After setting up ELK successfully with the file input and logstash-forwarder, and seeing logs from several servers in the Kibana stream, I am trying to set up a TCP input:

    tcp { codec => "json" host => "localhost" port => 9250 tags => ["sensu"] }

The sender is Sensu, and the messages really are JSON; I checked this with tcpdump.
The Logstash log says the connection is accepted:
    {:timestamp=>"2015-06-15T14:03:39.832000+1000", :message=>"Accepted connection", :client=>"127.0.0.1:38065", :server=>"localhost:9250", :level=>:debug, :file=>"logstash/inputs/tcp.rb", :line=>"146", :method=>"client_thread"}
    {:timestamp=>"2015-06-15T14:03:39.962000+1000", :message=>"config LogStash::Codecs::JSONLines/@charset = \"UTF-8\"", :level=>:debug, :file=>"logstash/config/mixin.rb", :line=>"112", :method=>"config_init"}
    {:timestamp=>"2015-06-15T14:03:39.963000+1000", :message=>"config LogStash::Codecs::Line/@charset = \"UTF-8\"", :level=>:debug, :file=>"logstash/config/mixin.rb", :line=>"112", :method=>"config_init"}
However, the data does not seem to go any further, and it cannot be found in Kibana.
I removed the other inputs and watched the shards in Elasticsearch (curl 'localhost:9200/_cat/shards'); their size did not grow.
According to this link, I am on the right track, but I am probably just doing something silly somewhere... Thanks in advance.
logstash.conf:
    input {
      file {
        path => ["/var/log/messages", "/var/log/secure", "/var/log/iptables"]
        type => "syslog"
        start_position => "end"
      }
      lumberjack {
        port => 5043
        type => "logs"
        ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
        ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
      }
      tcp {
        codec => "json"
        host => "localhost"
        port => 9250
        tags => ["sensu"]
      }
    }
    output {
      elasticsearch {
        host => "localhost"
        cluster => "webCluster"
      }
    }
elasticsearch.yml:
    cluster.name: webCluster
    node.name: "bossNode"
    node.master: true
    node.data: true
    index.number_of_shards: 1
    index.number_of_replicas: 0
    network.host: localhost
After several frustrating days, I have come to the conclusion that the json / json_lines codecs are broken, possibly only when used with the tcp input.
However, I found a workaround using a filter:
    filter {
      if ("sensu" in [tags]) {
        json { source => "message" }
      }
    }
This, plus a few mutates, produced the effect I was originally trying to achieve. For posterity, here is my working logstash.conf, which combines logs from Sensu with CPU/memory metric data:
    input {
      file {
        path => ["/var/log/messages", "/var/log/secure"]
        type => "syslog"
        start_position => "end"
      }
      file {
        path => "/var/log/iptables"
        type => "iptables"
        start_position => "end"
      }
      file {
        path => ["/var/log/httpd/access_log", "/var/log/httpd/ssl_access_log"]
        type => "apache_access"
        start_position => "end"
      }
      file {
        path => ["/var/log/httpd/error_log", "/var/log/httpd/ssl_error_log"]
        type => "apache_error"
        start_position => "end"
      }
      lumberjack {
        port => 5043
        type => "logs"
        ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
        ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
      }
      # no codec here: lines arrive as plain text and are parsed by the json filter below
      tcp {
        host => "localhost"
        port => 9250
        mode => "server"
        tags => ["sensu"]
      }
    }
    filter {
      if ("sensu" in [tags]) {
        json { source => "message" }
        mutate {
          rename => { "[check][name]" => "type" }
          replace => { "host" => "%{[client][address]}" }
          split => { "[check][output]" => " " }
          add_field => { "output" => "%{[check][output][1]}" }
          remove_field => [ "[client]", "[check]", "occurrences" ]
        }
      } else if ([type] == "apache_access") {
        grok { match => { "message" => "%{IP:client}" } }
      }
    }
    filter {
      mutate { convert => { "output" => "float" } }
    }
    output {
      elasticsearch {
        host => "localhost"
        cluster => "webCluster"
      }
    }
Unrelated issue: "output" was received as multiple values separated by spaces, hence the "split" operation. The second element is used and then converted to float so that Kibana graphs it nicely (I learned that the hard way).
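As an added example (not code from the question or the answer), the Python script below frames events as newline-terminated JSON, which is the framing a line-oriented tcp input needs before it emits an event, and then replays the answer's filter chain over a constructed Sensu-style event. It also handles the two inputs the config does not guard against: a line that is not JSON, and a check output with fewer than two space-separated tokens. The field names come from the config above; the field values, the host name and the metric are made up.

```python
import json

# Constructed sample event: only the field names come from the Logstash config,
# the values are invented for the demonstration.
SAMPLE_EVENT = {
    "client": {"name": "web01", "address": "10.0.0.5"},
    "check": {"name": "cpu-metrics", "output": "web01.cpu.user 12.5 1434340000", "status": 0},
    "occurrences": 1,
}
SAMPLE_MESSAGE = json.dumps(SAMPLE_EVENT, separators=(",", ":"))


def frame_json_lines(events):
    """Serialize events as newline-terminated JSON (json_lines framing).

    A line-oriented tcp input emits one event per newline, so a sender that
    never writes the trailing newline leaves its last event sitting in the
    input buffer and nothing reaches Elasticsearch."""
    return b"".join(json.dumps(e, separators=(",", ":")).encode() + b"\n" for e in events)


def apply_sensu_filter(message):
    """Replay the answer's filter block on one received line.

    Returns the event as the pipeline would hand it to the output stage."""
    event = {"message": message, "tags": ["sensu"], "host": "localhost"}
    try:
        event.update(json.loads(message))          # json { source => "message" }
    except ValueError:
        event["tags"].append("_jsonparsefailure")  # tag the json filter adds on bad input
        return event
    event["type"] = event["check"].pop("name")     # rename [check][name] => type
    event["host"] = event["client"]["address"]     # replace host => %{[client][address]}
    parts = event["check"]["output"].split(" ")    # split [check][output] on " "
    # add_field output => %{[check][output][1]}: guard the config lacks, so a
    # one-token output does not leave the literal "%{...}" string in the event.
    if len(parts) > 1:
        try:
            event["output"] = float(parts[1])      # mutate convert output => float
        except ValueError:
            event["output"] = parts[1]             # non-numeric token stays a string
    for field in ("client", "check", "occurrences"):   # remove_field
        event.pop(field, None)
    return event


if __name__ == "__main__":
    for line in frame_json_lines([SAMPLE_EVENT]).decode().splitlines():
        print(apply_sensu_filter(line))
```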