Monitoring
使用 Logstash 作為托運人?
我們正在從伺服器發送日誌,並在每台伺服器上使用 THE logstash 進行發送。
所以我們從 glob 讀取日誌
"/root/Desktop/Logstash-Input/**/*_log"
。input { file{ path => "/root/Desktop/Logstash-Input/**/*_log" start_position => "beginning" } }
從這個 glob 中,我們提取要添加到事件中的欄位。
path
例如:從目錄中path
提取server
,logtype
等。我們這樣做:filter { grok { match => ["path", "/root/Desktop/Logstash-Input/(?<server>[^/]+)/(?<logtype>[^/]+)/(?<logdate>[\d]+.[\d]+.[\d]+)/(?<logfilename>.*)_log"] } }
lumberjack
然後我們使用輸出外掛將這些日誌輸出到中央logstash伺服器。output { lumberjack { hosts => ["xx.xx.xx.xx"] port => 4545 ssl_certificate => "./logstash.pub" } stdout { codec => rubydebug } }
問題是發送到中央伺服器的日誌會失去使用
grok
. 例如server
,logtype
中央伺服器上不存在 , 等。但是,客戶端電腦控制台顯示添加的欄位,但僅在中央 logstash 伺服器上存在 ,message
。timestamp``version
客戶端(從哪裡運送日誌)控制台:
output received {:event=>{"message"=>"2014-05-26T00:00:01+05:30 host crond[268]: (root) CMD (2014/05/31/server2/cron/log)", "@version"=>"1", "@timestamp"=>"2014-07-16T06:07:21.927Z", "host"=>"host", "path"=>"/root/Desktop/Logstash-Input/Server2/CronLog/2014.05.31/cron_log", "server"=>"Server2", "logtype"=>"CronLog", "logdate"=>"2014.05.31", "logfilename"=>"cron"}, :level=>:debug, :file=>"(eval)", :line=>"37"} { "message" => "2014-05-26T00:00:01+05:30 bx920as1 crond[268]: (root) CMD (2014/05/31/server2/cron/log)", "@version" => "1", "@timestamp" => "2014-07-16T06:07:21.927Z", "host" => "host", "path" => "/root/Desktop/Logstash-Input/Server2/CronLog/2014.05.31/cron_log", "server" => "Server2", "logtype" => "CronLog", "logdate" => "2014.05.31", "logfilename" => "cron" }
中央伺服器(發送日誌的地方)控制台:
{ "message" => "2014-07-16T05:33:17.073+0000 host 2014-05-26T00:00:01+05:30 bx920as1 crond[288]: (root) CMD (2014/05/31/server2/cron/log)", "@version" => "1", "@timestamp" => "2014-07-16T05:34:02.370Z" }
因此,在運輸時會丟棄 grokked 欄位。為什麼會這樣??
我怎樣才能保留這些領域?
解決了:
我通過添加
codec => "json"
到我的伐木工人輸出和輸入來解決它。輸出:
output { lumberjack { hosts => ["xx.xx.xx.xx"] port => 4545 ssl_certificate => "./logstash.pub" codec => "json" }
輸入:
input { lumberjack { port => 4545 ssl_certificate => "/etc/ssl/logstash.pub" ssl_key => "/etc/ssl/logstash.key" codec => "json" } }