Question

运行时，我在logstash日志中遇到了这个异常。

[2018-01-14T15：42：00912]   [错误] [logstash.outputs.elasticsearch]   未知设置＆＃39;主持人＆＃39;对于弹性搜索       [2018-01-14T15：42：00,921] [错误] [logstash.agent]无法执行操作{：action =＆gt; LogStash :: PipelineAction :: Create /       pipeline_id：main，：exception =＆gt;＆＃34; LogStash :: ConfigurationError＆＃34;，       ：message =＆gt;＆＃34;您的配置出了问题。＆＃34;，        ：回溯=＆GT; [＆＃34;在/ usr /共享/ logstash / logstash核/ LIB / logstash /配置

/mixin.rb:89:in config_init "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:63:in初始化＆＃39;＆＃34;，   ＆＃34; /usr/share/logstash/logstash-core/lib/logstash/output_delegator_strategies/shared.rb：3：在   initialize'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator.rb:25:in初始化＆＃39;＆＃34 ;,   ＆＃34; /usr/share/logstash/logstash-core/lib/logstash/plugins/plugin_factory.rb：86：在   plugin'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:114:in插件＆＃39;＆＃34;，＆＃34;（eval）：87：在<eval>'","org/jruby/RubyKernel.java:994:in eval＆＃39;＆＃34;中，   ＆＃34; /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb：86：在   initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:171:in初始化＆＃39;＆＃34 ;,   ＆＃34; /usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb：40：在   execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:335:in块   在converge_state＆＃39;＆＃34;，   ＆＃34; /usr/share/logstash/logstash-core/lib/logstash/agent.rb：141：在   with_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:332:in块   在converge_state＆＃39;＆＃34;，＆＃34; org / jruby / RubyArray.java：1734：在each'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:319:in converge_state＆＃39;＆＃34;中，   ＆＃34; /usr/share/logstash/logstash-core/lib/logstash/agent.rb:166：在block in converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:in with_pipelines＆＃39;＆＃34;中，   ＆＃34; /usr/share/logstash/logstash-core/lib/logstash/agent.rb：164：在   converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:90:in执行＆＃39;＆＃34 ;,   ＆＃34; /usr/share/logstash/logstash-core/lib/logstash/runner.rb：343：在   block in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:24:in阻止初始化＆＃39;＆＃34;]}

这是我的配置：

   input{
 lumberjack {
  port => 5044
  type => "logs"
  ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
  ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
 }    
}


filter{
 if[type] == "syslog" {
   grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:sysylog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
     add_field => ["received_at", "%{@timestamp}" ] 
     add_field => ["received_from", "%{host}" ]
   }
   syslog_pri {}
   date {
     match => ["syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
   }
 }
}

output{
  elasticsearch { host =>localhost }
  stdout { codec => rubydebug }
}

我该如何解决？谢谢。我使用ELK的最新版本

Answer 1

如果您检查输出弹性搜索插件，它有主机参数它需要一个hosts参数和一个字符串数组 https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-hosts
我的logstash-＆gt;弹性插件如下所示：

elasticsearch{
  hosts=>["localhost:9200"]
  index=>"logstash-%{+YYYY.MM.dd}"
}

您可能还需要设置索引参数。

Logstash在运行

1 个答案: