Mismatch when sending logs from Logstash to Elasticsearch

Time: 2020-07-18 18:38:30

Tags: linux elasticsearch logstash elastic-stack filebeat

I am trying to send logs from a server running Filebeat to another server that hosts Logstash and Elasticsearch. Everything is the latest and greatest (7.8.0). The problem is that I am getting an error message from Logstash.

This is the error I get from Logstash:

[2020-07-17T20:17:43,845][WARN ][logstash.outputs.elasticsearch][main][8ce40c8c6d7b7e92195bf01fa9d2c86d4bb1a87e7565d54444d45d82ebbd311f] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x2594ed33>], :response=>{"index"=>{"_index"=>"logstash-2020.07.14-000001", "_type"=>"_doc", "_id"=>"0yZsXnMBpYpmFLee7cmh", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [host] of type [text] in document with id '0yZsXnMBpYpmFLee7cmh'. Preview of field's value: '{hostname=server150, os={kernel=3.10.0-1062.18.1.el7.x86_64, codename=Core, name=CentOS Linux, family=redhat, version=7 (Core), platform=centos}, containerized=false, ip=[*censoring public ip*], name=server150, id=3eec437c66d444a59ef5f075a429441d, mac=[*cencored*], architecture=x86_64}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:111"}}}}}

I followed the suggestions other people gave for this problem, and this is what my Logstash conf file looks like (I tried to fix it with the mutate section):

input {
  file {
    path => "/var/log/commands.log"
  }
  beats {
    port => 5044
  }
}
filter {
  mutate {
    rename => ["host", "server"]
    convert => {"server" => "string"}
  }
  if [path] == "/var/log/commands.log" {
    grok {
      match => { "message" => "\[(%{TIMESTAMP_ISO8601:sys_timestamp})\]\s(?<field1>[0-9a-zA-Z_-]+)\s(?<field2>[0-9a-zA-Z_-]+)\:USER=(?<field3>[0-9a-zA-Z_-]+)\sPWD=(?<field4>[0-9a-zA-Z_/-]+)\sPID=\[(?<field5>[0-9]+)\]\sCMD=\"(?<field6>.*)\"\sExit=\[(?<field7>[0-9]+)\]\sCONNECTION=(?<field8>.*)" }
    }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "filteredindex"
  }
}

But I still get the same error. I think it is just a data mismatch that I cannot get to work. Does anyone know what is missing? Many thanks!

1 answer:

Answer 0 (score: 0)

I was facing the same problem. Adding the following solved it for me:

mutate {
  remove_field => [ "host" ]
}
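The underlying conflict is that the Filebeat events carry `host` as an object (with `name`, `os`, `ip`, ...) while the index mapping already has `host` as `text`, so Elasticsearch rejects the document. As an added example that is not part of either post, the filter below normalizes both event shapes to a scalar `hostname` field before output (the field name `hostname` is an assumption; pick whatever the index expects):

```logstash
filter {
  # Filebeat 7.x sends host as an object; the file input sets host to a
  # plain string. One index cannot hold both, so keep a scalar only.
  if [host][name] {
    # Beats event: preserve the host name, then drop the object.
    mutate {
      copy => { "[host][name]" => "[hostname]" }
    }
    mutate {
      remove_field => [ "host" ]
    }
  } else if [host] {
    # file input event: host is already a string, just rename it.
    mutate {
      rename => { "host" => "hostname" }
    }
  }
}
```

An existing index keeps the `host` mapping it was created with, so if the error persists after the pipeline change, inspect it with `GET filteredindex/_mapping` and, if needed, reindex into a fresh index.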