我正面临以下错误:
无法获取午睡。你有与模式匹配的指数吗?
我正在使用Ubuntu 14.04版本。我的IP是192.168.100.93。
以下是我的配置。在这里,我测试了elasticsearch,结果是:
root@IT-PC:/etc/logstash/conf.d# curl -X GET http://localhost:9200
{
"name" : "Isaiah Bradley",
"cluster_name" : "elasticsearch",
"version" : {
"number" : "2.3.5",
"build_hash" : "90f439ff60a3c0f497f91663701e64ccd01edbb4",
"build_timestamp" : "2016-07-27T10:36:52Z",
"build_snapshot" : false,
"lucene_version" : "5.5.0"
},
"tagline" : "You Know, for Search"
}
root@IT-PC:/etc/logstash/conf.d# sudo nano 01-inputs.conf
#tcp syslog stream via 5140
input {
tcp {
type => "syslog"
port => 5140
}
}
#udp syslogs tream via 5140
input {
udp {
type => "syslog"
port => 5140
}
}
root@IT-PC:/etc/logstash/conf.d# sudo nano 10-syslog.conf
filter {
if [type] == "syslog" {
#change to pfSense ip address
if [host] =~ /192\.168\.100\.93/ {
mutate {
add_tag => ["PFSense", "Ready"]
}
}
if "Ready" not in [tags] {
mutate {
add_tag => [ "syslog" ]
}
}
}
}
filter {
if [type] == "syslog" {
mutate {
remove_tag => "Ready"
}
}
}
filter {
if "syslog" in [tags] {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%$
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
locale => "en"
}
if !("_grokparsefailure" in [tags]) {
mutate {
replace => [ "@source_host", "%{syslog_hostname}" ]
replace => [ "@message", "%{syslog_message}" ]
}
}
mutate {
remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
}
# if "_grokparsefailure" in [tags] {
# drop { }
# }
}
}
这是30-outputs.conf文件及其内容:
root@IT-PC:/etc/logstash/conf.d# sudo nano 30-outputs.conf
output {
elasticsearch {
hosts => localhost
index => "logstash-%{+YYYY.MM.dd}" }
# stdout { codec => rubydebug }
}
我不知道我在哪里犯错误。否则发送除Digital Ocean之外的一些URL以正确安装ELK。