Telegraf input.tail and zimbra.log

Problem description

I have a question: how do I set up the telegraf.conf file to collect logs from the "zimbra.conf" file? Right now I am trying this configuration text, but it does not work :((( I want to send this log to Grafana.

One of the lines of "zimbra.conf" is, for example:

Oct 1 10:20:46 webmail postfix/smtp[7677]: BD5BAE9999: to=user@mail.com,relay=mo94.cloud.mail.com[92.97.907.14]:25,delay=0.73,delays=0.09/0.01/0.58/0.19,dsn=2.0.0,status=sent (250 2.0.0 Ok: queued as 4C25fk2pjFz32N5)

I don't fully understand "grok_patterns =".

[[inputs.tail]]
  files = ["/var/log/zimbra.log"]
  from_beginning = false
  grok_patterns = ['%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT}\])?: %{GREEDYDATA:message}']
  name_override = "zimbra_access_log"
  grok_custom_pattern_files = []
  grok_custom_patterns = '''
  TS_UNIX %{MONTH}%{SPACE}%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}
  TS_CUSTOM %{MONTH}%{SPACE}%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}
  '''
  grok_timezone = "Local"
  data_format = "grok"

Solution

I copied your sample line into a log file named Prueba.txt, which contains the following lines:

Oct 3 00:52:32 webmail postfix/smtp[7677]: BD5BAE9999: to=user@mail.com,relay=mo94.cloud.mail.com[92.97.907.14]:25,delay=0.73,delays=0.09/0.01/0.58/0.19,dsn=2.0.0,status=sent (250 2.0$
Oct 13 06:25:01 webmail systemd-logind[949]: New session 229478 of user zimbra.
Oct 13 06:25:02 webmail zmconfigd[27437]: Shutting down. Received signal 15
Oct 13 06:25:02 webmail systemd-logind[949]: Removed session c296.
Oct 13 06:25:03 webmail sshd[28005]: Failed password for invalid user julianne from 120.131.2.210 port 10570 ssh2

I was able to parse the data with this configuration of the tail.input plugin:

[[inputs.tail]]
  files = ["Prueba.txt"]
  from_beginning = true
  data_format = "grok"
  grok_patterns = ['%{TIMESTAMP_ZIMBRA} %{GREEDYDATA:source} %{DATA:program}(?:\[%{POSINT}\])?: %{GREEDYDATA:message}']

  grok_custom_patterns = '''
    TIMESTAMP_ZIMBRA (\w{3} \d{1,2} \d{2}:\d{2}:\d{2})
  '''

  name_override = "log_frames"

You need to match the input string against a regular expression. For that you can use some predefined patterns (for example GREEDYDATA = .*) to match your input (another example is NUMBER = (?:%{BASE10NUM}) BASE16NUM (?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))). You can also define your own patterns in grok_custom_patterns. Have a look at this site for some patterns: https://streamsets.com/documentation/datacollector/latest/help/datacollector/UserGuide/Apx-GrokPatterns/GrokPatterns_title.html

In this case I defined the TIMESTAMP_ZIMBRA pattern to match the inputs Oct 3 00:52:32 and Oct 03 00:52:33.

These are the metrics collected by Prometheus:

# HELP log_frames_delay Telegraf collected metric
# TYPE log_frames_delay untyped
log_frames_delay{delays="0.09/0.01/0.58/0.19",dsn="2.0.0",host="localhost.localdomain",message="BD5BAE9999:",path="Prueba.txt",program="postfix/smtp",relay="mo94.cloud.mail.com[92.97.907.14]:25",source="webmail",status="sent (250 2.0.0 Ok: queued as 4C25fk2pjFz32N5)",to="user@mail.com"} 0.73

PS: Make sure Telegraf can access the log file.
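To see what the answer's grok pattern actually does to these lines before wiring it into Telegraf, here is an added example (not Telegraf's parser and not the answerer's code): a tiny grok-style expander that turns `%{NAME:field}` references into a Python regex with named groups, applied to the Prueba.txt lines, plus a splitter for the postfix `key=value` payload that yields the delay/dsn/status fields seen in the metric. It assumes simplified stand-ins for the standard grok patterns and uses NOTSPACE for the host instead of GREEDYDATA, because a greedy host group can backtrack into a message that itself contains `": "`.

```python
import re

# Added example, not Telegraf's code. TIMESTAMP_ZIMBRA is the answer's custom pattern
# (' +' also accepts syslog's two-space day padding, e.g. 'Oct  3'); the other entries
# are simplified stand-ins for the standard grok patterns of the same name.
PATTERNS = {
    "TIMESTAMP_ZIMBRA": r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "POSINT": r"[1-9][0-9]*",
    "GREEDYDATA": r".*",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_compile(pattern):
    """Expand %{NAME} / %{NAME:field} references into a compiled regex with named groups."""
    def repl(m):
        body = PATTERNS[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.compile(GROK_REF.sub(repl, pattern))

# Same shape as the answer's grok_patterns entry; NOTSPACE is used for the host instead
# of GREEDYDATA so the host group cannot backtrack into a message that contains ": ".
LINE_RE = grok_compile(
    r"^%{TIMESTAMP_ZIMBRA:timestamp} %{NOTSPACE:source} "
    r"%{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}$"
)

def parse_line(line):
    """Return the named groups for one zimbra.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def parse_postfix(message):
    """Split a postfix/smtp message 'QUEUEID: k=v,k=v,...' into (queue_id, {k: v})."""
    queue_id, _, rest = message.partition(": ")
    fields = {}
    for item in rest.split(","):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return queue_id, fields

# Constructed sample input: the answer's Prueba.txt lines, the first one completed.
SAMPLE = [
    "Oct 3 00:52:32 webmail postfix/smtp[7677]: BD5BAE9999: to=user@mail.com,"
    "relay=mo94.cloud.mail.com[92.97.907.14]:25,delay=0.73,delays=0.09/0.01/0.58/0.19,"
    "dsn=2.0.0,status=sent (250 2.0.0 Ok: queued as 4C25fk2pjFz32N5)",
    "Oct 13 06:25:01 webmail systemd-logind[949]: New session 229478 of user zimbra.",
    "Oct 13 06:25:03 webmail sshd[28005]: Failed password for invalid user julianne from 120.131.2.210 port 10570 ssh2",
]
```

Running `parse_line` over each SAMPLE entry and `parse_postfix` over the postfix message reproduces the program, source, delay, dsn and status values shown in the log_frames metric above, and the program field lets sshd authentication failures be routed separately from mail delivery records.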