Hey everyone! I finally decided to monitor my applications more closely with Grafana. However, I’m having issues building dashboards from their logs.

Their logs are currently sent over syslog (in RFC3164 format) into telegraf. But it simply puts the whole message into the message field, so I can’t use specific fields (e.g. URL for httpd, source IP for DNS requests, username for SSH, …) to build graphs.

I’ve read about grok patterns, but I have no idea how to use them.

Would someone have any pointers on how I could make sense out of these logs for later use?

  • z3bra@lemmy.sdf.org (OP) · 1 year ago

    I found how to parse and tokenize logs within telegraf. One must use grok patterns to parse the logs. Here is the config sample I use:

    # bind locally to ingest syslog messages
    [[inputs.syslog]]
      server = "udp://<ipaddress>:6514"
      syslog_standard = "RFC3164"

    # parse the syslog "message" field with grok and merge the extracted fields into the metric
    [[processors.parser]]
      parse_fields = ["message"]
      merge = "override"
      data_format = "grok"
      grok_patterns = ["%{HTTPD}", "%{GEMINI}"] # these must reference names defined in grok_custom_patterns
      # format: PATTERN_NAME GROK_PATTERN, one per line
      grok_custom_patterns = '''
    HTTPD ^%{HOSTNAME:httphost} %{COMBINED_LOG_FORMAT} (?:%{IPORHOST:proxyip}|-) (?:%{NUMBER:proxyprot}|-)$
    GEMINI ^(?:\"(?:gemini\:\/\/%{HOSTNAME:gmihost}(:%{NUMBER:gmiport})?%{NOTSPACE:request}|%{DATA:raw_request})\" %{NUMBER:response} %{NUMBER:bytes}|%{DATA})$
      '''

    # send parsed logs to influxdb
    [[outputs.influxdb]]
      urls = ["http://localhost:8086"]
      database = "telegraf"

    Telegraf supports logstash core patterns, as well as its own custom patterns (like %{COMBINED_LOG_FORMAT}).

    You can then query your influxdb using the fields extracted from these patterns:

    > USE telegraf
    > SELECT xff,httphost,request FROM syslog WHERE appname = 'httpd' AND verb = 'GET' ORDER BY time DESC
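As an added illustration (not part of the post, and not Telegraf's own code), here is a small Python stand-in for what the grok processor does with the two custom patterns above: it resolves `%{NAME:field}` references into one regex with named groups and runs it over constructed sample message bodies. The base patterns (HOSTNAME, COMBINED_LOG_FORMAT and so on) are simplified assumptions, not Telegraf's definitions; the point is to see which fields the HTTPD and GEMINI patterns yield, and that the trailing `%{DATA}` alternative in GEMINI makes an unrecognised line match with no fields instead of failing.

```python
import re

# Simplified stand-ins for the logstash/Telegraf base patterns (constructed for
# this example; Telegraf's real COMBINED_LOG_FORMAT is more elaborate).
BASE = {
    "NUMBER": r"-?\d+(?:\.\d+)?",
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "WORD": r"\w+",
    "QS": r'"[^"]*"',
    "HTTPDATE": r"[^\]]+",
    "HOSTNAME": r"[A-Za-z0-9._-]+",
    "IPORHOST": r"[A-Za-z0-9._:-]+",
    "COMMON_LOG_FORMAT": (
        r'%{IPORHOST:client_ip} %{NOTSPACE:ident} %{NOTSPACE:auth} \[%{HTTPDATE:ts}\] '
        r'"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:http_version}" '
        r'%{NUMBER:resp_code} (?:%{NUMBER:resp_bytes}|-)'
    ),
    "COMBINED_LOG_FORMAT": r"%{COMMON_LOG_FORMAT} %{QS:referrer} %{QS:agent}",
}
# The two custom patterns from the post, copied as written there.
CUSTOM = {
    "HTTPD": r"^%{HOSTNAME:httphost} %{COMBINED_LOG_FORMAT} (?:%{IPORHOST:proxyip}|-) (?:%{NUMBER:proxyprot}|-)$",
    "GEMINI": r'^(?:\"(?:gemini\:\/\/%{HOSTNAME:gmihost}(:%{NUMBER:gmiport})?%{NOTSPACE:request}|%{DATA:raw_request})\" %{NUMBER:response} %{NUMBER:bytes}|%{DATA})$',
}
PATTERNS = {**BASE, **CUSTOM}

REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{NAME} or %{NAME:field}

def expand(pattern):
    """Resolve grok references recursively into one Python regex: %{NAME:field}
    becomes a named capture group, a bare %{NAME} a non-capturing group."""
    def repl(m):
        inner = expand(PATTERNS[m.group(1)])
        return f"(?P<{m.group(2)}>{inner})" if m.group(2) else f"(?:{inner})"
    return REF.sub(repl, pattern)

def parse(message, top):
    """Match one syslog 'message' body against a top-level pattern; return the
    fields that actually matched, or None when the whole pattern fails."""
    m = re.match(expand(PATTERNS[top]), message)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else None

# Constructed sample message bodies, as the syslog input would store them in "message".
HTTPD_SAMPLE = ('www.example.org 203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] '
                '"GET /index.html HTTP/1.1" 200 2326 "-" "curl/8.0" 192.0.2.7 443')
GEMINI_SAMPLE = '"gemini://gemini.example.org/cgi-bin/status" 20 512'

if __name__ == "__main__":
    print(parse(HTTPD_SAMPLE, "HTTPD"))        # httphost, client_ip, verb, request, proxyip, ...
    print(parse(GEMINI_SAMPLE, "GEMINI"))      # gmihost, request, response, bytes
    print(parse("not a gemini log", "GEMINI"))  # {} : swallowed by the trailing %{DATA}
```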