Creating a Grok extractor in Graylog
Message:
May 6 14:32:50 localhost.localdomain haproxy[4198]: 192.168.15.11 7706 10.10.20.16 443 123.103.90.196 443 GET /ews/exchange.asmx 401 ee 1 0 0 0 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384
Extractor configuration grok pattern:
(?<date_time>(%{MONTH}\s*%{MONTHDAY}\s*%{TIME}))\s*(?<hostname>(\S+))\s*(?<process>(haproxy\[\d+\]:))\s*%{IPV4:c_ip}\s*%{BASE10NUM:c_port}\s*%{IPV4:fe_ip}\s*%{BASE10NUM:fe_port}\s*%{IPV4:be_ip}\s*%{BASE10NUM:be_port}\s*%{WORD:cs_method}\s*%{URIPATHPARAM:cs_uri}\s*%{BASE10NUM:cs_status}\s*(?<uname>([.\S+]*))\s*%{BASE10NUM:fc}\s*%{BASE10NUM:bc}\s*%{BASE10NUM:bq}\s*%{BASE10NUM:sc}\s*
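
An offline check of the pattern above against the sample message, as an added example that is not part of the original page. The Grok references are expanded with simplified stand-in regexes (assumed, not Graylog's shipped definitions), and TLS_SUFFIX with its field names cs_version, tls_version and tls_cipher is hypothetical: it goes beyond the page's pattern to capture the three trailing tokens that pattern leaves unparsed.

```python
import re

# Simplified stand-ins for the stock Grok patterns the extractor references
# (assumption: Graylog's shipped definitions are stricter than these).
GROK = {
    "MONTH": r"[A-Z][a-z]{2,8}", "MONTHDAY": r"(?:0?[1-9]|[12]\d|3[01])",
    "TIME": r"\d{2}:\d{2}:\d{2}", "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "BASE10NUM": r"[+-]?\d+(?:\.\d+)?", "WORD": r"\b\w+\b",
    "URIPATHPARAM": r"/\S*", "NOTSPACE": r"\S+",
}

# The extractor pattern from the page, split across lines only for readability.
PAGE_PATTERN = (
    r"(?<date_time>(%{MONTH}\s*%{MONTHDAY}\s*%{TIME}))\s*(?<hostname>(\S+))\s*"
    r"(?<process>(haproxy\[\d+\]:))\s*%{IPV4:c_ip}\s*%{BASE10NUM:c_port}\s*"
    r"%{IPV4:fe_ip}\s*%{BASE10NUM:fe_port}\s*%{IPV4:be_ip}\s*%{BASE10NUM:be_port}\s*"
    r"%{WORD:cs_method}\s*%{URIPATHPARAM:cs_uri}\s*%{BASE10NUM:cs_status}\s*"
    r"(?<uname>([.\S+]*))\s*%{BASE10NUM:fc}\s*%{BASE10NUM:bc}\s*"
    r"%{BASE10NUM:bq}\s*%{BASE10NUM:sc}\s*"
)
# Hypothetical extension (not on the page): capture the three trailing tokens.
TLS_SUFFIX = r"%{NOTSPACE:cs_version}\s+%{NOTSPACE:tls_version}\s+%{NOTSPACE:tls_cipher}"

# The sample message from the page.
SAMPLE = ("May 6 14:32:50 localhost.localdomain haproxy[4198]: 192.168.15.11 7706 "
          "10.10.20.16 443 123.103.90.196 443 GET /ews/exchange.asmx 401 ee 1 0 0 0 "
          "HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384")


def grok_to_regex(pattern):
    """Expand %{NAME[:field]} and turn (?<x>...) into Python's (?P<x>...)."""
    def expand(m):
        body = GROK[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    expanded = re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern)
    return re.compile(re.sub(r"\(\?<(\w+)>", r"(?P<\1>", expanded))


def extract(pattern, line):
    """Return (named fields, unparsed remainder), or None if no match."""
    m = grok_to_regex(pattern).search(line)
    return (m.groupdict(), line[m.end():]) if m else None


if __name__ == "__main__":
    fields, rest = extract(PAGE_PATTERN, SAMPLE)
    print(fields)
    print("left unparsed:", repr(rest))
    print(extract(PAGE_PATTERN + TLS_SUFFIX, SAMPLE)[0])
```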