必须将以下部分添加到/System/Library/LaunchDaemons/com.apple.syslogd.plist以激活端口514上的udp以获取syslogd
<key>NetworkListener</key>
<dict>
<key>SockServiceName</key>
<string>syslog</string>
<key>SockType</key>
<string>dgram</string>
</dict>
/ etc / services有条目
shell 514/tcp # cmd
syslog 514/udp #
syslog-conn 601/udp # Reliable Syslog Service
syslog-conn 601/tcp # Reliable Syslog Service
运行logstash-1.4.0 / bin / logstash -f logstash-syslog.conf给出:
syslog tcp listener died {:address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2)>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:124:in `initialize'", "org/jruby/RubyIO.java:852:in `new'", "/Users/priyankb/Documents/logstash-1.4.0/lib/logstash/inputs/syslog.rb:135:in `tcp_listener'", "/Users/priyankb/Documents/logstash-1.4.0/lib/logstash/inputs/syslog.rb:90:in `run'"], :level=>:warn}
使用sudo运行它:
syslog udp listener died {:address=>"0.0.0.0:514", :exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:160:in `bind'", "/Users/priyankb/Documents/logstash-1.4.0/lib/logstash/inputs/syslog.rb:116:in `udp_listener'", "/Users/priyankb/Documents/logstash-1.4.0/lib/logstash/inputs/syslog.rb:76:in `run'"], :level=>:warn}
sudo lsof -ni -P | grep -i 514
launchd 1 root 25u IPv4 0x4ec86f4f62c22bb5 0t0 UDP *:514
launchd 1 root 26u IPv6 0x4ec86f4f746ca4f5 0t0 UDP *:514
mDNSRespo 47 _mdnsresponder 49u IPv4 0x4ec86f4f62c1faf5 0t0 UDP *:51446
mDNSRespo 47 _mdnsresponder 50u IPv6 0x4ec86f4f62c1f2d5 0t0 UDP *:51446
mDNSRespo 47 _mdnsresponder 58u IPv4 0x4ec86f4f63fd7175 0t0 UDP *:51437
mDNSRespo 47 _mdnsresponder 59u IPv6 0x4ec86f4f62c1f475 0t0 UDP *:51437
syslogd 655 root 6u IPv4 0x4ec86f4f62c22bb5 0t0 UDP *:514
syslogd 655 root 7u IPv6 0x4ec86f4f746ca4f5 0t0 UDP *:514
以下是我的logstash配置的内容:
input {
syslog {
}
}
filter {
json {
source => "message"
}
}
filter {
if ["program"] == "myprogram" {
date {
match => [ "timestamp_rcvd", "UNIX_MS" ]
}
date {
match => [ "timestamp_rcvd", "UNIX_MS" ]
target => "timestamp_rcvd"
}
date {
match => [ "timestamp", "UNIX_MS" ]
target => "timestamp"
}
}
}
filter {
mutate {
remove_field => [ "facility", "message", "@version", "host", "priority", "severity", "facility_label", "severity_label" ]
}
}
output {
stdout { }
elasticsearch { embedded => true }
}
我正在Mac Pro上做这一切。在Google上搜索类似的问题会让我进入https://logstash.jira.com/browse/LOGSTASH-840
答案 0 :(得分:0)
关闭syslogd
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
然后运行logstash工作。希望它可以帮助其他类似问题。