Logstash - 存储RabbitMQ日志 - 多行

时间:2018-04-04 07:27:45

标签: rabbitmq logstash multiline logstash-configuration

我现在已经使用ELK大约六个月了,到目前为止它一直很棒。我正在使用logstash版本6.2.3。 RabbitMQ构成了我的分布式系统的核心(RabbitMQ本身是分布式的),因此跟踪RabbitMQ的日志非常重要。 这个论坛上的大多数其他对话似乎都使用RabbitMQ作为输入/输出阶段,但我只想监视日志。 我发现的唯一问题是RabbitMQ具有多行日志记录,如下所示:

/...aws path/

我找到了一个精彩的代码示例here,我已经将其剥离到了过滤阶段,因此它看起来像这样:

=WARNING REPORT==== 19-Nov-2017::06:53:14 ===
closing AMQP connection <0.27161.0> (...:32799 -> ...:5672, vhost: '/', user: 'worker'):
client unexpectedly closed TCP connection

=WARNING REPORT==== 19-Nov-2017::06:53:18 ===
closing AMQP connection <0.22410.0> (...:36656 -> ...:5672, vhost: '/', user: 'worker'):
client unexpectedly closed TCP connection

=WARNING REPORT==== 19-Nov-2017::06:53:19 ===
closing AMQP connection <0.26045.0> (...:55427 -> ...:5672, vhost: '/', user: 'worker'):
client unexpectedly closed TCP connection

=WARNING REPORT==== 19-Nov-2017::06:53:20 ===
closing AMQP connection <0.5484.0> (...:47740 -> ...:5672, vhost: '/', user: 'worker'):
client unexpectedly closed TCP connection

但是当我将其保存到conf文件并重新启动logstash时,我收到以下错误:

filter {
    if [type] == "rabbitmq" {
        codec => multiline {
            pattern => "^="
            negate => true
            what => "previous"
        }
        grok {
            type => "rabbit"
            patterns_dir => "patterns"
            pattern => "^=%{WORD:report_type} REPORT=+ %{RABBIT_TIME:time_text} ===.*$"
        }
        date {
            type => "rabbit"
            time_text => "dd-MMM-yyyy::HH:mm:ss"
        }
        mutate {
            type => "rabbit"
            add_field => [ 
                "message", 
                "%{@message}" 
            ]
        }
        mutate {
            gsub => [
                "message", "^=[A-Za-z0-9: =-]+=\n", "",
                # interpret message header text as "severity"
                "report_type", "INFO", "1",
                "report_type", "WARNING", "3",
                "report_type", "ERROR", "4",
                "report_type", "CRASH", "5",
                "report_type", "SUPERVISOR", "5"
            ]
        }
    }
}

任何想法可能是什么问题?

谢谢,

3 个答案:

答案 0 :(得分:0)

您无法使用编解码器作为过滤器插件。编解码器只能在输入或输出插件中使用(参见the doc),使用编解码器配置选项。

您必须将多行编解码器放在输入插件中,该插件会生成您的rabbitmq日志。

答案 1 :(得分:0)

如果您要将日志从rabbitMQ服务器发送到带有filebeat的logstash,您应该在那里配置multiline

答案 2 :(得分:0)

答案确实是multiline。目标是将以日期以外的其他内容开头的行与以日期开头的上一行合并。就是这样:

multiline.pattern: '^\d{4}-\d{2}-\d{2}'
multiline.negate: true
multiline.match: after

注意:我之前曾尝试合并任何以空格字符^\s+开头的行,但由于并非所有警告或错误消息都以空格开头,因此无法正常工作。

完整的文件格式输入(7.5.2格式)

filebeat:
  inputs:
  - exclude_lines:
    - 'Failed to publish events caused by: EOF'
    fields:
      type: rabbitmq
    fields_under_root: true
    paths:
    - /var/log/rabbitmq/*.log
    tail_files: false
    timeout: 60s
    type: log
    multiline.pattern: '^\d{4}-\d{2}-\d{2}'
    multiline.negate: true
    multiline.match: after

Logstash模式

# RabbitMQ
RABBITMQDATE %{MONTHDAY}-%{MONTH}-%{YEAR}::%{HOUR}:%{MINUTE}:%{SECOND}
RABBITMQLINE (?m)=%{DATA:severity} %{DATA}==== %{RABBITMQDATE:timestamp} ===\n%{GREEDYDATA:message}

我确信他们有充分的理由以这种奇怪的方式登录RMQ 3.7.x,但不了解他们,确实使我们的生活变得艰难。

相关问题
最新问题