I want to increase the maximum size of messages stored in Graylog via Elasticsearch.
The maximum message size is 32 kb.
So I updated the mapping to remove the index on full_message:
graylog-custom-mapping.json:
{
  "template": "graylog_*",
  "mappings": {
    "message": {
      "properties": {
        "full_message": {
          "index": "no",
          "doc_values": false,
          "type": "string"
        }
      }
    }
  }
}
curl -X PUT -d @'graylog-custom-mapping.json' 'http://localhost:9200/_template/graylog-custom-mapping?pretty'
{
  "acknowledged" : true
}
I created a new Graylog index (graylog_5) from the Graylog UI (System > Indices > Maintenance > Manually cycle deflector).
But my mapping does not seem to be picked up:
curl -X GET 'http://localhost:9200/graylog_5/_mapping/message'
...
"full_message": {
"type": "string",
"analyzer": "standard"
},
...
My active templates:
{
  "graylog-internal": {
    "order": -2147483648,
    "template": "graylog_*",
    "settings": {
      "index": {
        "analysis": {
          "analyzer": {
            "analyzer_keyword": {
              "filter": "lowercase",
              "tokenizer": "keyword"
            }
          }
        }
      }
    },
    "mappings": {
      "message": {
        "_source": {
          "enabled": true
        },
        "dynamic_templates": [
          {
            "internal_fields": {
              "mapping": {
                "index": "not_analyzed",
                "type": "string"
              },
              "match": "gl2_*"
            }
          },
          {
            "store_generic": {
              "mapping": {
                "index": "not_analyzed"
              },
              "match": "*"
            }
          }
        ],
        "properties": {
          "full_message": {
            "analyzer": "standard",
            "index": "analyzed",
            "type": "string"
          },
          "streams": {
            "index": "not_analyzed",
            "type": "string"
          },
          "source": {
            "analyzer": "analyzer_keyword",
            "index": "analyzed",
            "type": "string"
          },
          "message": {
            "analyzer": "standard",
            "index": "analyzed",
            "type": "string"
          },
          "timestamp": {
            "format": "yyyy-MM-dd HH:mm:ss.SSS",
            "type": "date"
          }
        }
      }
    },
    "aliases": {}
  },
  "graylog-custom-mapping": {
    "order": 0,
    "template": "graylog_*",
    "settings": {},
    "mappings": {
      "message": {
        "properties": {
          "full_message": {
            "index": "no",
            "type": "string",
            "doc_values": false
          }
        }
      }
    },
    "aliases": {}
  }
}
What is wrong with my configuration?
Graylog 2.1.2 + ES 2.4.2
I have the following logs:
[2018-02-16 16:26:36,598][INFO ][cluster.metadata ] [Zero] [graylog_5] creating index, cause [api], templates [graylog-internal, graylog-custom-mapping], shards [4]/[0], mappings [message]
[2018-02-16 16:26:37,091][INFO ][cluster.routing.allocation] [Zero] Cluster health status changed from [RED] to [GREEN] (reason: [shards started [[graylog_5][1], [graylog_5][2], [graylog_5][0], [graylog_5][2], [graylog_5][0]] ...]).
[2018-02-16 16:27:03,665][INFO ][cluster.metadata ] [Zero] [graylog_5] update_mapping [message]
[2018-02-16 16:27:03,816][INFO ][cluster.metadata ] [Zero] [graylog_5] update_mapping [message]
THX
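Before blaming the shipper, a practitioner would want to confirm what the two templates listed in the creation log line should produce once merged, and compare that with the mapping the index actually ended up with. The script below is an added example, not code from the question or from Graylog: it applies the documented Elasticsearch rule that templates matching an index name are applied from lowest `order` to highest, with later ones overriding earlier ones, using a plain recursive dictionary merge as an approximation of how Elasticsearch merges field properties (an assumption). The template data and the observed index mapping are reduced copies of what the question shows, trimmed to the `full_message` field.

```python
import fnmatch
from copy import deepcopy

# Constructed sample: the two templates from the question, reduced to the
# full_message field. Orders and values are copied from the page.
TEMPLATES = {
    "graylog-internal": {
        "order": -2147483648,
        "template": "graylog_*",
        "mappings": {"message": {"properties": {
            "full_message": {"analyzer": "standard", "index": "analyzed", "type": "string"},
        }}},
    },
    "graylog-custom-mapping": {
        "order": 0,
        "template": "graylog_*",
        "mappings": {"message": {"properties": {
            "full_message": {"index": "no", "type": "string", "doc_values": False},
        }}},
    },
}

# The mapping the question shows for graylog_5 after creation (excerpt).
ACTUAL_INDEX_MAPPING = {"message": {"properties": {
    "full_message": {"type": "string", "analyzer": "standard"},
}}}


def index_matches(pattern, index_name):
    """Elasticsearch template patterns are glob-like; fnmatch is close enough here."""
    return fnmatch.fnmatchcase(index_name, pattern)


def deep_merge(base, override):
    """Recursive dict merge: keys in override win, nested dicts are merged.
    Assumed approximation of how Elasticsearch merges template mappings."""
    merged = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = deepcopy(value)
    return merged


def expected_mapping(templates, index_name):
    """Return (merged mappings, application order) for every template whose
    pattern matches index_name, applied from lowest order to highest."""
    applicable = [(t["order"], name, t)
                  for name, t in templates.items()
                  if index_matches(t["template"], index_name)]
    applicable.sort(key=lambda item: item[0])
    merged = {}
    for _, _, template in applicable:
        merged = deep_merge(merged, template.get("mappings", {}))
    return merged, [name for _, name, _ in applicable]


def field_differences(expected, actual, doc_type="message"):
    """Fields whose expected properties differ from what the index reports.
    Only fields present in the actual (possibly excerpted) mapping are compared."""
    exp_props = expected.get(doc_type, {}).get("properties", {})
    act_props = actual.get(doc_type, {}).get("properties", {})
    return {
        field: {"expected": exp_props.get(field), "actual": act_props[field]}
        for field in act_props
        if exp_props.get(field) != act_props[field]
    }


if __name__ == "__main__":
    merged, order = expected_mapping(TEMPLATES, "graylog_5")
    print("templates applied in order:", order)
    print("expected full_message:", merged["message"]["properties"]["full_message"])
    for field, diff in field_differences(merged, ACTUAL_INDEX_MAPPING).items():
        print(f"MISMATCH on {field}: expected {diff['expected']}, index has {diff['actual']}")
```

Run against the page's data, the script reports the same application order the creation log shows (`graylog-internal`, then `graylog-custom-mapping`), predicts `"index": "no"` for `full_message`, and flags the mismatch against the mapping the index actually reports. A mismatch like that is the signal to look elsewhere than the template ordering, which is where the answers below end up.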
Answer 0: (score: 0)
The problem was not the Elasticsearch index but the maximum message size sent over the rsyslog UDP protocol.
To fix it, edit
/etc/rsyslog.conf
and define
$MaxMessageSize 256k
on the first line.
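Silent truncation at the shipper is a log-integrity problem: the fields that are cut off never reach the SIEM, and nothing in Graylog tells you so. The check below is an added example, not part of the answer, that verifies an rsyslog configuration sets `$MaxMessageSize` to at least the size you need and places it before any module load or input definition, which is the "first line" placement the answer describes (the requirement that it precede `$ModLoad`, `module(` and `input(` lines is this check's assumption). The two configuration fragments are constructed samples, and the size-suffix handling (`k`, `m`, `g`) is an assumption about rsyslog's legacy syntax.

```python
import re

# Constructed sample configurations, not taken from the page.
GOOD_CONF = """# directive placed before any module is loaded
$MaxMessageSize 256k
$ModLoad imudp
$UDPServerRun 514
*.* @@graylog.example.internal:12201
"""

BAD_CONF = """$ModLoad imudp
$UDPServerRun 514
$MaxMessageSize 16k
"""

# Assumed legacy-syntax shapes: "$MaxMessageSize 256k" and loader/input lines.
SIZE_RE = re.compile(r"^\s*\$MaxMessageSize\s+(\d+)([kKmMgG]?)\s*$")
LOADER_RE = re.compile(r"^\s*(\$ModLoad\b|module\s*\(|input\s*\()")
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(number, unit):
    """Convert '256', 'k' into bytes."""
    return int(number) * UNITS[unit.lower()]


def check_max_message_size(conf_text, required_bytes):
    """Return (ok, findings). ok is True only when $MaxMessageSize is present,
    is at least required_bytes, and precedes every module load / input line."""
    findings = []
    size_line = size_bytes = first_loader_line = None
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = SIZE_RE.match(line)
        if match and size_line is None:
            size_line, size_bytes = lineno, parse_size(*match.groups())
            continue
        if first_loader_line is None and LOADER_RE.match(line):
            first_loader_line = lineno
    if size_line is None:
        findings.append("no $MaxMessageSize directive: rsyslog's built-in default "
                        "applies and longer messages are truncated")
    else:
        if size_bytes < required_bytes:
            findings.append(f"$MaxMessageSize is {size_bytes} bytes on line {size_line}, "
                            f"below the required {required_bytes} bytes")
        if first_loader_line is not None and size_line > first_loader_line:
            findings.append(f"$MaxMessageSize on line {size_line} comes after a module/input "
                            f"line ({first_loader_line}); move it to the top of the file")
    return (not findings), findings


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        ok, findings = check_max_message_size(conf, required_bytes=32 * 1024)
        print(name, "OK" if ok else "FAIL")
        for finding in findings:
            print("  -", finding)
```

The threshold passed in (`32 * 1024`) is the limit the question observed; raise it to whatever your largest expected event is, and keep the check in configuration review so a later edit that pushes the directive below an input definition is caught before messages start getting clipped again.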
Answer 1: (score: 0)
I had the same problem with nxlog. Changing the ShortMessageLength value in etc/nxlog/nxlog.conf solved my problem. I hope it may be useful to someone.