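I am using ELK stack version 5.1.2, and I have a problem sending logs from a worker (node) to the central server. Everything I configured on localhost works perfectly, but in the development environment it does not. On localhost I used SSL, but now I have turned it off. So my Filebeat conf file is: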
filebeat.prospectors:
- input_type: log
  paths:
    - e:\logs\*.log
  document_type: xxx_log
output.logstash:
  hosts: ["xxxx:5043"]
logging.level: error
logging.to_syslog: true
logging.files:
  rotateeverybytes: 10485760 # = 10MB
Logstash configuration:
input {
  beats {
    port => "5043"
  }
}
filter {
  if [type] == "xxx_log" {
    multiline {
      pattern => "^TID"
      negate => true
      what => "previous"
    }
    grok {
      break_on_match => false
      match => [ "message", "TID: \[%{TIMESTAMP_ISO8601:timestamp}\] %{LOGLEVEL:level} \[%{JAVACLASS:java_class}\] \(%{GREEDYDATA:thread}\) - (?<log_message>(.|\r|\n)*)"]
    }
  }
}
output {
  elasticsearch {
    hosts => [ "localhost:9200" ]
    user => "elastic"
    password => "changeme"
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}
OK, when I add a line to the log file, for example:
TID: [2017-01-19 13:37:18] INFO [App.java] (main) - Info test...
Filebeat starts harvesting the data, and after a successful harvest I get:
ERR Failed to publish events caused by: write tcp yyyy:51992->xxxx:5043: wsasend: An existing connection was forcibly closed by the remote host.
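There is nothing in the Logstash log.
The firewall is off. When I open telnet from the WORK node on port 5043, the message arrives at the central server, because Logstash says in its log file that I am sending an invalid frame type; for example, I just send some POST to test that port 5043 is open. So the port is open, but Elastic is empty. Sometimes, and I don't know why, I get this error in the Filebeat log: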
wsarecv: An existing connection was forcibly closed by the remote host.
This line produces the following in the Logstash log:
11:45:31.094 [nioEventLoopGroup-4-2] ERROR org.logstash.beats.BeatsHandler - Exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 83
13:31:43.139 [nioEventLoopGroup-4-4] ERROR org.logstash.beats.BeatsHandler - Exception: An existing connection was forcibly closed by the remote host
Thanks for any advice. 雅罗
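
Added example, not part of the original post: a small Python helper that decodes the byte value Logstash reports in "Invalid Frame Type, received: 83" and classifies the first bytes of a connection to the beats port. It assumes the Lumberjack framing used by Beats (a version byte '1' or '2' followed by a frame-type byte); the function names and sample inputs are constructed for illustration.

```python
import re
import struct

# Frame-type bytes of the Lumberjack protocol spoken by Beats (assumed layout:
# byte 0 = version '1' or '2', byte 1 = frame type).
FRAME_TYPES = {
    ord("W"): "window size",
    ord("J"): "JSON event",
    ord("D"): "key/value event",
    ord("C"): "compressed batch",
    ord("A"): "ack",
}

def describe_byte(value: int) -> str:
    """Render a byte as decimal, hex and (if printable) ASCII."""
    text = repr(chr(value)) if 32 <= value < 127 else "non-printable"
    return f"{value} (0x{value:02x}, {text})"

def explain_log_line(line: str):
    """Decode the number in a Logstash 'Invalid Frame Type' error, or None."""
    m = re.search(r"Invalid Frame Type, received: (-?\d+)", line)
    if not m:
        return None
    value = int(m.group(1)) & 0xFF  # Java prints bytes as signed values
    known = FRAME_TYPES.get(value)
    return f"byte {describe_byte(value)} is " + (
        f"the {known} frame type" if known else "not a Beats frame type")

def classify_first_bytes(data: bytes) -> str:
    """Say what the first bytes received on the beats port look like."""
    if len(data) < 2:
        return "too short to classify"
    first, second = data[0], data[1]
    if first == 0x16 and second == 0x03:  # TLS record: handshake, version 3.x
        return "TLS handshake record"
    if first in (ord("1"), ord("2")) and second in FRAME_TYPES:
        desc = f"Beats v{chr(first)} {FRAME_TYPES[second]} frame"
        if second == ord("W") and len(data) >= 6:
            desc += f", window={struct.unpack('>I', data[2:6])[0]}"
        return desc
    return f"not a Beats frame, second byte {describe_byte(second)}"

if __name__ == "__main__":
    # Constructed samples: the log line from the post, then three byte strings.
    print(explain_log_line("BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 83"))
    for sample in (b"2W" + struct.pack(">I", 1024), b"\x16\x03\x01\x00\xa5", b"POST / HTTP/1.1\r\n"):
        print(classify_first_bytes(sample))
```

Feeding it the first bytes of a captured connection shows whether the peer sent a Beats frame, a TLS record, or plain text such as a hand-typed request.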