elasticsearch ELK Stack-远程服务器'；日志解析和分类正确，但转储到stout而不是elasticsearch

正如（冗长的）主题所示，我的远程服务器将日志发送到logstash服务器

在此日志存储配置：

输入：

[root@tool01 conf.d]# cat 01-lumberjack-input.conf
input {
  lumberjack {
    port => 5000
    type => "logs"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

类型：

输出：

[root@tool01 conf.d]# cat 30-lumberjack-output.conf
output {
  elasticsearch { host => localhost }
  stdout { codec => rubydebug }
}

本地日志正常工作，但所有远程日志都被发送到标准输出：

[root@tool01 logstash]# tail -n 19 logstash.stdout
{
             "message" => "Nov 29 20:16:44 foreman dhcpd: DHCPACK on 192.168.50.100 to 3c:4a:92:12:1c:cb via eth0",
            "@version" => "1",
          "@timestamp" => "2014-11-29T20:16:44.000Z",
                "type" => "syslog",
                "file" => "/var/log/messages",
                "host" => "foreman.ics.dmz",
              "offset" => "3511785",
    "syslog_timestamp" => "Nov 29 20:16:44",
     "syslog_hostname" => "foreman",
      "syslog_program" => "dhcpd",
      "syslog_message" => "DHCPACK on 192.168.50.100 to 3c:4a:92:12:1c:cb via eth0",
         "received_at" => "2014-11-29 07:16:46 UTC",
       "received_from" => "foreman.ics.dmz",
"syslog_severity_code" => 5,
"syslog_facility_code" => 1,
     "syslog_facility" => "user-level",
     "syslog_severity" => "notice"
}

这可能是一个愚蠢的问题，但我只在客户端服务器上安装了shipper，是否也需要在那里运行logstash

---

提前谢谢

事情比我最初预料的更令人困惑

例如，此日志：

Dec  2 10:39:12 foreman dhcpd: DHCPACK on 192.168.50.52 to 6c:ad:f8:26:b1:68 (Chromecast) via eth0

图表下的列表视图正确列出了时间，但条形图的条目是23:39:12

13个小时的延迟听起来不可思议，但13小时到第二秒听起来更像是时区问题？ 然而，所有的运行日期都与

日期
验证的日期相同。更多信息：

[root@tool01 tmp]# curl -s XGET http://192.168.50.241:9200/logstash-2014.12.03/_search?pretty=true | tail -n 15; TZ=UTC date
{
  "_index": "logstash-2014.12.03",
  "_type": "syslog",
  "_id": "bOVXPpf9SFOKKPgx7PWfCA",
  "_score": 1.0,
  "_source": {
    "message": "Dec  3 00:06:30 foreman dhcpd: DHCPREQUEST for 192.168.50.251 from 00:15:5d:32:14:09 via eth0",
    "@version": "1",
    "@timestamp": "2014-12-03T00:06:30.000Z",
    "type": "syslog",
    "file": "/var/log/messages",
    "host": "foreman.ics.dmz",
    "offset": "3756888",
    "syslog_timestamp": "Dec  3 00:06:30",
    "syslog_hostname": "foreman",
    "syslog_program": "dhcpd",
    "syslog_message": "DHCPREQUEST for 192.168.50.251 from 00:15:5d:32:14:09 via eth0",
    "received_at": "2014-12-02 11:06:31 UTC",
    "received_from": "foreman.ics.dmz",
    "syslog_severity_code": 5,
    "syslog_facility_code": 1,
    "syslog_facility": "user-level",
    "syslog_severity": "notice"
  }
},
{
  "_index": "logstash-2014.12.03",
  "_type": "syslog",
  "_id": "5axCp7UgRxmunclFqlgKNw",
  "_score": 1.0,
  "_source": {
    "message": "Dec  3 00:06:30 foreman dhcpd: DHCPACK on 192.168.50.251 to 00:15:5d:32:14:09 via eth0",
    "@version": "1",
    "@timestamp": "2014-12-03T00:06:30.000Z",
    "type": "syslog",
    "file": "/var/log/messages",
    "host": "foreman.ics.dmz",
    "offset": "3756982",
    "syslog_timestamp": "Dec  3 00:06:30",
    "syslog_hostname": "foreman",
    "syslog_program": "dhcpd",
    "syslog_message": "DHCPACK on 192.168.50.251 to 00:15:5d:32:14:09 via eth0",
    "received_at": "2014-12-02 11:06:31 UTC",
    "received_from": "foreman.ics.dmz",
    "syslog_severity_code": 5,
    "syslog_facility_code": 1,
    "syslog_facility": "user-level",
    "syslog_severity": "notice"
  }
},
{
  "_index": "logstash-2014.12.03",
  "_type": "syslog",
  "_id": "m_MuAZPcS8ixmCn5getvyg",
  "_score": 1.0,
  "_source": {
    "message": "Dec  3 00:06:30 spacewalk dhclient[906]: DHCPREQUEST on eth0 to 192.168.50.240 port 67 (xid=0x421c37e1)",
    "@version": "1",
    "@timestamp": "2014-12-03T00:06:30.000Z",
    "type": "syslog",
    "file": "/var/log/messages",
    "host": "spacewalk.ics.dmz",
    "offset": "269907",
    "syslog_timestamp": "Dec  3 00:06:30",
    "syslog_hostname": "spacewalk",
    "syslog_program": "dhclient",
    "syslog_pid": "906",
    "syslog_message": "DHCPREQUEST on eth0 to 192.168.50.240 port 67 (xid=0x421c37e1)",
    "received_at": "2014-12-02 11:06:33 UTC",
    "received_from": "spacewalk.ics.dmz",
    "syslog_severity_code": 5,
    "syslog_facility_code": 1,
    "syslog_facility": "user-level",
    "syslog_severity": "notice"
  }
}
Tue Dec  2 19:19:14 UTC 2014

