- elasticsearch/
elasticsearch 日志未从logstash推送到elasticsearch
elasticsearch 日志未从logstash推送到elasticsearch
logstash-config.conf
input {
file {
path => ["D:/project/log/samplex.log"]
sincedb_path => "D:/Project/logstash-7.5.0/data/plugins/inputs/file/null"
start_position => "beginning"
}
}
output {
elasticsearch {
hosts => ["192.168.1.8:9200"]
index => "db"
#user => "elastic"
#password => "changeme"
} }
Thread.exclusive已弃用,请使用Thread::Mutex发送日志存储 日志到D:/Project/logstash-7.5.0/logs,现在通过 log4j2.properties[2019-12-16T23:26:28465][WARN ][logstash.config.source.multilocal]忽略“pipelines.yml”文件 因为指定了模块或命令行选项
[2019-12-16T23:26:28580][INFO][logstash.runner]启动logstash
{“logstash.version”=>“7.5.0”}[2019-12-16T23:26:30143][INFO ][org.reflections.reflections]反射扫描1个URL需要32毫秒, 生成20个键和40个值[2019-12-16T23:26:31024][INFO ][logstash.outputs.elasticsearch][main]elasticsearch池URL 更新的{:更改=>{:删除=>[],:添加=>[}} [2019-12-16T23:26:31201][WARN][logstash.outputs.elasticsearch][main] 已还原到ES实例的连接{:url=>“” [2019-12-16T23:26:31256][INFO][logstash.outputs.elasticsearch][main] 已确定ES输出版本{:ES_版本=>7} [2019-12-16T23:26:31264][WARN][logstash.outputs.elasticsearch][main] 检测到6.x及以上群集:
类型][main]正在启动管道{:pipeline_id=>“main”, “pipeline.workers”=>8,“pipeline.batch.size”=>125, “pipeline.batch.delay”=>50,“pipeline.max_-inflight”=>1000, “pipeline.sources”=>[“D:/Project/logstash-7.5.0/bin/logstash sample.conf”], :thread=>“#”}[2019-12-16T23:26:31506][INFO ][logstash.outputs.elasticsearch][main]正在尝试安装模板 {:manage_template=>{“index_patterns”=>“logstash-”,“version”=>60001, “设置”=>{“索引.刷新间隔”=>“5s”,“碎片数”=>1}, “映射”=>{“动态模板”=>[{“消息”字段”=>{“路径匹配”=>“消息”, “匹配映射类型”=>“字符串”,“映射”=>{“类型”=>“文本”, “norms”=>false}}},{“string_字段”=>{“匹配”=>”, “匹配映射类型”=>“字符串”,“映射”=>{“类型”=>“文本”, “规范”=>false,“字段”=>{“关键字”=>{“类型”=>“关键字”, “忽略上面的”=>256}], “属性”=>{“@timestamp”=>{“类型”=>“日期”}, “@version”=>{“type”=>“keyword”},“geoip”=>{“dynamic”=>true, “属性”=>{“ip”=>{“类型”=>“ip”}, “位置”=>{“类型”=>“地理点”},“纬度”=>{“类型”=>“半浮点数”}, “经度”=>{“类型”=>“半浮”} [2019-12-16T23:26:32041][INFO][logstash.javapipeline][main] 管道已启动{“Pipeline.id”=>“main”} [2019-12-16T23:26:32114][INFO][filewatch.observingtail][main] 开始,创建发现者,使用文件和sincedb集合监视 [2019-12-16T23:26:32118][INFO][logstash.agent]管道 正在运行{:count=>1,:正在运行_管道=>[:main], :非运行管道=>[]}[2019-12-16T23:26:32502][INFO ][logstash.agent]已成功启动logstash API 端点{:端口=>9600} 日志存储未读取提到的日志文件,且其处于空闲状态。 samplex.log [2019-12-16T22:30:59310][INFO][logstash.outputs.elasticsearch][main] Elasticsearch池URL已更新{:更改=>{:删除=>[], :added=>[}}[2019-12-16T22:30:59472][WARN ][logstash.outputs.elasticsearch][main]已恢复与ES的连接 实例{:url=>“” [2019-12-16T22:30:59558][INFO][logstash.outputs.elasticsearch][main] 已确定ES输出版本{:ES_版本=>7} [2019-12-16T22:30:59565][WARN][logstash.outputs.elasticsearch][main] 检测到6.x及以上群集:
类型在Windows中,我认为您保存的文件名是sample.log,但在内部它将被视为文本文件。因此它类似于“sample.log.txt” 所以请尝试一下
input {
file {
#type => "log"
path => "D:/Downloads/logstash-6.7.0/bin/samplex.log.txt"
sincedb_path => "D:/Downloads/logstash-6.7.0/data/plugins/inputs/file/null"
start_position => "beginning"
#ignore_older => 0
}
}
output {
stdout { codec => "rubydebug"}
elasticsearch {
hosts => "http://xx-xx-xx-xx:9200"
index => "db"
}
}
希望这对您有所帮助!!在Windows中,我认为您保存的文件名是sample.log,但在内部它将被视为文本文件。因此它类似于“sample.log.txt” 所以请尝试一下
input {
file {
#type => "log"
path => "D:/Downloads/logstash-6.7.0/bin/samplex.log.txt"
sincedb_path => "D:/Downloads/logstash-6.7.0/data/plugins/inputs/file/null"
start_position => "beginning"
#ignore_older => 0
}
}
output {
stdout { codec => "rubydebug"}
elasticsearch {
hosts => "http://xx-xx-xx-xx:9200"
index => "db"
}
}
希望这对您有所帮助。!!您还可以发布该文件中的一些示例数据吗?添加了示例日志文件data@JBone。您可以尝试将空筛选器部分添加到logstash-config.conf文件中,然后重试。您还可以添加
stdout{codec=>rubydebug}输出