且构网

Filter / filtering methods on Logstash

Updated: 2023-11-22 11:45:04

This looks like the kv filter.

First use the grok filter to separate your fields. Put the last part (the key-value pairs) into one field. Use the grok debugger to find the correct pattern. This might be an approach:

%{CISCOTIMESTAMP:timestamp} %{WORD:action}%{SPACE}%{DATA:logsource} %{DATA:interface} %{GREEDYDATA:kvpairs}

In Logstash's config:

grok {
    match => [ 'message', '%{CISCOTIMESTAMP:timestamp} %{WORD:action}%{SPACE}%{DATA:logsource} %{DATA:interface} %{GREEDYDATA:kvpairs}' ]
}

Afterwards use the kv filter to split the key-value pairs. Something like this might work:

kv {
    source => "kvpairs"   # new field generated by grok before
    field_split => ";"    # field_split is a set of single-character delimiters, so "; " would also split on spaces inside values
    trim_key => " "       # drop the space that follows each semicolon from the key
}

Try it, maybe adjust it a little bit, and you should be able to parse all log lines correctly.
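To see what the two stages do to an actual line before wiring them into a pipeline, here is an added Python illustration of the same grok-then-kv approach. It is not code from the answer or from Logstash: the grok pattern definitions are simplified from the stock grok library (an assumption adequate for the sample), the log line is constructed, and the key/value stage mimics the kv plugin's rule that `field_split` is a set of single-character delimiters rather than a literal string, which is why `"; "` truncates values that contain spaces while `";"` keeps them intact.

```python
"""Grok-style field extraction followed by a kv split, run over a constructed
firewall-style log line. Added illustration only, not Logstash's own code."""
import re
from typing import Optional

# Simplified stand-ins for the stock grok patterns referenced by the answer.
# The real CISCOTIMESTAMP/MONTH/TIME definitions are longer; this is an
# assumption that is sufficient for the constructed sample below.
GROK_PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9](?::[0-5][0-9])?",
    "CISCOTIMESTAMP": r"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}",
    "WORD": r"\b\w+\b",
    "SPACE": r"\s*",
    "DATA": r".*?",        # lazy, like grok's DATA
    "GREEDYDATA": r".*",   # greedy, like grok's GREEDYDATA
}

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Recursively expand %{NAME:field} into a named group and %{NAME} into a
    non-capturing group, the way the grok filter compiles its patterns."""
    def repl(m: "re.Match[str]") -> str:
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(GROK_PATTERNS[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return _GROK_REF.sub(repl, pattern)


# The pattern proposed in the answer, unchanged.
GROK_PATTERN = ("%{CISCOTIMESTAMP:timestamp} %{WORD:action}%{SPACE}"
                "%{DATA:logsource} %{DATA:interface} %{GREEDYDATA:kvpairs}")
GROK_REGEX = re.compile(grok_to_regex(GROK_PATTERN))


def grok_match(line: str) -> Optional[dict]:
    """Stage 1: return the named fields, or None (grok would add _grokparsefailure)."""
    m = GROK_REGEX.match(line)
    return m.groupdict() if m else None


def kv_split(text: str, field_split: str = ";", value_split: str = "=") -> dict:
    """Stage 2: mimic the kv filter. Every character of field_split is a
    delimiter (a set, not a literal string); value_split separates key from
    value; keys are stripped of surrounding whitespace as trim_key => " " would."""
    fields = {}
    for chunk in re.split("[" + re.escape(field_split) + "]", text):
        if value_split not in chunk:
            continue  # tokens without a key=value shape are ignored
        key, value = chunk.split(value_split, 1)
        fields[key.strip()] = value
    return fields


def parse_line(line: str, field_split: str = ";") -> Optional[dict]:
    """Run both stages; the kv fields are merged into the grok event."""
    event = grok_match(line)
    if event is None:
        return None
    event.update(kv_split(event["kvpairs"], field_split))
    return event


# Constructed sample line (not taken from the question); the last value
# deliberately contains a space to show the field_split difference.
SAMPLE_LINE = ("Jan 14 12:34:56 ACCEPT fw01 eth0 "
               "src=10.0.0.1; dst=10.0.0.2; proto=tcp; msg=connection reset")

if __name__ == "__main__":
    print("field_split ';' :", parse_line(SAMPLE_LINE))
    print("field_split '; ':", parse_line(SAMPLE_LINE, field_split="; "))
    print("non-matching    :", parse_line("not a firewall line"))
```

With `field_split=";"` the event carries `msg="connection reset"`; with `"; "` the same line yields `msg="connection"` and the dangling token `reset` is silently dropped, which is the kind of quiet data loss worth checking for when tuning the pattern in the grok debugger.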