I put together the simplest filter:
filter {
  if [type] == "rsyslog" {
    grok {
      add_tag => "TEST"
    }
  }
}
Logstash in debug mode outputs the following:
[2018-10-21T23:12:58,284][DEBUG][logstash.pipeline ] output received {"event"=>{"tags"=>["_grokparsefailure"], "facility"=>"user", "sysloghost"=>"gateway", "type"=>"rsyslog", "procid"=>"-", "severity"=>"notice", "@timestamp"=>2018-10-21T20:12:58.178Z, "programname"=>"dns,packet", "host"=>"127.0.0.1", "message"=>" question: ftp.local:A:IN", "@version"=>"1"}}
Am I right in understanding that with the "_grokparsefailure" tag grok is not processing the event?
PS: the logs themselves do reach the cluster.
{
  "_index": "logstash-2018.10.21",
  "_type": "doc",
  "_id": "TOtFmGYBF3439qZqD331",
  "_version": 1,
  "_score": null,
  "_source": {
    "tags": [
      "_grokparsefailure"
    ],
    "facility": "daemon",
    "sysloghost": "shtirliz",
    "type": "rsyslog",
    "procid": "-",
    "severity": "notice",
    "@timestamp": "2018-10-21T20:15:54.565Z",
    "programname": "systemd",
    "host": "127.0.0.1",
    "message": "Unit auditbeat.service entered failed state.",
    "@version": "1"
  },
  "fields": {
    "@timestamp": [
      "2018-10-21T20:15:54.565Z"
    ]
  },
  "highlight": {
    "tags": [
      "_grokparsefailure"
    ]
  },
  "sort": [
    1540152954565
  ]
}
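Added example, not part of the original post or of Logstash itself: a small Python emulation of how the grok filter decides between its success and failure paths, run over the two message strings quoted above. The posted config declares no `match`, so grok has nothing to match against; every event therefore gets `tag_on_failure` (`_grokparsefailure` by default) and `add_tag` is never applied, because `add_tag` only fires on a successful match. The same emulation with a pattern that fits the DNS line extracts fields and adds `TEST`, while the systemd line still fails. The pattern definitions, the field names `qname`/`qtype`/`qclass` and the assumed `question: <name>:<type>:<class>` layout of the DNS message are assumptions made for the example.

```python
import re

# Minimal stand-in for grok's built-in pattern library. These regexes are
# assumptions that approximate the real definitions, not copies of them.
GROK_PATTERNS = {
    "WORD": r"\b\w+\b",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*\.?",
    "GREEDYDATA": r".*",
}

# %{PATTERN} or %{PATTERN:field}
_SEMANTIC = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{PATTERN:field} references into a compiled regex with named groups."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(_SEMANTIC.sub(repl, pattern))


def grok_filter(event, match=None, add_tag=(), tag_on_failure=("_grokparsefailure",)):
    """Emulate the grok filter's tagging semantics.

    match: {field: pattern or [patterns]} like Logstash's `match` option.
    An empty or missing `match` (the posted config) can never match, so the
    event receives tag_on_failure and add_tag is not applied. On success the
    captured groups become event fields and add_tag is applied. Like grok's
    default break_on_match, the first matching pattern wins.
    """
    event = dict(event)
    tags = list(event.get("tags", []))
    matched = False
    for field, patterns in (match or {}).items():
        value = event.get(field)
        if value is None:
            continue
        for pat in patterns if isinstance(patterns, list) else [patterns]:
            m = grok_to_regex(pat).search(value)
            if m:
                event.update({k: v for k, v in m.groupdict().items() if v is not None})
                matched = True
                break
        if matched:
            break
    if matched:
        tags.extend(t for t in add_tag if t not in tags)
    else:
        tags.extend(t for t in tag_on_failure if t not in tags)
    event["tags"] = tags
    return event


# Constructed events carrying the two message strings from the post.
DNS_EVENT = {"type": "rsyslog", "programname": "dns,packet",
             "message": " question: ftp.local:A:IN"}
SYSTEMD_EVENT = {"type": "rsyslog", "programname": "systemd",
                 "message": "Unit auditbeat.service entered failed state."}

# Assumed grok pattern for the DNS question line: "question: <name>:<type>:<class>"
DNS_PATTERN = r"question: %{HOSTNAME:qname}:%{WORD:qtype}:%{WORD:qclass}"


def run_posted_config(event):
    """grok { add_tag => "TEST" } with no match, exactly as posted."""
    return grok_filter(event, add_tag=["TEST"])


def run_with_match(event):
    """The same filter once a match pattern is supplied."""
    return grok_filter(event, match={"message": [DNS_PATTERN]}, add_tag=["TEST"])


if __name__ == "__main__":
    for ev in (DNS_EVENT, SYSTEMD_EVENT):
        print("posted config :", run_posted_config(ev)["tags"])
        print("with match    :", run_with_match(ev))
```

Running it shows the posted config tagging both events `_grokparsefailure` and never `TEST`; with the pattern in place, the DNS event gains `qname`, `qtype`, `qclass` and the `TEST` tag, and the systemd event, which the pattern does not fit, keeps `_grokparsefailure`. In a real pipeline the equivalent is to give grok a `match => { "message" => "..." }` entry (and, for events that legitimately do not fit, a conditional or a second pattern) rather than relying on `add_tag` alone.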