Dokumen ini menjelaskan cara mengurai data yang dipisahkan oleh karakter khusus dalam Syslog atau format teks lainnya.
Log Berformat CSV Standar
Log mentah:
_program_:error _severity_:6 _priority_:14 _facility_:1 topic:syslog-forwarder content:198.51.100.1|10/Jun/2019:11:32:16 +0800|aliyundoc.com|GET /zf/11874.html HTTP/1.1|200|0.077|6404|198.51.100.10:8001|200|0.060|https://example.com/s?q=%25%24%23%40%21&from=wy878378&uc_param_str=dnntnwvepffrgibijbprsvdsei|-|Mozilla/5.0 (Linux; Android 9; HWI-AL00 Build/HUAWEIHWI-A00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Mobile Safari/537.36|-|-Persyaratan:
Jika bidang
_program_diatur ke access, uraikan bidangcontentsebagai nilai yang dipisahkan oleh pipa (PSV). Kemudian, hapus bidangcontent.Pisahkan bidang
requestmenjadi bidangrequest_method,request, danhttp_version.http_refererdidekodekan dariURL.Format bidang
time.
Solusi:
Jika bidang
_program_diatur ke access, gunakan fungsie_psvuntuk mengurai bidangcontentdan kemudian hapus bidangcontentasli.e_if(e_search("_program_==access"), e_compose(e_psv("content", "remote_addr, time_local,host,request,status,request_time,body_bytes_sent,upstream_addr,upstream_status, upstream_response_time,http_referer,http_x_forwarded_for,http_user_agent,session_id,guid", restrict=True), e_drop_fields("content")))Log diperbarui sebagai berikut:
__source__: 192.168.0.1 __tag__:__client_ip__: 192.168.0.10 __tag__:__receive_time__: 1562845168 __topic__: _facility_: 1 _priority_: 14 _program_: access _severity_: 6 body_bytes_sent: 6404 guid: - host: aliyundoc.com http_referer: https://example.com/s?q=%25%24%23%40%21&from=wy878378&uc_param_str=dnntnwvepffrgibijbprsvdsei http_user_agent: Mozilla/5.0 (Linux; Android 9; HWI-AL00 Build/HUAWEIHWI-A00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Mobile Safari/537.36 http_x_forwarded_for: - remote_addr: 192.168.0.100 request: GET /zf/11874.html HTTP/1.1 request_time: 0.077 session_id: - status: 200 time_local: 10/Jun/2019:11:32:16 +0800 topic: syslog-forwarder upstream_addr: 192.168.0.100:8001 upstream_response_time: 0.060 upstream_status: 200Gunakan fungsi
e_regexuntuk mengurai bidangrequestmenjadi bidangrequest_method,request, danhttp_version.e_regex("request",r"^(?P<request_method>\w+) (?P<request>.+) (?P<http_version>\w+/[\d\.]+)$")Log diperbarui sebagai berikut:
request: /zf/11874.html request_method: GET http_version: HTTP/1.1Dekodekan bidang
http_refererdari URL.e_set("http",url_decoding("http_referer"))Log diperbarui sebagai berikut:
http: https://example.com/s?q=%$#@!&from=wy878378&uc_param_str=dnntnwvepffrgibijbprsvdseiFormat nilai waktu.
e_set("time_local",dt_strptime(v("time"),"%d/%b/%Y:%H:%M:%S +0800"))Log diperbarui sebagai berikut:
time_local: 2019-06-13 13:45:11Solusi lengkap adalah sebagai berikut:
e_if(e_search("_program_==access"), e_compose(e_psv("content", "remote_addr, time_local,host,request,status,request_time,body_bytes_sent,upstream_addr,upstream_status, upstream_response_time,http_referer,http_x_forwarded_for,http_user_agent,session_id,guid", restrict=True), e_drop_fields("content"))) e_regex("request",r"^(?P<request_method>\w+) (?P<request>.+) (?P<http_version>\w+/[\d\.]+)$") e_set("http",url_decoding("http_referer")) e_set("time_local",dt_strptime(v("time"),"%d/%b/%Y:%H:%M:%S +0800"))
Log hasil:
__source__: 192.168.0.1 __tag__:__client_ip__: 192.168.0.10 __tag__:__receive_time__: 1562840879 __topic__: _facility_: 1 _priority_: 14 _program_: access _severity_: 6 body_bytes_sent: 6404 guid: - host: aliyundoc.com http_referer: https://example.com/s?q=example+search+query&from=wy878378&uc_param_str=dnntnwvepffrgibijbprsvdsei http_user_agent: Mozilla/5.0 (Linux; Android 9; HWI-AL00 Build/HUAWEIHWI-A00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Mobile Safari/537.36 http_x_forwarded_for: - remote_addr: 192.168.0.100 request: GET /zf/11874.html HTTP/1.1 request_time: 0.077 session_id: - status: 200 time_local: 10/Jun/2019:11:32:16 +0800 topic: syslog-forwarder upstream_addr: 192.168.0.100:8001 upstream_response_time: 0.060 upstream_status: 200 http: https://example.com/s?q=example search query&from=wy878378&uc_param_str=dnntnwvepffrgibijbprsvdsei
Log Berformat CSV Tidak Normal
Log berikut berisi entri yang tidak normal.
Log mentah:
__source__: 192.168.0.1 __tag__:__client_ip__: 192.168.0.10 __tag__:__receive_time__: 1562840879 __topic__: content: 192.168.0.1|07/Aug/2019:11:10:37 +0800|www.learn.aliyundoc.com|GET /alyun/htsw/?ad=5|8|6|11| HTTP/1.1|200|6.729|14559|192.168.0.1:8001|200|6.716|-|-|Mozilla/5.0 (Linux; Android 4.1.1; Nexus 7 Build/JRO03D))||Persyaratan:
Uraikan bidang
content.Solusi:
Fungsi
e_csvtidak dapat mengurai dengan benar bagianGET /alyun/htsw/?ad=5|8|6|11| HTTP/1.1dari bidangcontent. Untuk menyelesaikan masalah ini, ekstrak terlebih dahulu bagian ini dan gantikan dengan nilai kosong di bidangcontent.e_if(e_search("not remote_addr: *"), e_compose(e_regex("content", r"[^\|]+\|[^\|]+\|[^\|]+\|(?P<request>(.+)HTTP/\d.\d)"), e_set("content", regex_replace(v("content"), r"([^\|]+\|[^\|]+\|[^\|]+)\|((.+)HTTP/\d.\d)\|(.+)",replace= r"\1||\4")), e_psv("content", "remote_addr,time_local,host,request,status,request_time,body_bytes_sent,upstream_addr,upstream_status, upstream_response_time,http_referer,http_x_forwarded_for,http_user_agent,session_id,guid", restrict=True))) e_drop_fields("content")Log hasil:
__source__: 192.168.0.1 __tag__:__client_ip__: 192.168.0.10 __tag__:__receive_time__: 1562840879 __topic__: body_bytes_sent: 14559 host: www.learn.aliyundoc.com http_referer: - http_user_agent: Mozilla/5.0 (Linux; Android 4.1.1; Nexus 7 Build/JRO03D)) http_x_forwarded_for: - remote_addr: 192.168.0.1 request: GET /alyun/htsw/?ad=5|8|6|11| HTTP/1.1 request_time: 6.729 status: 200 time_local: 07/Aug/2019:11:10:37 +0800 upstream_addr: 192.168.0.1:8001 upstream_response_time: 6.716 upstream_status: 200