Hi @magnusbaeck
I can parse this log.
The site you mentioned is very helpful for me.
Thanks a lot.
I'm sharing my config file for the Percona audit log.
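# Percona audit log pipeline: each syslog line wraps one JSON "audit_record".
input { stdin { } }
output { stdout { codec => "rubydebug" } }

filter {
  # Split the syslog envelope from the JSON payload. On a non-matching line
  # grok tags the event "_grokparsefailure" and json_data is never set.
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:sys_timestamp}%{SPACE}%{HOSTNAME:host_name}%{SPACE} percona-audit: %{GREEDYDATA:json_data}" }
  }

  if "_grokparsefailure" not in [tags] {
    # Parse the payload into the event root, which yields [audit_record][...].
    # Keys are taken verbatim from the log line, so a payload that ever carried
    # a top-level "host" or "@timestamp" key would overwrite the fields grok
    # and the input set; a malformed payload is tagged "_jsonparsefailure".
    json {
      source => "json_data"
    }

    # Stamp @timestamp with the time the database server recorded the event,
    # not the time Logstash read it; without this, @timestamp is the ingest
    # time and audit events cannot be ordered reliably against other sources.
    # Pattern is Joda-style; ZZZ matches the zone name ("UTC") the record
    # carries. A record that does not parse is tagged "_dateparsefailure"
    # and keeps the ingest time.
    date {
      match => [ "[audit_record][timestamp]", "yyyy-MM-dd'T'HH:mm:ss ZZZ" ]
    }
  }
}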
Result of parsing
# Feed one sample percona-audit syslog line through the pipeline above
# (saved as test.config). The outer single quotes hand the embedded JSON,
# double quotes included, to logstash unchanged.
echo 'Nov 25 23:25:18 hostA percona-audit: {"audit_record":{"name":"Query","record":"35_1970-01-01T00:00:00","timestamp":"2015-11-26T07:25:18 UTC","command_class":"select","connection_id":"3","status":0,"sqltext":"select version()","user":"root[root] @ localhost []","host":"localhost","os_user":"","ip":""}}' | /opt/logstash/bin/logstash -f test.config
Logstash startup completed
{
"message" => "Nov 25 23:25:18 hostA percona-audit: {"audit_record":{"name":"Query","record":"35_1970-01-01T00:00:00","timestamp":"2015-11-26T07:25:18 UTC","command_class":"select","connection_id":"3","status":0,"sqltext":"select version()","user":"root[root] @ localhost []","host":"localhost","os_user":"","ip":""}}",
"@version" => "1",
"@timestamp" => "2015-11-27T04:04:16.994Z",
"host" => "hostB",
"sys_timestamp" => "Nov 25 23:25:18",
"host_name" => "hostA",
"json_data" => "{"audit_record":{"name":"Query","record":"35_1970-01-01T00:00:00","timestamp":"2015-11-26T07:25:18 UTC","command_class":"select","connection_id":"3","status":0,"sqltext":"select version()","user":"root[root] @ localhost []","host":"localhost","os_user":"","ip":""}}",
"audit_record" => {
"name" => "Query",
"record" => "35_1970-01-01T00:00:00",
"timestamp" => "2015-11-26T07:25:18 UTC",
"command_class" => "select",
"connection_id" => "3",
"status" => 0,
"sqltext" => "select version()",
"user" => "root[root] @ localhost []",
"host" => "localhost",
"os_user" => "",
"ip" => ""
}
}
Logstash shutdown completed