Filebeat cannot send data to Logstash

Time: 2018-01-20 15:19:12

Tags: logstash filebeat

I have a problem sending data from *.log files to Logstash. This is the Filebeat configuration:

filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /home/centos/logs/*.log  
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
setup.kibana:
output.logstash:
  hosts: "10.206.81.234:5044"

This is the Logstash configuration:

path.data: /var/lib/logstash
path.config: /etc/logstash/conf.d/*.conf
path.logs: /var/log/logstash
xpack.monitoring.elasticsearch.url: ["10.206.81.236:9200", "10.206.81.242:9200", "10.206.81.243:9200"]
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: logstash
queue.type: persisted
queue.checkpoint.writes: 10

This is the pipeline in /etc/logstash/conf.d/test.conf:

input {
    beats {
        port => "5044"
    }
    file{
        path => "/home/centos/logs/mylogs.log"
        tags => "mylog"
    }
    file{
        path => "/home/centos/logs/syslog.log"
        tags => "syslog"
    }
}
filter {
}
output {
    if [tag] == "mylog" {
        elasticsearch {
            hosts => [ "10.206.81.246:9200", "10.206.81.236:9200", "10.206.81.243:9200" ]
            user => "Test"
            password => "123456"
            index => "mylog-%{+YYYY.MM.dd}"
        }
    }

    if [tag] == "syslog" {
        elasticsearch {
            hosts => [ "10.206.81.246:9200", "10.206.81.236:9200", "10.206.81.243:9200" ]
            user => "Test"
            password => "123456"
            index => "syslog-%{+YYYY.MM.dd}"
        }
    }
}

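I tried to set up two separate outputs for mylog and syslog. At first, it worked like this: everything was passed to the mylog-%{+YYYY.MM.dd} index, even the files from syslog. So I tried changing the second if statement to else if. It didn't work, so I changed it back. Now my Filebeat node cannot send data to Logstash, and I get these errors: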

2018/01/20 15:02:10.959887 async.go:235: ERR Failed to publish events caused by: EOF
2018/01/20 15:02:10.964361 async.go:235: ERR Failed to publish events caused by: client is not connected
2018/01/20 15:02:11.964028 output.go:92: ERR Failed to publish events: client is not connected

In my second test I changed my pipeline:

input {
    beats {
        port => "5044"
    }
    file{
        path => "/home/centos/logs/mylogs.log"
    }
}
filter {
    grok{
        match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
    }
}
output {
    elasticsearch {
        hosts => [ "10.206.81.246:9200", "10.206.81.236:9200", "10.206.81.243:9200" ]
        user => "Test"
        password => "123456"
        index => "mylog-%{+YYYY.MM.dd}"
    }
}

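If I add some lines to the mylog.log file, Filebeat prints the same ERR messages, but the data is passed to Logstash and I can see it in Kibana. Can anyone explain why it doesn't work? What do these errors mean?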

I am using Filebeat and Logstash version 6.1.

1 answer:

Answer 0: (score: 0)

Sorry if I make mistakes in English.

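In the output section, you are using "tag" (note: singular form), which does not exist. But changing it to "tags" should not work either, because the field tags is an array and you are comparing it with a string, so you should get the first item instead of the whole array and then compare. Try this: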

if [tags][0] == "mylog" { ......
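
An added example, not part of the original question or answer: the same pipeline with the output conditionals written as membership tests on the `tags` array, which match wherever the tag sits in the array. The `ES_PWD` environment variable and the `untagged-` index name are assumptions made for this example.

```logstash
input {
    beats {
        port => "5044"
    }
    file {
        path => "/home/centos/logs/mylogs.log"
        tags => ["mylog"]
    }
    file {
        path => "/home/centos/logs/syslog.log"
        tags => ["syslog"]
    }
}
filter {
}
output {
    # [tags] is an array, so test membership with "in" rather than comparing with ==
    if "mylog" in [tags] {
        elasticsearch {
            hosts => [ "10.206.81.246:9200", "10.206.81.236:9200", "10.206.81.243:9200" ]
            user => "Test"
            # Assumption: the password is exported as ES_PWD in the Logstash
            # service environment instead of being written into the pipeline file.
            password => "${ES_PWD}"
            index => "mylog-%{+YYYY.MM.dd}"
        }
    } else if "syslog" in [tags] {
        elasticsearch {
            hosts => [ "10.206.81.246:9200", "10.206.81.236:9200", "10.206.81.243:9200" ]
            user => "Test"
            password => "${ES_PWD}"
            index => "syslog-%{+YYYY.MM.dd}"
        }
    } else {
        # Events carrying neither tag (the beats input above sets none)
        # would otherwise match no branch and never be indexed.
        # "untagged-" is a constructed index name for this example.
        elasticsearch {
            hosts => [ "10.206.81.246:9200", "10.206.81.236:9200", "10.206.81.243:9200" ]
            user => "Test"
            password => "${ES_PWD}"
            index => "untagged-%{+YYYY.MM.dd}"
        }
    }
}
```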