Hi,
Some context:
AWS
Log Group: MyLogGroupForEC2s
Log Streams:
myhost1-System #EventViewer
myhost1-Application #EventViewer
myhost1-CloudWatchAgent #CustomLogTxt
and many more for the fictitious "myhost1" and A LOT of different hosts.
CloudWatchAgent sends the entire raw EventViewer-event as XML into the "message"-field. OK, so let's try and define a "processor" to dissect the message field, but here is also my problem:
The EventViewer Application-log has the following field for EventID;
<EventID Qualifiers='.'>(.*?)<\/EventID>
While all other EventViewer-logs have the following field for EventID;
<EventID>(.*?)<\/EventID>
and as stated somewhere in the documentation regarding this, if a field is not found then no processing will occur, so we need to differentiate between:
The EventViewer Application-log (w. "Qualifiers")
All other EventViewer-logs (w.o "Qualifiers")
and the custom txt-logs.
I seem to be missing a third option (i.e. "if-else") to do this, if I am grasping this correctly:
- if:
    regexp:
      log_stream: "-Application$"
  then:
    - dissect:
        tokenizer: "<Computer>(.*?)<\/Computer>"
        field: "message"
        target_prefix: "Computer"
    - dissect:
        tokenizer: "<Message>(.*?)<\/Message>"
        field: "message"
        target_prefix: "EventID Message"
    - dissect:
        tokenizer: "<Channel>(.+?)<\/Channel>"
        field: "message"
        target_prefix: "Channel"
    - dissect:
        tokenizer: "<Level>(.+?)<\/Level>"
        field: "message"
        target_prefix: "Level"
    - dissect:
        tokenizer: "<EventID Qualifiers='.'>(.*?)<\/EventID>"
        field: "message"
        target_prefix: "EventID"
The above section would catch all log-streams that end with "-Application" but then I need to take into account all other EventViewer-logs (that are without "Qualifiers") and another section to parse / dissect the custom .txt-logs such as the CloudWatchAgent-logs.
It's easier for me to handle the exceptions from the "norm" of "EventID" rather than specify all the logs that should be parsed conforming to "EventID".
Might I be better off using Logstash instead of trying to define this process in Functionbeat?
Thank you in advance for any suggestions / help - TheSwede86
Update: Oh, and I know the regex I wrote doesn't work since it uses reserved characters; I need to figure that out, but that's another issue.
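Added example, not from the post above: a Python sketch of the same three-way split, parsing the event XML instead of regex-matching it, so the Qualifiers attribute on EventID needs no separate branch. The Windows event namespace URI, the "-CloudWatchAgent" suffix rule and the sample records are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace of the standard Windows Event XML schema (assumption; the fallback handles XML without one).
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
FIELDS = ("Computer", "Channel", "Level", "EventID", "Message")

# Constructed sample records shaped like the post's log streams (not real data).
SAMPLE_EVENTS = [
    {"log_stream": "myhost1-Application",
     "message": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
                "<System><EventID Qualifiers='16384'>1000</EventID><Level>2</Level>"
                "<Channel>Application</Channel><Computer>myhost1</Computer></System>"
                "<Message>Faulting application</Message></Event>"},
    {"log_stream": "myhost1-System",
     "message": "<Event><System><EventID>7036</EventID><Level>4</Level>"
                "<Channel>System</Channel><Computer>myhost1</Computer></System></Event>"},
    {"log_stream": "myhost1-CloudWatchAgent",
     "message": "2021/01/01 00:00:00 I! Started the CloudWatch agent"},
]

def classify(log_stream):
    """The three classes the post needs to tell apart, keyed on the stream suffix."""
    if log_stream.endswith("-Application"):
        return "eventviewer-application"
    if log_stream.endswith("-CloudWatchAgent"):  # assumed suffix for the custom txt logs
        return "custom-txt"
    return "eventviewer-other"

def parse_event_xml(message):
    """Extract the fields the post dissects. <EventID> and <EventID Qualifiers='..'> are
    the same element to an XML parser. For untrusted input in production use defusedxml."""
    root = ET.fromstring(message)
    out = {}
    for name in FIELDS:
        el = root.find(f".//{NS}{name}")
        if el is None:              # fall back to un-namespaced XML
            el = root.find(f".//{name}")
        if el is not None:
            out[name] = (el.text or "").strip()
            if name == "EventID" and "Qualifiers" in el.attrib:
                out["Qualifiers"] = el.attrib["Qualifiers"]
    return out

def process(event):
    """Equivalent of the if/else chain: only EventViewer streams are dissected."""
    kind = classify(event["log_stream"])
    result = {"log_stream": event["log_stream"], "kind": kind}
    if kind != "custom-txt":
        result.update(parse_event_xml(event["message"]))
    return result
```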