Increase the maximum size of log messages

Time: 2018-02-18 22:53:40

Tags: elasticsearch graylog2

I want to increase the maximum size of the messages stored in Graylog using Elasticsearch.

The maximum message size is 32 kb

So I updated the mapping to remove the index on full_message:

graylog-custom-mapping.json

{
  "template": "graylog_*",
  "mappings": {
    "message": {
      "properties": {
        "full_message": {
          "index": "no",
          "doc_values": false,
          "type": "string"
        }
      }
    }
  }
}

curl -X PUT -d @'graylog-custom-mapping.json' 'http://localhost:9200/_template/graylog-custom-mapping?pretty'

{
  "acknowledged" : true
}

I created a new Graylog index (graylog_5) from the Graylog interface (System > Indices > Maintenance > Manually cycle deflector)

But my mapping does not seem to be taken into account:

curl -X GET 'http://localhost:9200/graylog_5/_mapping/message'

...
"full_message": {
    "type": "string",
    "analyzer": "standard"
},
...

My active templates:

{
  "graylog-internal": {
    "order": -2147483648,
    "template": "graylog_*",
    "settings": {
      "index": {
        "analysis": {
          "analyzer": {
            "analyzer_keyword": {
              "filter": "lowercase",
              "tokenizer": "keyword"
            }
          }
        }
      }
    },
    "mappings": {
      "message": {
        "_source": {
          "enabled": true
        },
        "dynamic_templates": [
          {
            "internal_fields": {
              "mapping": {
                "index": "not_analyzed",
                "type": "string"
              },
              "match": "gl2_*"
            }
          },
          {
            "store_generic": {
              "mapping": {
                "index": "not_analyzed"
              },
              "match": "*"
            }
          }
        ],
        "properties": {
          "full_message": {
            "analyzer": "standard",
            "index": "analyzed",
            "type": "string"
          },
          "streams": {
            "index": "not_analyzed",
            "type": "string"
          },
          "source": {
            "analyzer": "analyzer_keyword",
            "index": "analyzed",
            "type": "string"
          },
          "message": {
            "analyzer": "standard",
            "index": "analyzed",
            "type": "string"
          },
          "timestamp": {
            "format": "yyyy-MM-dd HH:mm:ss.SSS",
            "type": "date"
          }
        }
      }
    },
    "aliases": {}
  },
  "graylog-custom-mapping": {
    "order": 0,
    "template": "graylog_*",
    "settings": {},
    "mappings": {
      "message": {
        "properties": {
          "full_message": {
            "index": "no",
            "type": "string",
            "doc_values": false
          }
        }
      }
    },
    "aliases": {}
  }
}

What is wrong with my configuration?

Graylog 2.1.2 + ES 2.4.2

I have the following logs:

[2018-02-16 16:26:36,598][INFO ][cluster.metadata         ] [Zero] [graylog_5] creating index, cause [api], templates [graylog-internal, graylog-custom-mapping], shards [4]/[0], mappings [message]
[2018-02-16 16:26:37,091][INFO ][cluster.routing.allocation] [Zero] Cluster health status changed from [RED] to [GREEN] (reason: [shards started [[graylog_5][1], [graylog_5][2], [graylog_5][0], [graylog_5][2], [graylog_5][0]] ...]).
[2018-02-16 16:27:03,665][INFO ][cluster.metadata         ] [Zero] [graylog_5] update_mapping [message]
[2018-02-16 16:27:03,816][INFO ][cluster.metadata         ] [Zero] [graylog_5] update_mapping [message]

THX
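As an added check (Python, not part of the question and not Graylog's or Elasticsearch's own code): the script below emulates how Elasticsearch 2.x combines several index templates that match the same index. Matching templates are applied in ascending `order`, and a higher order overrides the settings and mapping properties set by a lower one, so an order-0 template does take precedence over graylog-internal's Integer.MIN_VALUE order. The script computes the mapping the two templates from the question predict for graylog_5 and reports where the mapping the cluster actually returned disagrees with that prediction. The template contents are trimmed copies of the ones shown above; the merge and comparison logic is this example's own and is an emulation, not a call into Elasticsearch.

```python
"""Added example, not code from the original question or from Graylog.

Emulates how Elasticsearch 2.x combines several index templates that match
the same index: matching templates are applied in ascending `order`, and a
template with a higher order overrides settings and mapping properties set
by a lower one.  The templates below are trimmed copies of the two shown in
the question; OBSERVED is the `_mapping/message` snippet returned for
graylog_5.
"""
import copy
import fnmatch

# Constructed from the question's `_template` output, trimmed to the
# properties that matter for full_message.
TEMPLATES = {
    "graylog-internal": {
        "order": -2147483648,
        "template": "graylog_*",
        "mappings": {"message": {"properties": {
            "full_message": {"analyzer": "standard", "index": "analyzed",
                             "type": "string"},
            "message": {"analyzer": "standard", "index": "analyzed",
                        "type": "string"},
        }}},
    },
    "graylog-custom-mapping": {
        "order": 0,
        "template": "graylog_*",
        "mappings": {"message": {"properties": {
            "full_message": {"index": "no", "type": "string",
                             "doc_values": False},
        }}},
    },
}

# What the cluster actually reported for graylog_5 (from the question).
OBSERVED = {"full_message": {"type": "string", "analyzer": "standard"}}


def deep_merge(base, override):
    """Return `base` updated by `override`, recursing into nested dicts so a
    higher-order template only replaces the keys it actually sets."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def matching_templates(templates, index_name):
    """Templates whose pattern matches `index_name`, lowest order first."""
    hits = [(name, tmpl) for name, tmpl in templates.items()
            if fnmatch.fnmatchcase(index_name, tmpl["template"])]
    return sorted(hits, key=lambda item: item[1]["order"])


def effective_mapping(templates, index_name, doc_type="message"):
    """Mapping the templates predict for a newly created index."""
    result = {}
    for _name, tmpl in matching_templates(templates, index_name):
        result = deep_merge(result, tmpl.get("mappings", {}).get(doc_type, {}))
    return result


def field_mismatches(expected_props, observed_props):
    """For each expected field, the keys whose live value differs from the
    template prediction, as {field: {key: (expected, observed)}}."""
    bad = {}
    for field, spec in expected_props.items():
        live = observed_props.get(field, {})
        diffs = {k: (v, live.get(k)) for k, v in spec.items()
                 if live.get(k) != v}
        if diffs:
            bad[field] = diffs
    return bad


def check_index(index_name="graylog_5"):
    """Compare the predicted full_message mapping with what was observed."""
    predicted = effective_mapping(TEMPLATES, index_name)["properties"]
    return field_mismatches({"full_message": predicted["full_message"]},
                            OBSERVED)


if __name__ == "__main__":
    for name, tmpl in matching_templates(TEMPLATES, "graylog_5"):
        print(f"{name}: order {tmpl['order']}")
    print("predicted:",
          effective_mapping(TEMPLATES, "graylog_5")["properties"]["full_message"])
    print("mismatches:", check_index())
```

Run as-is it lists both templates in the order they are applied, prints the merged full_message definition (index "no", doc_values false, analyzer inherited from graylog-internal) and then reports that the live index carries neither of the two overriding keys. The point is only that template precedence is not what is wrong here; the script does not explain the live mapping, and the answers below locate the truncation on the sending side rather than in Elasticsearch.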

2 answers:

Answer 0: (score: 0)

The problem was not the Elasticsearch index but the maximum message size uploaded over the rsyslog UDP protocol.

To fix it:

/etc/rsyslog.conf

and define

$MaxMessageSize 256k

on the first line.
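An added demonstration (Python, not part of the answer above and not rsyslog code) of what an undersized receiver limit does to a long syslog line: the listener reads each UDP datagram into a fixed-size buffer, which is the effect of a collector whose maximum message size is too small, so a message longer than the buffer arrives cut off and its tail is silently discarded. The 8192-byte limit stands in for rsyslog's documented 8k default, the message is a constructed RFC 3164-style line rather than captured traffic, and delivery goes over loopback so nothing external is needed. Two caveats go with a setting like $MaxMessageSize 256k: a single IPv4 UDP datagram cannot carry more than 65507 bytes of payload, so a limit that large only fully applies over TCP or RELP; and whatever falls past the limit never reaches Graylog at all, so the tail of a long line is exactly where content an attacker does not want logged ends up.

```python
"""Added example, not from the answer above or from rsyslog.

Shows how a receiver that reads each UDP datagram into a fixed-size buffer
(the effect of a too-small maximum message size) silently drops the tail
of a long syslog line.  Uses a loopback listener; no external host needed.
"""
import socket

RSYSLOG_DEFAULT_LIMIT = 8192   # rsyslog's default $MaxMessageSize (8k)
GENEROUS_LIMIT = 65535         # large enough for any single UDP datagram


def build_syslog_line(total_len, tag="sshd", pri=38):
    """Constructed RFC 3164-style message padded to exactly total_len bytes.
    A marker sits at the very end so truncation is easy to detect."""
    header = f"<{pri}>{tag}: ".encode()
    marker = b" END-OF-MESSAGE"
    padding = b"x" * (total_len - len(header) - len(marker))
    return header + padding + marker


def deliver_over_udp(message, recv_buffer):
    """Send `message` to a loopback UDP listener that reads at most
    `recv_buffer` bytes per datagram; return what the listener got."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # Lift the socket buffers so the datagram itself is never the limit
        # (macOS defaults to a 9 KiB UDP send buffer).
        sender.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 262144)
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 262144)
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2.0)
        sender.sendto(message, listener.getsockname())
        # recvfrom with a buffer smaller than the datagram returns only the
        # first recv_buffer bytes; the kernel discards the rest.
        data, _addr = listener.recvfrom(recv_buffer)
    finally:
        sender.close()
        listener.close()
    return data


def truncation_report(message_len, recv_buffer):
    """Return (bytes_received, marker_survived) for one delivery."""
    sent = build_syslog_line(message_len)
    got = deliver_over_udp(sent, recv_buffer)
    return len(got), got.endswith(b"END-OF-MESSAGE")


if __name__ == "__main__":
    for limit in (RSYSLOG_DEFAULT_LIMIT, GENEROUS_LIMIT):
        n, intact = truncation_report(12000, limit)
        print(f"limit {limit:>5}: received {n} bytes, intact={intact}")
```

With a 12000-byte line, the 8192-byte receiver returns exactly 8192 bytes and the end marker is gone; the 65535-byte receiver returns the whole line. The same check, pointed at a real collector, is the quickest way to confirm where a long message is being cut before touching the Elasticsearch mapping.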

Answer 1: (score: 0)

I had the same problem with nxlog. Changing the ShortMessageLength value in etc/nxlog/nxlog.conf solved my problem. I hope it may be useful to someone.