
Elasticsearch未通过Logstash为新管道创建索引

  • krock1516  · 技术社区  · 6 年前

    我已经设置了一个ELK,但是我看到Elasticsearch没有创建索引,无法上传数据;Elasticsearch和Logstash这两个服务都在运行。

    Elasticsearch 配置:

    [root@aruba-elk2 rm_logs]# cat /etc/elasticsearch/elasticsearch.yml
    # Elasticserach config
    #########################
    cluster.name: log-cohort-test
    node.name: aruba-elk2
    node.master: true
    path:
        data: /elk/lib/elasticsearch
        logs: /var/log/elasticsearch
    network.host: 0.0.0.0
    http.port: 9200
    bootstrap.system_call_filter: False
    [root@aruba-elk2 rm_logs]#
    [root@aruba-elk2 rm_logs]#
    

    Logstash 配置:

        [root@aruba-elk2 rm_logs]# cat /etc/logstash/logstash.yml
        path.data: /var/lib/logstash
        path.logs: /var/log/logstash
    
    [root@aruba-elk2 rm_logs]# cat /etc/logstash/conf.d/logstash-syslog.conf
    input {
      file {
        path => [ "/elk/rm_logs/*.txt" ]
        type => "rmlog"
      }
    }
    
    filter {
      if [type] == "rmlog" {
        grok {
          match => { "message" => "%{HOSTNAME:hostname},%{DATE:date},%{HOUR:hour1}:%{MINUTE:minute1},%{NUMBER}-%{WORD},%{USER:user},%{USER:user2} %{NUMBER:pid} %{NUMBER:float} %{NUMBER:float} %{NUMBER:number1} %{NUMBER:number2} %{DATA} %{HOUR:hour2}:%{MINUTE:minute2} %{HOUR:hour3}:%{MINUTE:minute3} %{GREEDYDATA:command},%{PATH:path}" }
          add_field => [ "received_at", "%{@timestamp}" ]
       }
     }
    }
    
    output {
            if [type] == "rmlog" {
            elasticsearch {
                    hosts => ["aruba-elk2:9200"]
                    manage_template => false
                    index => "rmlog-%{+YYYY.MM.dd}"
                    #document_type => "messages"
      }
     }
    }
    

    输入数据源:

    [root@aruba-elk2 rm_logs]# cd /elk/rm_logs/
    [root@aruba-elk2 rm_logs]# ls -ltrh | head
    total 2.6M
    -rw-r--r-- 1 root root  558 Jan 11 11:27 dbxchw092.txt
    -rw-r--r-- 1 root root  405 Jan 11 11:27 dbxtx220.txt
    -rw-r--r-- 1 root root  241 Jan 11 11:27 dbxcvm139.txt
    -rw-r--r-- 1 root root  455 Jan 11 11:27 dbxcnl038.txt
    -rw-r--r-- 1 root root  230 Jan 11 11:27 dbxchw052.txt
    -rw-r--r-- 1 root root  143 Jan 11 11:27 dbxtx222.txt
    -rw-r--r-- 1 root root  577 Jan 11 11:27 dbxtx224.txt
    -rw-r--r-- 1 root root  274 Jan 11 11:27 dbxcvm082.txt
    -rw-r--r-- 1 root root  281 Jan 11 11:27 dbxcsb003.txt
    

    以上数据文件示例:

    testhost-in2,19/01/11,06:34,04-mins,arnav,arnav 2427 0.1 0.0 58980 580 ? S 06:30 0:00 rm -rf /test/ehf/users/arnav-090119-184844,/dv/ehf/users/arnav-090119-
    testhost-in2,19/01/11,06:40,09-mins,arnav,arnav 2427 0.1 0.0 58980 580 ? S 06:30 0:00 rm -rf /dv/ehf/users/arnav-090119-184844,/dv/ehf/users/arnav-090119-\
    testhost-in2,19/01/11,06:45,14-mins,arnav,arnav 2427 0.1 0.0 58980 580 ? S 06:30 0:01 rm -rf /
    

    日志:

    Logstash 日志:

    [root@aruba-elk2 logstash]# cat logstash-plain.log
    [2019-01-12T23:48:31,653][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.5.4"}
    [2019-01-12T23:48:34,959][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>48, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
    [2019-01-12T23:48:35,374][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://aruba-elk2:9200/]}}
    [2019-01-12T23:48:35,588][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://aruba-elk2:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://aruba-elk2:9200/][Manticore::SocketException] Connection refused"}
    [2019-01-12T23:48:35,608][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//aruba-elk2:9200"]}
    [2019-01-12T23:48:36,063][INFO ][logstash.inputs.file     ] No sincedb_path set, generating one based on the "path" setting {:sincedb_path=>"/var/lib/logstash/plugins/inputs/file/.sincedb_076330d5fd2c2b811bc1960a3d0547be", :path=>["/elk/rm_logs/*.txt"]}
    [2019-01-12T23:48:36,095][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x424bb675 run>"}
    [2019-01-12T23:48:36,155][INFO ][filewatch.observingtail  ] START, creating Discoverer, Watch with file and sincedb collections
    [2019-01-12T23:48:36,156][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
    [2019-01-12T23:48:36,542][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
    [2019-01-12T23:48:40,796][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://aruba-elk2:9200/"}
    [2019-01-12T23:48:40,855][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
    [2019-01-12T23:48:40,859][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
    

    [root@aruba-elk2 elasticsearch]# cat gc.log.0.current| tail
    2019-01-13T00:13:29.280+0530: 1237.781: Total time for which application threads were stopped: 0.0002681 seconds, Stopping threads took: 0.0000316 seconds
    2019-01-13T00:13:31.281+0530: 1239.782: Total time for which application threads were stopped: 0.0003670 seconds, Stopping threads took: 0.0000586 seconds
    2019-01-13T00:13:32.281+0530: 1240.782: Total time for which application threads were stopped: 0.0003134 seconds, Stopping threads took: 0.0000708 seconds
    2019-01-13T00:13:37.282+0530: 1245.783: Total time for which application threads were stopped: 0.0004663 seconds, Stopping threads took: 0.0001315 seconds
    2019-01-13T00:13:51.284+0530: 1259.785: Total time for which application threads were stopped: 0.0004230 seconds, Stopping threads took: 0.0000691 seconds
    2019-01-13T00:13:57.286+0530: 1265.787: Total time for which application threads were stopped: 0.0008421 seconds, Stopping threads took: 0.0002697 seconds
    2019-01-13T00:13:58.287+0530: 1266.787: Total time for which application threads were stopped: 0.0004467 seconds, Stopping threads took: 0.0000706 seconds
    2019-01-13T00:14:11.288+0530: 1279.789: Total time for which application threads were stopped: 0.0004702 seconds, Stopping threads took: 0.0001105 seconds
    2019-01-13T00:14:18.289+0530: 1286.790: Total time for which application threads were stopped: 0.0004123 seconds, Stopping threads took: 0.0000750 seconds
    

    任何帮助都将不胜感激。
