代码之家 › 专栏 › 技术社区 › Karn Kumar

类型错误,最大打开日志服务器日志上的文件

logstash-configuration elastic-stack logstash elasticsearch

Karn Kumar · 技术社区 · 6 年前

我在logstash日志文件中的logstash服务器上收到一些恼人的消息:

第一个看起来像

[2019-01-29T21:27:30,230][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"syslog-2019.01.29", :_type=>"doc", :routing=>nil}, #<LogStash::Event:0x7e88287a>], :response=>{"index"=>{"_index"=>"syslog-2019.01.29", "_type"=>"doc", "_id"=>"zsY5nWgB6AmJPdJO_omb", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"Rejecting mapping update to [syslog-2019.01.29] as the final mapping would have more than 1 type: [messages, doc]"}}}}

第二 'max_open_files'

[2019-01-29T21:24:57,887][WARN ][filewatch.tailmode.processor] Reached open files limit: 4095, set by the 'max_open_files' option or default, files yet to open: 422

这是 max_open_files 与发送数据的弹性服务器相关。

我增加了限制 /usr/lib/systemd/system/elasticsearch.service 文件和 /etc/security/limits.conf 但没有改变。

我的logstash配置文件:

老年人:

[root@myelk04 ~]# cat /etc/logstash/conf.d/syslog.conf
input {
  file {
    path => [ "/data/SYSTEMS/*/messages.log" ]
    start_position => beginning
    sincedb_path => "/dev/null"
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp } %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      remove_field => ["@version", "host", "message", "_type", "_index", "_score", "path"]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
 }
}
}
output {
        if [type] == "syslog" {
        elasticsearch {
                hosts => "myelk01:9200"
                manage_template => false
                index => "syslog-%{+YYYY.MM.dd}"
                document_type => "messages"
  }
 }
}
[root@myelk04 ~]#

当前之一:

我可以把 document_type => "messages" ,因为它会弹出此消息并将默认值现在作为文档。

[root@myelk04 ~]# cat /etc/logstash/conf.d/syslog.conf
input {
  file {
    path => [ "/data/SYSTEMS/*/messages.log" ]
    start_position => beginning
    sincedb_path => "/dev/null"
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp } %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      remove_field => ["@version", "host", "message", "_type", "_index", "_score", "path"]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
 }
}
}
output {
        if [type] == "syslog" {
        elasticsearch {
                hosts => "myelk01:9200"
                manage_template => false
                index => "syslog-%{+YYYY.MM.dd}"
  }
 }
}
[root@myelk04 ~]#

1 回复 | 直到 6 年前

ibexit 6 年前

第一个错误是,logstash试图更新特定索引的映射。此更新将为类型“doc”添加新的映射,但已存在“messages”的映射。这将导致同一索引中出现两个映射,这不再受支持。请检查此索引的映射以及您试图在syslog-*索引中索引的文档类型。也许你已经在某些类型的文档中使用了相同的索引,比如“message”?

第二个错误是,已达到打开文件的数目。为了永久增加,你需要跟随 this 说明(您已经部分应用的内容)。不仅在您的ElasticSearch服务器上,而且在Logstash主机上发布此更改。

要在服务器运行时应用此设置,需要执行此命令并重新启动服务:

sudo ulimit -n 65535