堆栈内存溢出
  简体   繁体   English

logstash 从两个索引上的 filebeat 写入日志

[英]logstash write log from filebeat on two indexes

 原文  2023-01-31 17:18:51       json/ logstash/ filebeat/ elk

问题描述

I installed the elk stack on a server, and on another server I installed filebeat to send syslog on filebeats-[data] indexes and it works fine.我在服务器上安装了 elk 堆栈,在另一台服务器上安装了 filebeat 以在 filebeats-[data] 索引上发送 syslog,它工作正常。 Now, on the elk server I configured another input in logstash to send a json file on json_data indexes and it work fine but now I find the filebeat log on both indexes and I don't understand why.现在,在 elk 服务器上,我在 logstash 中配置了另一个输入,以在 json_data 索引上发送一个 json 文件,它工作正常,但现在我在两个索引上都找到了 filebeat 日志,但我不明白为什么。 I want the filebeat log only on filebeat-[data] index and not on json_data index.我只希望 filebeat 日志记录在 filebeat-[data] 索引上,而不是在 json_data 索引上。 Where do I wrong?我哪里错了?

This is my logstash conf file这是我的 logstash conf 文件

input {
  file {
    path => "/home/centos/json/test.json"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}
filter {
  json {
    source => "message"
  }
}
output {
  elasticsearch {
    hosts => "http://10.xxx.xxx.xxx:9200"
    index => "json_data"
  }
}

input {
  beats {
    port => 5044
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch {
    hosts => "http://10.xxx.xxx.xxx:9200"
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}

I tried different configuration, I tried also to delete the json.conf and in this case filebeat write only on the filebeat-[data] index我尝试了不同的配置,我也尝试删除 json.conf,在这种情况下,filebeat 只写在 filebeat-[data] 索引上

1 个解决方案

解决方案1
 0  2023-02-03 15:08:35

For the logs coming from filebeat to logstash, you can set the index name in filebeat configuration.对于从 filebeat 到 logstash 的日志,你可以在 filebeat 配置中设置索引名称。 In this case, logstash will not populate or manipulate the index name, ofcourse you need to remove the index part from logstash's filebeat config as well.在这种情况下,logstash 不会填充或操作索引名称,当然您还需要从 logstash 的 filebeat 配置中删除索引部分。

For json_file, keep the config as is, no need to change anything there.对于 json_file,保持配置不变,无需更改任何内容。

To set custom index name in filebeat, you can refer: https://www.elastic.co/guide/en/beats/filebeat/current/change-index-name.html在filebeat中设置自定义索引名称,可以参考: https://www.elastic.co/guide/en/beats/filebeat/current/change-index-name.html

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Json文件从Filebeat到Logstash,然后到elasticsearch - Json file from filebeat to Logstash and then to elasticsearch 从日志 Logstash 中提取 JSON - Extract JSON from a log Logstash filebeat/logstash 将 json 转换为 csv 格式 - filebeat/logstash convert json to csv format Filebeat 和 LogStash — 多种不同格式的数据 - Filebeat and LogStash — data in multiple different formats 将log4js中的JSON发送到logstash和字段 - Send JSON from log4js to logstash and fields Logstash:将日志文件中的复杂多行JSON解析为ElasticSearch - Logstash: Parse Complicated Multiline JSON from log file into ElasticSearch 如何使用filebeat读取json文件并通过logstash将其发送到elasticsearch - How to read json file using filebeat and send it to elasticsearch via logstash 以 JSON 格式登录到 cloudfoundry logstash - Log in JSON format to cloudfoundry logstash 使用 logstash 解析多行 json 日志 - Parse multiline json log with logstash Filebeat - 仅在第一次输入日志文件时缺少打开“{”? - Filebeat - Missing opening “{” on first entry of log file only?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM