Logstash Grok解析器不工作

Question

我想解析錯誤日誌使用Logstash捕獲幾個字段，尤其是errormessage。但無法在Logstash中捕獲錯誤消息。下面是我寫的實際的錯誤信息和解析器

 12345 http://google.com 2017-04-17 09:02:43.065 ERROR 10479 --- [http-nio-8052-exec-2] com.utilities.TokenUtils  : Error 

org.xml.SAXParseException: An invalid XML character (Unicode: 0xe) was found in the value of attribute "ID" and element is "saml". 
    at org.apache.parsers.DOMParser.parse(Unknown Source) 
    at org.apache.jaxp.DocumentBuilderImpl.parse(Unknown Source) 
    at javax.parsers.DocumentBuilder.parse(DocumentBuilder.java:121) 
    at com.utilities.TokenUtils.validateSignature(TokenUtils.java:99) 

分析器：

`%{NOTSPACE:stnum}\s*%{NOTSPACE:requestURL}\s*%{TIMESTAMP_ISO8601:log_timestamp}\s*%{LOGLEVEL:loglevel}\s*%{NUMBER:pid}\s*---\s*\[(?<thread>[A-Za-z0-9-]+)\]\s*%{DATA:class}\s*:\s%{NOTSPACE:level}\s*(?<errormessage>.[^\n]*).[^\n]*` 

我試圖捕捉從日誌此消息：

org.xml.SAXParseException: An invalid XML character (Unicode: 0xe) was found in the value of attribute "ID" and element is "saml". 

Answer 1

哪個logstash解析器你使用？請提供可以給我們提供更多信息的conf文件。以下是從日誌中解析異常類型的示例（使用grok篩選器）。

filter { 
grok { 
match => ["message", "%{DATA:errormessage} %{GREEDYDATA:EXTRA}"] 
} 
}