1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
<code>USERNAME [a-zA-Z0-9_-]+</code>
<code>USER %{USERNAME}</code>
<code>INT (?:[+-]?(?:[0-9]+))</code>
<code>BASE10NUM (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))</code>
<code>NUMBER (?:%{BASE10NUM})</code>
<code>BASE16NUM (?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))</code>
<code>BASE16FLOAT \b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b</code>
<code> </code>
<code>POSINT \b(?:[1-9][0-9]*)\b</code>
<code>NONNEGINT \b(?:[0-9]+)\b</code>
<code>WORD \b\w+\b</code>
<code>NOTSPACE \S+</code>
<code>SPACE \s*</code>
<code>DATA .*?</code>
<code>GREEDYDATA .*</code>
<code>QUOTEDSTRING (?>(?<!\\)(?></code><code>"(?>\\.|[^\\"</code><code>]+)+</code><code>"|"</code><code>"|(?></code><code>'(?>\\.|[^\\'</code><code>]+)+</code><code>')|'</code><code>'|(?>`(?>\\.|[^\\`]+)+`)|``))</code>
<code>UUID [A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}</code>
<code># Networking</code>
<code>mac (?:%{CISCOmac}|%{WINDOWSmac}|%{COMMONmac})</code>
<code>CISCOmac (?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})</code>
<code>WINDOWSmac (?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})</code>
<code>COMMONmac (?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})</code>
<code>IP (?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])</code>
<code>HOSTNAME \b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)</code>
<code>HOST %{HOSTNAME}</code>
<code>IPORHOST (?:%{HOSTNAME}|%{IP})</code>
<code>HOSTPORT (?:%{IPORHOST=~/\./}:%{POSINT})</code>
<code># paths</code>
<code>PATH (?:%{UNIXPATH}|%{WINPATH})</code>
<code>UNIXPATH (?>/(?>[\w_%!$@:.,-]+|\\.)*)+</code>
<code>#UNIXPATH (?<![\w\/])(?:/[^\/\s?*]*)+</code>
<code>LINUXTTY (?></code><code>/dev/pts/</code><code>%{NONNEGINT})</code>
<code>BSDTTY (?></code><code>/dev/tty</code><code>[pq][a-z0-9])</code>
<code>TTY (?:%{BSDTTY}|%{LINUXTTY})</code>
<code>WINPATH (?>[A-Za-z]+:|\\)(?:\\[^\\?*]*)+</code>
<code>URIPROTO [A-Za-z]+(\+[A-Za-z+]+)?</code>
<code>URIHOST %{IPORHOST}(?::%{POSINT:port})?</code>
<code>URIPATH (?:/[A-Za-z0-9$.+!*'(){},~:;=</code><code>#%_\-]*)+</code>
<code>#URIPARAM \?(?:[A-Za-z0-9]+(?:=(?:[^&]*))?(?:&(?:[A-Za-z0-9]+(?:=(?:[^&]*))?)?)*)?</code>
<code>URIPARAM \?[A-Za-z0-9$.+!*'|(){},~</code><code>#%&/=:;_?\-\[\]]*</code>
<code>URIPATHPARAM %{URIPATH}(?:%{URIPARAM})?</code>
<code>URI %{URIPROTO}:</code><code>//</code><code>(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?</code>
<code># Months: January, Feb, 3, 03, 12, December</code>
<code>MONTH \b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b</code>
<code>MONTHNUM (?:0?[1-9]|1[0-2])</code>
<code>MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])</code>
<code># Days: Monday, Tue, Thu, etc...</code>
<code>DAY (?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)</code>
<code># Years?</code>
<code>YEAR (?>\d\d){1,2}</code>
<code>HOUR (?:2[0123]|[01][0-9])</code>
<code>MINUTE (?:[0-5][0-9])</code>
<code># '60' is a leap second in most time standards and thus is valid.</code>
<code>SECOND (?:(?:[0-5][0-9]|60)(?:[:.,][0-9]+)?)</code>
<code>TIME (?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])</code>
<code># datestamp is YYYY/MM/DD-HH:MM:SS.UUUU (or something like it)</code>
<code>DATE_US %{MONTHNUM}[</code><code>/-</code><code>]%{MONTHDAY}[</code><code>/-</code><code>]%{YEAR}</code>
<code>DATE_EU %{YEAR}[.</code><code>/-</code><code>]%{MONTHNUM}[.</code><code>/-</code><code>]%{MONTHDAY}</code>
<code>ISO8601_TIMEZONE (?:Z|[+-]%{HOUR}(?::?%{MINUTE}))</code>
<code>ISO8601_SECOND (?:%{SECOND}|60)</code>
<code>TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?</code>
<code>DATE %{DATE_US}|%{DATE_EU}</code>
<code>DATESTAMP %{DATE}[- ]%{TIME}</code>
<code>TZ (?:[PMCE][SD]T)</code>
<code>DATESTAMP_RFC822 %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}</code>
<code>DATESTAMP_OTHER %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}</code>
<code># Syslog Dates: Month Day HH:MM:SS</code>
<code>SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}</code>
<code>PROG (?:[\w._/%-]+)SYSLOGPROG %{PROG:program}(?:\[%{POSINT:pid}\])?</code>
<code>SYSLOGHOST %{IPORHOST}</code>
<code>SYSLOGFACILITY <%{NONNEGINT:facility}.%{NONNEGINT:priority}></code>
<code>HTTPDATE %{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}</code>
<code># Shortcuts</code>
<code>QS %{QUOTEDSTRING}</code>
<code># Log formats</code>
<code>SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:</code>
<code>COMBINEDAPACHELOG %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] </code><code>"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|-)"</code> <code>%{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}</code>
<code># Log Levels</code>
<code>LOGLEVEL ([T|t]race|TRACE|[D|d]ebug|DEBUG|[N|n]otice|NOTICE|[I|i]nfo|INFO|[W|w]arn?(?:ing)?|WARN?(?:ING)?|[E|e]rr?(?:or)?|ERR?(?:OR)?|[C|c]rit?(?:ical)?|CRIT?(?:ICAL)?|[F|f]atal|FATAL|[S|s]evere|SEVERE)</code>
logstash還有很多pattern,請參考
https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns
本文轉自 曾哥最愛 51CTO部落格,原文連結:http://blog.51cto.com/zengestudy/1782593,如需轉載請自行聯系原作者
![Flume日志采集系統——初體驗(Logstash對比版)[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)