ELK stack + Filebeat for collecting Rails logs

Time: 2017-02-10 07:11:59

Tags: ruby-on-rails logstash kibana logstash-configuration filebeat

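I have installed an ELK stack on a virtual machine, and I want to collect logs from some Ruby on Rails applications.

On each VM where I have a Rails application, I have installed Filebeat with this configuration: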

filebeat:
  prospectors:
    -
      paths:
        - path_to_rails_log_file.log
      input_type: log
      fields_under_root: true
      fields:
        tags: ['json']

output:
  logstash:
    hosts: ["192.168.1.232:5044"]
    bulk_max_size: 1024
    tls:
      certificate_authorities: ["path_to_certificate.crt"]

shipper:
logging:
  files:
    rotateeverybytes: 10485760 # = 10MB

On the VM with the ELK stack, I have 02-beats-input.conf

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/filebeat-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/filebeat-forwarder.key"
  }
}

filter {
 if [tag][json] { 
   json {
     source => "message"
   }
 }
}
output {
 elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
 }
}

I don't understand why my logs look like this in the Kibana web interface:

message: {"method":"GET","path":"/","format":"html","controller":"application","action":"index","status":200, "duration":7.91,"view":0.31,"db":0.0,"ip":"req_ip","route":"application#index","request_id":"some_id","source":"127.0.1.1","tags":["request"],"@timestamp":"2017-02-10T06:52:01.984Z","@version":"1"} @version:1 @timestamp:February 10th 2017, 08:52:10.451 offset:25,747 type:log tags:json, beats_input_codec_plain_applied beat.hostname:deployer-VirtualBox

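I would like, if possible, each entry to be the content under the key "message", without that key.

What am I doing wrong? :(

P.S. My Rails logs are in JSON format, and I am reading that file from Filebeat.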

1 Answer:

Answer 0: (score: 1)

In the Logstash configuration, you should probably replace if [tag][json] { with if [tags][json] {
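
An added example, not part of the question or the answer above: a filter block for 02-beats-input.conf that checks the tags field with Logstash's array membership operator and drops the raw message once it has been parsed. It assumes tags reaches Logstash as an array, as the Kibana output in the question shows (tags: json, beats_input_codec_plain_applied).

```logstash
filter {
  # "tags" is an array on the event, so test for membership of "json"
  # with the `in` operator.
  if "json" in [tags] {
    json {
      source => "message"
      # No "target" is set, so the parsed keys are written at the root
      # of the event. Keys in the Rails JSON that share a name with
      # existing event fields (for example "tags" and "source" in the
      # sample line) replace those fields.
      #
      # remove_field is applied only when parsing succeeds, so a
      # malformed line keeps its raw "message" for inspection.
      remove_field => ["message"]
      # Events that fail to parse are tagged and can be searched for
      # in Kibana under this tag.
      tag_on_failure => ["_jsonparsefailure"]
    }
  }
}
```

Running `logstash --config.test_and_exit -f` against the file (or `--configtest` on Logstash 2.x) validates the syntax before the service is restarted.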