vhpe94fi2qZ user - - - twish priority: 13 version: 1 timestamp: 2019-05-06T11:50:16.015554+08:00 hostname: iZbp1a65x3r1vhpe94fi2qZ program: user message: twish _facility_: 1 _severity_: 5 _severitylabel_: Notice: normal but significant condition _facilitylabel_: user-level messages