elasticsearch - 日志没有从 logstash 推送到 elasticsearch
问题描述
logstash-config.conf
input {
file {
path => ["D:/project/log/samplex.log"]
sincedb_path => "D:/Project/logstash-7.5.0/data/plugins/inputs/file/null"
start_position => "beginning"
}
}
output {
elasticsearch {
hosts => ["192.168.1.8:9200"]
index => "db"
#user => "elastic"
#password => "changeme"
} }
控制台日志
D:\Project\logstash-7.5.0\bin>logstash -f logstash-sample.conf
Thread.exclusive 已弃用,使用 Thread::Mutex 将 Logstash 日志发送到 D:/Project/logstash-7.5.0/logs 这是现在通过 log4j2.properties [2019-12-16T23:26:28,465][WARN][logstash.config.source.multilocal] 配置忽略“pipelines.yml”文件,因为指定了模块或命令行选项
[2019-12- 16T23:26:28,580][INFO][logstash.runner] 开始 Logstash
{"logstash.version"=>"7.5.0"} [2019-12-16T23:26:30,143][INFO][org.reflections.Reflections ] 反射花了 32 毫秒扫描 1 个 url,产生 20 个键和 40 个值 [2019-12-16T23:26:31,024][INFO][logstash.outputs.elasticsearch][main] Elasticsearch 池 URL 更新 {:changes=>{ :removed=>[], :add=>[ http://192.168.1.8:9200/]}} [2019-12-16T23:26:31,201][WARN][logstash.outputs.elasticsearch][main] 恢复到 ES 实例的连接 {:url=>" http://192.168.1.8:9200/ "} [ 2019-12-16T23:26:31,256][INFO][logstash.outputs.elasticsearch][main] ES 输出版本确定 {:es_version=>7} [2019-12-16T23:26:31,264][WARN][logstash .outputs.elasticsearch][main] 检测到 6.x 及以上集群:type事件字段不会用于确定文档 _type {:es_version=>7} [2019-12-16T23:26:31,333][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class= >"LogStash::Outputs::ElasticSearch", :hosts=>["//192.168.1.8:9200"]} [2019-12-16T23:26:31,404][INFO ][logstash.outputs.elasticsearch][main ] 使用默认映射模板 [2019-12-16T23:26:31,439][WARN][org.logstash.instrument.metrics.gauge.LazyDelegatingGauge][main] 未知类型的量规度量 (org.jruby.specialized.RubyArrayOneObject ) 已为密钥创建:cluster_uuids。这可能会导致无效的序列化。建议将问题记录到负责的开发人员/开发团队。[2019-12-16T23:26:31,449][信息][logstash.javapipeline
][main] 启动管道 {:pipeline_id=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight "=>1000, "pipeline.sources"=>["D:/Project/logstash-7.5.0/bin/logstash-sample.conf"], :thread=>"#"} [2019-12-16T23: 26:31,506][INFO][logstash.outputs.elasticsearch][main] 尝试安装模板 {:manage_template=>{"index_patterns"=>"logstash- ", "version"=>60001, "settings"=>{ "index.refresh_interval"=>"5s", "number_of_shards"=>1}, "mappings"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message","match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=> "keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type" =>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type "=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}} [2019-12- 16T23:26:32,041][INFO][logstash.javapipeline][main] 管道启动 {"pipeline.id"=>"main"} [2019-12-16T23:26:32,114][INFO][filewatch.observingtail][main] START , 创建 Discoverer, Watch with file 和 sincedb 集合 [2019-12-16T23:26:32,118][INFO][logstash.agent] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines= >[]} [2019-12-16T23:26:32,502][INFO][logstash.agent] 成功启动 Logstash API 端点 {:port=>9600}count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]} [2019-12-16T23:26:32,502][INFO ][logstash.agent ] 成功启动 Logstash API 端点 {:port=> 9600}count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]} [2019-12-16T23:26:32,502][INFO ][logstash.agent ] 成功启动 Logstash API 端点 {:port=> 9600}
logstash 不读取提到的日志文件及其处于空闲状态。
样本x.log
[2019-12-16T22:30:59,310][INFO][logstash.outputs.elasticsearch][main] Elasticsearch 池 URL 更新 {:changes=>{:removed=>[], :add=>[ http:// 192.168.1.8:9200/] }} [2019-12-16T22:30:59,472][WARN][logstash.outputs.elasticsearch][main] 恢复到 ES 实例的连接 {:url=>" http://192.168. 1.8:9200/ "} [2019-12-16T22:30:59,558][INFO][logstash.outputs.elasticsearch][main] ES 输出版本确定 {:es_version=>7} [2019-12-16T22:30: 59,565][WARN][logstash.outputs.elasticsearch][main] 检测到 6.x 及更高版本的集群:
type事件字段不会用于确定文档 _type {:es_version=>7} [2019-12-16T22:30:59,653][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class= >"LogStash::Outputs::ElasticSearch", :hosts=>["//192.168.1.8:9200"]} [2019-12-16T22:30:59,724][INFO ][logstash.outputs.elasticsearch][main ] 使用默认映射模板 dsdasd
解决方案
在 Windows 中,我认为您保存的文件名是 sample.log 但在内部它将被视为文本文件。所以它会像“sample.log.txt”
所以请尝试
input {
file {
#type => "log"
path => "D:/Downloads/logstash-6.7.0/bin/samplex.log.txt"
sincedb_path => "D:/Downloads/logstash-6.7.0/data/plugins/inputs/file/null"
start_position => "beginning"
#ignore_older => 0
}
}
output {
stdout { codec => "rubydebug"}
elasticsearch {
hosts => "http://xx-xx-xx-xx:9200"
index => "db"
}
}
如果问题仍然存在,请尝试删除 sincedb_path 中的空文件,然后重试。
请让我知道,如果问题得到解决。希望这对你有帮助.. !!
推荐阅读
- jquery - jQuery 可排序 - 创建时
- java - 在 Java 中查找 4 个 CheckBox 的有序选择
- django - 如何将 Python 变量传递给 Django 中另一个应用程序中的模板
- node.js - 未找到 Google Calendar API 错误
- php - 尝试访问 Apache 上的文件时权限被拒绝
- powerbi - 在 Power Query M 函数中声明变量
- bash - 在 Bash 中使用 Flock,因此请求只发出一次
- hibernate - springboot throw 列“id”的列说明符不正确,但程序运行良好
- corda - 如何部署具有所选方私有的业务逻辑的cordapp?
- python - 为什么当下一层是 relu 时,tf.layers.batch_normalization 的参数 'scale' 被禁用?