我正在使用logstash将syslog数据发送到elasticsearch。 除了logstash代理正在发送带有时间戳+5小时的数据之外,一切正常。
这是我的configuration:
input { file { type => "syslog" # modify to path to suit your local syslog configuration. # The below will recursively grab all files in /var/log/rsyslog that end in .log path => ["/var/log/syslog", '/var/log/auth.log', '/var/log/faillog', '/var/log/mail.log', '/var/log/postgresql/postgresql-9.1-main.log'] # comment out below after logstash has slurped in all of your existing logs otherwise # you risk it double indexing if you lose your sincedb file. #start_position => "beginning" } file { type => "jbosslog" path => [ "/data/jboss-4.2.3.GA/server/bla/log/server.log" ] } } output { redis { # change below to the hostname or ip address of your redis server. can add more than one redis host. host => [ "192.168.117.39" ] data_type => 'list' key => 'logstash' batch => true } stdout { } } 日志的标准输出如下所示:
2013-03-06T17:03:56.934Z file://bla/var/log/postgresql/postgresql-9.1-main.log: 2013-03-06 12:03:56 EST LOG: archive command failed with exit code 12
您在示例中给出的时间戳看起来是正确的。 大概18分钟后,你发布这个问题。
看起来你的服务器(我认为你有一个很好的理由,但你可能不是)configuration了一个美国/东部时区或类似的东西。 但logstash以UTC时间logging所有内容,以防止存储和处理本地时间时发生的各种问题。