因此，在写入EL之前，数据似乎已缓冲。
您的输出{}节将尝试发送到本地机器上的elasticsearch，并打印到stdout。那部分看起来不错。elasticsearch是否在本地计算机上运行？你能在本地通过telnet连接到端口（我想是9300）吗？是的，elasticsearch正在收听9200和93009300&：：：9200应该从logstash的本地实例进行插入，因此我认为它位于ipv6地址上这一事实应该无关紧要，因为本地日志被很好地馈送了，对吗？嗯。。好了，现在有点混乱。我没有改变任何事情，在发布我的问题后，我上床睡觉了。今天早上我有其他机器的数据。。。为什么会有这样一个巨大的延迟，他们出现在坚固的日志时，他们在基巴纳可用？耽搁了一个多小时？可能是由于以下原因：（/etc/sysconfig/logstash forwarder）logstash_forwarder_OPTIONS=“-config/etc/logstash forwarder-spool size 100”正常，因此它仍然不能对所有机器正常工作。类似的情况，只是这一次一两个小时后它没有出现。我在stdout日志中看到了发送的日志，但它没有出现在ES中。
[root@tool01 tmp]# curl -s XGET http://192.168.50.241:9200/logstash-2014.12.03/_search?pretty=true | tail -n 15; TZ=UTC date
{
  "_index": "logstash-2014.12.03",
  "_type": "syslog",
  "_id": "bOVXPpf9SFOKKPgx7PWfCA",
  "_score": 1.0,
  "_source": {
    "message": "Dec  3 00:06:30 foreman dhcpd: DHCPREQUEST for 192.168.50.251 from 00:15:5d:32:14:09 via eth0",
    "@version": "1",
    "@timestamp": "2014-12-03T00:06:30.000Z",
    "type": "syslog",
    "file": "/var/log/messages",
    "host": "foreman.ics.dmz",
    "offset": "3756888",
    "syslog_timestamp": "Dec  3 00:06:30",
    "syslog_hostname": "foreman",
    "syslog_program": "dhcpd",
    "syslog_message": "DHCPREQUEST for 192.168.50.251 from 00:15:5d:32:14:09 via eth0",
    "received_at": "2014-12-02 11:06:31 UTC",
    "received_from": "foreman.ics.dmz",
    "syslog_severity_code": 5,
    "syslog_facility_code": 1,
    "syslog_facility": "user-level",
    "syslog_severity": "notice"
  }
},
{
  "_index": "logstash-2014.12.03",
  "_type": "syslog",
  "_id": "5axCp7UgRxmunclFqlgKNw",
  "_score": 1.0,
  "_source": {
    "message": "Dec  3 00:06:30 foreman dhcpd: DHCPACK on 192.168.50.251 to 00:15:5d:32:14:09 via eth0",
    "@version": "1",
    "@timestamp": "2014-12-03T00:06:30.000Z",
    "type": "syslog",
    "file": "/var/log/messages",
    "host": "foreman.ics.dmz",
    "offset": "3756982",
    "syslog_timestamp": "Dec  3 00:06:30",
    "syslog_hostname": "foreman",
    "syslog_program": "dhcpd",
    "syslog_message": "DHCPACK on 192.168.50.251 to 00:15:5d:32:14:09 via eth0",
    "received_at": "2014-12-02 11:06:31 UTC",
    "received_from": "foreman.ics.dmz",
    "syslog_severity_code": 5,
    "syslog_facility_code": 1,
    "syslog_facility": "user-level",
    "syslog_severity": "notice"
  }
},
{
  "_index": "logstash-2014.12.03",
  "_type": "syslog",
  "_id": "m_MuAZPcS8ixmCn5getvyg",
  "_score": 1.0,
  "_source": {
    "message": "Dec  3 00:06:30 spacewalk dhclient[906]: DHCPREQUEST on eth0 to 192.168.50.240 port 67 (xid=0x421c37e1)",
    "@version": "1",
    "@timestamp": "2014-12-03T00:06:30.000Z",
    "type": "syslog",
    "file": "/var/log/messages",
    "host": "spacewalk.ics.dmz",
    "offset": "269907",
    "syslog_timestamp": "Dec  3 00:06:30",
    "syslog_hostname": "spacewalk",
    "syslog_program": "dhclient",
    "syslog_pid": "906",
    "syslog_message": "DHCPREQUEST on eth0 to 192.168.50.240 port 67 (xid=0x421c37e1)",
    "received_at": "2014-12-02 11:06:33 UTC",
    "received_from": "spacewalk.ics.dmz",
    "syslog_severity_code": 5,
    "syslog_facility_code": 1,
    "syslog_facility": "user-level",
    "syslog_severity": "notice"
  }
}
Tue Dec  2 19:19:14 UTC 2014