
FileBeat harvesting issues

We are using ELK for controlling our program logs. In our FileBeat config we are harvesting from 30 different paths which contain files that update every second (they update every second only on the prod machines; on the other Dev machines we have significantly fewer logs). Our log files do not get deleted until they get old and we stop using them (also, we don't modify their names). Lately we found out that the logs from the last paths in the configuration file (.yml) from the prod machines never appear in Kibana.

After investigation, we realized that FileBeat gets stuck on the files in the first paths and never seems to reach the last ones. When I moved the last two paths to the beginning, FileBeat started to register all the logs there and later on harvest them.

I looked in the documentation on the FileBeat configuration and saw the close_* options (close_option_config), which seem like a good idea. But I haven't managed to get it right yet, and I'm not sure what the recommended time for the scan_frequency option is (for now it is the default of 10s) or what would serve me best.

I tried to change the close_timeout to 15s and the scan_frequency to 2m:

      close_timeout: 15s
      scan_frequency: 2m

I would like to hear some opinions: what can I do to solve this problem? I put the config here to have some reference and to see if I missed something else.

my filebeat.yml (before changes):

filebeat:
  # List of prospectors to fetch data.
  prospectors:
    # Each - is a prospector. Below are the prospector specific configurations
    -
      paths:
        - D:\logs\*\path1\a_*_Pri_app.log.txt
      input_type: log
      document_type: type1
      multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
      multiline.negate: true
      multiline.match: after
    -
      paths:
        - D:\logs\*\path2\b_*_Paths_app.log.txt
      input_type: log
      document_type: type2
      multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
      multiline.negate: true
      multiline.match: after
    -
      paths:
        - D:\logs\*\path3\c_*_R_app.log.txt
      input_type: log
      document_type: path3
      multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
      multiline.negate: true
      multiline.match: after
    -
      paths:
        - D:\logs\*\path4\d_*_d_app.log.txt
        - C:\logs\*\path4\d_*_d_app.log.txt
      input_type: log
      document_type: path4
      multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
      multiline.negate: true
      multiline.match: after

.....same as the above

    -
      paths:
        - D:\logs\*\path27\S.Coordinator_Z.*.log*
        - C:\logs\*\path27\S.Coordinator_Z*.log*
      input_type: log
      document_type: path27
      multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
      multiline.negate: true
      multiline.match: after
    -
      paths:
        - D:\logs\*\path28\d_*_Tr_app.log.txt
        - C:\logs\*\path28\d_*_Tr_app.log.txt
      input_type: log
      document_type: path28
      multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
      multiline.negate: true
      multiline.match: after
    -
      paths:
        - D:\logs\*\R1_Output\R*\pid_*_rr_*
      input_type: log
      document_type: path29
      multiline.pattern: '<\?xml version="1\.0" encoding="UTF-8"\?>'
      multiline.negate: true
      multiline.match: after  
    -
      paths:
        - D:\logs\*\R2_Output\R*\pid_*_rr_*
      input_type: log
      document_type: path30
      multiline.pattern: '<\?xml version="1\.0" encoding="UTF-8"\?>'
      multiline.negate: true
      multiline.match: after

  registry_file: "C:/ProgramData/filebeat/registry"

After a long investigation, in which I tried to find a similar problem to mine with a solution, and after trying my luck in the discuss Elastic forum, I managed to solve this issue.

Since I didn't see this option on the web, I am putting it here.

The Filebeat harvesting system apparently has its limits when it comes to dealing with a large number of open files at the same time (a known problem; the Elastic team also provides a bunch of config options to help deal with this issue and customize ELK to your needs, e.g. config_options). I managed to solve my problem by opening 2 more Filebeat services, whose prospectors I configured in the following way (an example of A; the same goes for B):

      paths:
        - D:\logs\*\pid_*_rr_*
      input_type: log
      document_type: A
      multiline.pattern: '<\?xml version="1\.0" encoding="UTF-8"\?>'
      multiline.negate: true
      multiline.match: after
      # close the file handle as soon as the end of the file is reached
      close_eof: true

In this way, because the services work interdependently, Filebeat keeps trying to operate them (and does not get "stuck" on the first prospectors).

In this way I managed to double my harvesting abilities.

Posting up the discussion on the Elastic website: the discussion
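An added example, not part of the original post or of Filebeat: one way to confirm which prospector paths are being starved is to compare the registry against the files on disk and report files that were never registered or whose read offset trails the file size. It assumes the registry is a single JSON array of states with `source` and `offset` keys (the single-file layout used by Filebeat versions with `prospectors`); the function names and the sample files are constructed for illustration.

```python
import glob
import json
import os
import tempfile


def _norm(path):
    # Normalise so registry paths and glob results compare equal on Windows.
    return os.path.normcase(os.path.abspath(path))


def load_registry(registry_file):
    # Assumed format: one JSON array of states with "source" and "offset" keys.
    with open(registry_file, encoding="utf-8") as fh:
        return json.load(fh)


def harvest_gaps(states, path_globs):
    """Map each on-disk file that is not fully read to (status, unread_bytes)."""
    offsets = {_norm(s["source"]): s["offset"] for s in states}
    gaps = {}
    for pattern in path_globs:
        for path in glob.glob(pattern):
            size = os.path.getsize(path)
            offset = offsets.get(_norm(path))
            if offset is None:
                gaps[path] = ("unregistered", size)  # never picked up
            elif offset < size:
                gaps[path] = ("lagging", size - offset)
    return gaps


def demo():
    # Constructed sample: three log files and a registry that knows only two.
    with tempfile.TemporaryDirectory() as root:
        files = {}
        for sub, name, size in [("path1", "a_1_Pri_app.log.txt", 100),
                                ("path2", "b_1_Paths_app.log.txt", 300),
                                ("path28", "d_1_Tr_app.log.txt", 80)]:
            os.makedirs(os.path.join(root, "host1", sub))
            files[sub] = os.path.join(root, "host1", sub, name)
            with open(files[sub], "wb") as fh:
                fh.write(b"x" * size)
        registry = os.path.join(root, "registry")
        with open(registry, "w", encoding="utf-8") as fh:
            json.dump([{"source": files["path1"], "offset": 100},
                       {"source": files["path2"], "offset": 120}], fh)
        globs = [os.path.join(root, "*", sub, "*_app.log.txt")
                 for sub in ("path1", "path2", "path28")]
        gaps = harvest_gaps(load_registry(registry), globs)
        return {os.path.basename(p): v for p, v in gaps.items()}
```

Run against the real registry and the configured path globs on a schedule, a growing "unregistered" count for the later prospectors is the signal that those logs are not reaching Kibana.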
