logging - NXLOG日志传送中缺少消息

标签 logging elasticsearch logstash kibana nxlog

我在ERRORLOG文件中有以下SQL日志,

2014-12-19 14:27:21.76 spid52      Starting up database 'MyDatabase'.
2014-12-19 14:27:22.06 spid52      Setting database option COMPATIBILITY_LEVEL to 110 for database 'MyDatabase'.
2014-12-19 14:27:22.06 spid52      Setting database option ANSI_NULL_DEFAULT to OFF for database 'MyDatabase'.
2014-12-19 14:27:22.06 spid52      Setting database option ANSI_NULLS to OFF for database 'MyDatabase'.
2014-12-19 14:27:22.09 spid52      Setting database option ANSI_PADDING to OFF for database 'MyDatabase'.
2014-12-19 14:27:22.09 spid52      Setting database option ANSI_WARNINGS to OFF for database 'MyDatabase'.
2014-12-19 14:27:22.09 spid52      Setting database option ARITHABORT to OFF for database 'MyDatabase'.
2014-12-19 14:27:22.09 spid52      Setting database option AUTO_CLOSE to OFF for database 'MyDatabase'.
2014-12-19 14:27:22.09 spid52      Setting database option AUTO_CREATE_STATISTICS to ON for database 'MyDatabase'.
2014-12-19 14:27:22.09 spid52      Setting database option AUTO_SHRINK to OFF for database 'MyDatabase'.
2014-12-19 14:27:22.09 spid52      Setting database option AUTO_UPDATE_STATISTICS to ON for database 'MyDatabase'.
2014-12-19 14:27:22.09 spid52      Setting database option CURSOR_CLOSE_ON_COMMIT to OFF for database 'MyDatabase'.
2014-12-19 14:27:22.09 spid52      Setting database option CURSOR_DEFAULT to GLOBAL for database 'MyDatabase'.
2014-12-19 14:27:22.09 spid52      Setting database option CONCAT_NULL_YIELDS_NULL to OFF for database 'MyDatabase'.
2014-12-19 14:27:22.09 spid52      Setting database option NUMERIC_ROUNDABORT to OFF for database 'MyDatabase'.
2014-12-19 14:27:22.09 spid52      Setting database option QUOTED_IDENTIFIER to OFF for database 'MyDatabase'.
2014-12-19 14:27:22.10 spid52      Setting database option RECURSIVE_TRIGGERS to OFF for database 'MyDatabase'.
2014-12-19 14:27:22.10 spid52      Setting database option DISABLE_BROKER to ON for database 'MyDatabase'.
2014-12-19 14:27:22.10 spid52      Setting database option AUTO_UPDATE_STATISTICS_ASYNC to OFF for database 'MyDatabase'.
2014-12-19 14:27:22.10 spid52      Setting database option DATE_CORRELATION_OPTIMIZATION to OFF for database 'MyDatabase'.
2014-12-19 14:27:22.10 spid52      Setting database option PARAMETERIZATION to SIMPLE for database 'MyDatabase'.
2014-12-19 14:27:22.10 spid52      Setting database option READ_COMMITTED_SNAPSHOT to OFF for database 'MyDatabase'.
2014-12-19 14:27:22.10 spid52      Setting database option READ_WRITE to ON for database 'MyDatabase'.
2014-12-19 14:27:22.10 spid52      Setting database option RECOVERY to FULL for database 'MyDatabase'.
2014-12-19 14:27:22.10 spid52      Setting database option MULTI_USER to ON for database 'MyDatabase'.
2014-12-19 14:27:22.10 spid52      Setting database option PAGE_VERIFY to CHECKSUM for database 'MyDatabase'.
2014-12-19 14:27:22.10 spid52      Setting database option target_recovery_time to 0 for database 'MyDatabase'.

我已在nxlog中使用以下代码将日志发送到Logstash。
<Input sql-ERlogs>
    Module      im_file
    File 'C:\Program Files\Microsoft SQL Server\MSSQL11.SQL\MSSQL\Log\ER*'
    ReadFromLast TRUE
    Exec        to_json();
</Input>

我仅在kibana中收到以下消息。
{"message":"{\"EventReceivedTime\":\"2014-12-19 14:52:50\",\"SourceModuleName\":\"sql-ERlogs\",\"SourceModuleType\":\"im_file\"}\r","@version":"1","@timestamp":"2014-12-19T09:21:11.709Z","host":"192.168.1.9:1426","type":"sqllogs"}

在这里,我只有时间从此日志中抽出时间。我的日志传送方式有什么问题吗?

更新
更新@ b0ti答案后,我得到以下输出
{"EventReceivedTime":"2014-12-19 15:50:36","SourceModuleName":"sql-ERlogs","SourceModuleType":"im_file","Message":"2\u00000\u00001\u00004\u0000-\u00001\u00002\u0000-\u00001\u00009\u0000 \u00001\u00005\u0000:\u00005\u00000\u0000:\u00003\u00006\u0000.\u00003\u00000\u0000 \u0000s\u0000p\u0000i\u0000d\u00005\u00002\u0000 \u0000 \u0000 \u0000 \u0000 \u0000 \u0000S\u0000e\u0000t\u0000t\u0000i\u0000n\u0000g\u0000 \u0000d\u0000a\u0000t\u0000a\u0000b\u0000a\u0000s\u0000e\u0000 \u0000o\u0000p\u0000t\u0000i\u0000o\u0000n\u0000 \u0000R\u0000E\u0000C\u0000O\u0000V\u0000E\u0000R\u0000Y\u0000 \u0000t\u0000o\u0000 \u0000F\u0000U\u0000L\u0000L\u0000 \u0000f\u0000o\u0000r\u0000 \u0000d\u0000a\u0000t\u0000a\u0000b\u0000a\u0000s\u0000e\u0000 \u0000'\u0000S\u0000a\u0000m\u0000p\u0000l\u0000e\u0000'\u0000.\u0000"}

为什么消息以Unicode字符的形式出现,如何将其更改为消息?

最佳答案

im_file将数据读入$ raw_event。调用to_json()会用除raw_event之外的所有其他字段的json重写$ raw_event,因此存储在$ raw_event中的原始消息会丢失。
您想要的是:

<Input sql-ERlogs>
    Module      im_file
    File 'C:\Program Files\Microsoft SQL Server\MSSQL11.SQL\MSSQL\Log\ER*'
    ReadFromLast TRUE
    Exec        $Message = $raw_event; to_json();
</Input>

关于logging - NXLOG日志传送中缺少消息,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/27563109/

上一篇:powershell - 单行中的Send-MailMessage命令不起作用

下一篇:arrays - Powershell验证我的数组元素类型

相关文章:

logstash - 在 Logstash 中将日期转换为 UNIX 时间

c++ - 包装在函数中的调试宏的惰性参数评估

java - Log4j2/JPA/Hibernate 日志记录不工作

logging - 使用不带日志的 systemd

c# - 将值传递给 NLog 自定义 LayoutRenderer

elasticsearch - 如果语句不适用于grok过滤器logstash

elasticsearch - 如何获得Elasticsearch多匹配模糊搜索以始终返回最少数量的结果

elasticsearch - 如何删除ELK中的旧日志以给每个应用程序一定的磁盘配额

elasticsearch - Logstash grok失败

search - Elasticsearch query_string与match_phrase结合

©2024 IT工具网  联系我们