如何使用有效的时间格式将带有FluentD的JSON文件转发到Graylog2

我正在使用FluentD和Graylog GELF进行日志记录,但收效甚微。我想转发一个JSON文件:

<source>
  @type tail
  path /var/log/suricata/eve.json
  pos_file /var/log/td-agent/suri_eve.pos # pos record
  tag ids
  format json
  # JSON time stamp: 2016-02-01T11:52:49.157072+0000
  # this timestamp is ruby's t.strftime("%Y-%m-%dT%H:%M:%S.%6N%z")
  time_format %Y-%m-%dT%H:%M:%S.%6N%z
  time_key timestamp # I show a JSON message below
</source>

<match **>
  @type graylog
  host 1.2.3.4 #(optional; default="localhost")
  port 12201 #(optional; default=9200)
  flush_interval 30
  num_threads 2
</match>

这会起作用,但会产生错误消息:

2016-02-01 15:30:11+0000[警告]:插件/in_tail。rb:263:救援 convert_line_to_event: “{\”timestamp\“:\”2016-02-01T15:27:09.000087+0000\“,\”flow_id\“:51921072,\”event_type“:\“flow\”,\”src_ip\“:”10.1.1.85\“,”src_port\“:59820,\”dest_ip“:”224.0.0.252\“,“dest_port\”:5355,\”proto\“:“UDP”,\“flow”:{\“pkts_toserver\”:4,\”pkts_toclient \“:0”,\“bytes_toserver\”:294,\“bytes_toclient\”:0,\“开始\”:\“2016-02-01T15:26:30.393371+0000\”,\”结束\“:\”2016-02-0T15:26:27.670904+0000\“,\”年龄\“:7,\”state\“:\”new\“,\”reason\“:\“timeout\”}}“error=”无效的时间格式:值=2016-02-01T15:27:09.000087+0000, error_class=ArgumentError,error=无效的strptime格式- `%Y-%m-%dT%H:%m:%S.%6N%z'“

原始邮件如下所示:

{"timestamp":"2016-02-01T15:31:02.000699+0000","flow_id":52015920,"event_type":"flow","src_ip":"10.1.1.44","src_port":49313,"dest_ip":"224.0.0.252","dest_port":5355,"proto":"UDP","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":128,"bytes_toclient":0,"start":"2016-02-01T15:30:31.348568+0000","end":"2016-02-01T15:30:31.759024+0000","age":0,"state":"new","reason":"timeout"}}

所以我检查了 Ruby docs 。我对FluentD不太熟悉,但据我所知,时间格式表达式应该适合吗?我试过了 format=none 但这也行不通。