ELK - Logstash + Redis - 数据复制
[英]ELK - Logstash + Redis - Data duplicating
问题描述
I need a help 
我需要帮助
I have those both Logstash config files: 我有这两个Logstash配置文件:
agent.conf agent.conf
input {
log4j {
type => "bdj"
port => 25827
}
}
filter{
json{
source => "message"
}
}
output {
stdout {
codec => rubydebug
}
redis {
host => "127.0.0.1"
data_type => "list"
key => "logstash"
}
}
The agent.conf receive the data logs by tcp e foward them to redis. agent.conf通过tcp eoward接收数据日志到redis。
central.conf central.conf
input {
redis {
host => "localhost"
type => "redis-input"
data_type => "list"
key => "logstash"
}
}
filter{
json{
source => "message"
}
}
output {
stdout { }
elasticsearch {
hosts => "localhost"
index => "logstash-%{+YYYY.MM.dd}"
}
}
The central.conf gets the redis and foward them to the elastichsarch. central.conf得到了redis并将它们转向弹性系统。
My problem is that the data are been duplicated, as a loop or something like that. 我的问题是数据被复制,作为循环或类似的东西。
I'm running logstash as a sevice on Debian; 我正在运行logstash作为Debian的服务;
root@logs:~# uname -a
Linux logs 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux
Take a look at the image, the same data log, at the same time, and I just sent one log request. 同时查看图像,相同的数据日志,我只发送了一个日志请求。
Any help? 有帮助吗?
2 个解决方案
解决方案1
0 2016-12-23 21:51:17
When I find logstash doing weird things, it sometimes comes down to having two copies running or an old config file in the directory that is also being read by logstash. 当我发现logstash做了奇怪的事情时,它有时会导致运行两个副本或者在logstash中读取的目录中的旧配置文件。 This isn't every problem, but it's good to check. 这不是每个问题,但检查是好的。
解决方案2
0 2017-08-28 17:21:26
I ran into the same issue for a few days until I get what was going on : an instance of Logstash has only one pipeline processing events ! 我遇到了同样的问题几天,直到我得到了正在发生的事情:一个Logstash实例只有一个管道处理事件 ! Logstash gives the ability to split the configuration into different files for readability but at the end they are all merged together into a single one configuration. Logstash提供了将配置拆分为不同文件以便于阅读的功能,但最后它们全部合并为一个配置。
In this case, after loading central.conf and agent.conf your Logstash instance pipeline has two inputs (log4j and redis), one filter (which should be defined only once to avoid duplication) and two outputs (redis and elasticsearch). 在这种情况下,在加载central.conf和agent.conf之后,Logstash实例管道有两个输入(log4j和redis),一个过滤器(应该只定义一次以避免重复)和两个输出(redis和elasticsearch)。 Events came from the two inputs, are processed through your filter and then pushed to the two outputs. 事件来自两个输入,通过过滤器处理,然后推送到两个输出。
After an event coming from your log4j input has been pushed to the redis output, it is processed again from the redis input to the redis output. 来自log4j输入的事件被推送到redis输出后,再次从redis输入处理到redis输出。 Here is your infinite loop. 这是你的无限循环。
The solution is to "tag" your events to selectively apply filters and outputs later on in the event's lifetime. 解决方案是“标记”您的事件,以便在事件的生命周期中选择性地应用过滤器和输出。 All inputs plugins have a common option type which can be used for this. 所有输入插件都有一个通用选项类型 ,可用于此目的。 But as it is said in the documentation the type of an event is immutable, so you should not be able to change it once it is set. 但正如在文档中所说的那样,事件的类型是不可变的,所以一旦设置它就不能改变它。 I would rather use the @metadata field in this context, see below. 我宁愿在这种情况下使用@metadata字段,见下文。
agent.conf agent.conf
input {
log4j {
type => "bdj"
port => 25827
add_field => {
"[@metadata][event_origin]" => "log4j"
}
}
}
filter {
if [@metadata][event_origin] == "log4j" {
json {
source => "message"
}
}
}
output {
if [@metadata][event_origin] == "log4j" {
redis {
host => "127.0.0.1"
data_type => "list"
key => "logstash"
}
}
}
central.conf central.conf
input {
redis {
host => "localhost"
data_type => "list"
key => "logstash"
add_field => {
"[@metadata][event_origin]" => "redis"
}
}
}
output {
if [@metadata][event_origin] == "redis" {
elasticsearch {
hosts => "localhost"
index => "logstash-%{+YYYY.MM.dd}"
}
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.