我发现我的logstash丢失了消息。出于测试目的,我已将关键字" MEM" 添加到Multihub-log,后者每隔一分钟显示在日志文件中。我等了几分钟没有任何结果。
之后我从配置中删除了 MultihubTST2-log 和 MultihubTST3-log ,之后我才收到zabbix通知(来自logstash)输出)。
请告知如何解决此问题,我的配置文件可能有问题。
我的配置文件如下:
input {
file {
path => ["C:\QUIK\Multihub\multihub.log"]
type => "Multihub-log"
codec => plain { charset => "UTF-8" }
start_position => "end"
stat_interval => 1
discover_interval => 5
sincedb_path => "C:\Progra~1\logstash\sincedb\sincedb_multihub"
}
file {
path => ["C:\QUIK\Multihub_TST2\multihub.log"]
type => "MultihubTST2-log"
codec => plain { charset => "UTF-8" }
start_position => "end"
stat_interval => 1
discover_interval => 5
sincedb_path => "C:\Progra~1\logstash\sincedb\sincedb_multihubtst2"
}
file {
path => ["C:\QUIK\Multihub_TST3\multihub.log"]
type => "MultihubTST3-log"
codec => plain { charset => "UTF-8" }
start_position => "end"
stat_interval => 1
discover_interval => 5
sincedb_path => "C:\Progra~1\logstash\sincedb\sincedb_multihubtst3"
}
}
filter {
if [type] == "Multihub-log" and [message] !~ /MEM|exception|Disconnect|Down|Fail|Unavailable|gate/ {
drop {}
}
mutate {
add_field => { "[@metadata][zabbix_key_mhub]" => "mhub.prod1" }
}
if [type] == "MultihubTST2-log" and [message] !~ /MEM|exception|Disconnect|Down|Fail|Unavailable|gate/ {
drop {}
}
mutate {
add_field => { "[@metadata][zabbix_key_tst2]" => "mhub.tst2" }
}
if [type] == "MultihubTST3-log" and [message] !~ /MEM|exception|Disconnect|Down|Fail|Unavailable|gate/ {
drop {}
}
mutate {
add_field => { "[@metadata][zabbix_key_tst3]" => "mhub.tst3" }
}
}
output {
if [type] == "Multihub-log" {
zabbix {
zabbix_host => "host"
zabbix_key => "[@metadata][zabbix_key_mhub]"
zabbix_server_host => "10.1.110.71"
zabbix_value => "message"
}
}
if [type] == "MultihubTST2-log" {
zabbix {
zabbix_host => "host"
zabbix_key => "[@metadata][zabbix_key_tst2]"
zabbix_server_host => "10.1.110.71"
zabbix_value => "message"
}
}
if [type] == "MultihubTST3-log" {
zabbix {
zabbix_host => "host"
zabbix_key => "[@metadata][zabbix_key_tst3]"
zabbix_server_host => "10.1.110.71"
zabbix_value => "message"
}
}
stdout { codec => rubydebug }
}
提前致谢!