我更改配置以添加地理位置字段后,整个系统崩溃。
当我的配置如下所示时,我的系统正常运行:
input {
syslog
{
host => "localhost4"
port => 5140
type => "system"
}
}
filter {
grok { match => { message => [ ".*ipaddr: %{IP:ipaddr}.*" ] }}
grok { match => { message => [ ".*dnsname: %{HOSTNAME:query_name}.*" ] }}
grok { match => { message => [ ".*mal_rank: %{NUMBER:malrank:int}.*" ] }}
grok { match => { message => [ ".*packet_size: %{NUMBER:packetsize:int}.*" ] }}
grok { match => { message => [ ".*source_ip: %{IP:sourceip}.*" ] }}
grok { match => { message => [ ".*dest_ip: %{IP:dest_ip}.*" ] }}
grok { match => { message => [ ".*source_ip: %{IP:src_ip}.*" ] }}
grok { match => { message => [ ".*sport: %{NUMBER:sport:int}.*" ] }}
}
output {
elasticsearch { hosts => ["localhost4:9200"] }
stdout { codec => rubydebug }
}
但是当我将代码添加到我的过滤器
时input {
syslog
{
host => "localhost4"
port => 5140
type => "system"
}
}
filter {
grok { match => { message => [ ".*ipaddr: %{IP:ipaddr}.*" ] }}
grok { match => { message => [ ".*dnsname: %{HOSTNAME:query_name}.*" ] }}
grok { match => { message => [ ".*mal_rank: %{NUMBER:malrank:int}.*" ] }}
grok { match => { message => [ ".*packet_size: %{NUMBER:packetsize:int}.*" ] }}
grok { match => { message => [ ".*source_ip: %{IP:sourceip}.*" ] }}
grok { match => { message => [ ".*dest_ip: %{IP:dest_ip}.*" ] }}
grok { match => { message => [ ".*source_ip: %{IP:src_ip}.*" ] }}
grok { match => { message => [ ".*sport: %{NUMBER:sport:int}.*" ] }}
geoip {
source => "ipaddr"
target => "geoip"
add_tag => ["geoip"]
database => "/etc/logstash/GeoLiteCity.dat"
}
}
output {
elasticsearch { hosts => ["localhost4:9200"] }
stdout { codec => rubydebug }
}
我可以运行curl命令并获得正确的输出
curl http://localhost:9200/logstash-2016.04.19/_mapping/system/field/geoip.location?pretty
并返回:
{
"logstash-2016.04.19" : {
"mappings" : {
"system" : {
"geoip.location" : {
"full_name" : "geoip.location",
"mapping" : {
"location" : {
"type" : "geo_point"
}
}
}
}
}
}
}
但是我没有得到任何东西,我的logstash停止从syslog中读取。
有什么建议吗?
答案 0 :(得分:0)
我不确定延迟是什么,但是如果我让系统等待大约一个小时,它会再次开始处理日志。我只是想确认这段代码是否正常运行。