elasticsearch,logstash,Java,Linux,elasticsearch,Logstash" /> elasticsearch,logstash,Java,Linux,elasticsearch,Logstash" />
Fatal编程技术网
  • java/
  • Java logstash org.elasticsearch.discovery.MasterNotDiscoveredException错误

Java logstash org.elasticsearch.discovery.MasterNotDiscoveredException错误

java linux logstash

Java logstash org.elasticsearch.discovery.MasterNotDiscoveredException错误,java,linux,elasticsearch,logstash,Java,Linux,elasticsearch,Logstash,我已经安装了带有ElasticsSearch-0.20.6的logstash 1.1.13,下面是logstash.conf的配置 input { tcp { port => 524 type => rsyslog } udp { port => 524 type => rsyslog } } filter { grok { type => "rsyslog" pattern => [ "<%{POSINT:syslog_pri}>%{SYSLOG

我已经安装了带有ElasticsSearch-0.20.6的logstash 1.1.13,下面是logstash.conf的配置

input {
tcp {
port => 524
type => rsyslog
}
udp {
port => 524
type => rsyslog
}
}
filter {
grok {
type => "rsyslog"
pattern => [ "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{PROG:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" ]
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{@source_host}" ]
}
syslog_pri {
type => "rsyslog"
}
date {
type => "rsyslog"
syslog_timestamp => [ "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
mutate {
type => "rsyslog"
exclude_tags => "_grokparsefailure"
replace => [ "@source_host", "%{syslog_hostname}" ]
replace => [ "@message", "%{syslog_message}" ]
}
mutate {
type => "rsyslog"
remove => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
}
}

output {
elasticsearch {
 host => "127.0.0.1"
 port => 9300
 node_name => "sysloG33r-1"
 bind_host => "localhost"
 }
}
用命令启动了logstash

    [root@clane elasticsearch]# java -jar /usr/local/bin/logstash/bin/logstash.jar agent -f /etc/logstash/logstash.conf
Using experimental plugin 'syslog_pri'. This plugin is untested and may change in the future. For more information about plugin statuses, see http://logstash.net/docs/1.1.13/plugin-status  {:level=>:warn}
date: You used a deprecated setting 'syslog_timestamp => ["MMM d HH:mm:ss", "MMM dd HH:mm:ss"]'. You should use 'match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]' {:level=>:warn}
PORT SETTINGS 127.0.0.1:9300
log4j, [2013-06-21T14:40:08.013]  WARN: org.elasticsearch.discovery: [sysloG33r-1] waited for 30s and no initial state was set by the discovery
Failed to index an event, will retry {:exception=>org.elasticsearch.discovery.MasterNotDiscoveredException: waited for [1m], :event=>{"@source"=>"tcp://10.66.59.35:34662/", "@tags"=>[], "@fields"=>{"syslog_pri"=>["78"], "syslog_program"=>["crond"], "syslog_pid"=>["6511"], "received_at"=>["2013-06-21T13:40:01.845Z"], "received_from"=>["10.66.59.35"], "syslog_severity_code"=>6, "syslog_facility_code"=>9, "syslog_facility"=>"clock", "syslog_severity"=>"informational"}, "@timestamp"=>"2013-06-21T12:40:01.000Z", "@source_host"=>"kent", "@source_path"=>"/", "@message"=>"(root) CMD (/opt/bin/firewall-state.sh)", "@type"=>"rsyslog"}, :level=>:warn}
和弹性搜索

/usr/local/bin/elasticsearch start
我可以看到elasticsearch(92009300)和logstash(524)的所有正确java端口

但是我在logstash上看到了这个错误,有什么想法吗

Failed to index an event, will retry {:exception=>org.elasticsearch.discovery.MasterNotDiscoveredException: waited for [1m], :event=>{"@source"=>"tcp://10.66.59.35:33598/", "@tags"=>[], "@fields"=>{"syslog_pri"=>["78"], "syslog_program"=>["crond"], "syslog_pid"=>["12983"], "received_at"=>["2013-06-21T12:07:01.541Z"], "received_from"=>["10.66.59.35"], "syslog_severity_code"=>6, "syslog_facility_code"=>9, "syslog_facility"=>"clock", "syslog_severity"=>"informational"}, "@timestamp"=>"2013-06-21T11:07:01.000Z", "@source_host"=>"kent", "@source_path"=>"/", "@message"=>"(root) CMD (/opt/bin/firewall-state.sh)", "@type"=>"rsyslog"}, :level=>:warn}
我假设您已经检查了一些明显的问题,比如“ElasticSearch正在运行吗?”和“我可以打开到localhost上端口9300的TCP连接吗?”

尽管您在
elasticsearch
输出中使用了
host
参数,但可能发生的情况是,Logstash中的elasticsearch客户端正在尝试通过多播发现集群成员(这是默认情况下新安装的典型配置方式),并且失败了。这在EC2以及防火墙配置可能干扰多播发现的许多其他环境中很常见。如果这是群集中的唯一成员,则在
elasticsearch.yml中设置以下内容应该可以做到:


discovery:
  zen:
    ping:
      multicast:
        enabled: false
      unicast:
        hosts: <your_ip>[9300-9400]



发现:
禅宗:
发出砰的声响:
多播:
已启用:false
单播:
主持人:[9300-9400]


在AWS上,还有一个EC2发现插件,它将为您清除这些错误


顺便说一句,这个问题实际上属于服务器故障,而不是堆栈溢出。
我有一个类似的问题,它来自我的ip配置。简而言之,检查日志存储主机上是否只有一个ip地址。如果没有,它可能会选择错误的一个


在这里发布了相同的答案:
我遇到了同样的问题,并通过在logstash的elasticsearch配置中添加集群选项进行了修复。由于您在elasticsearch.yml中修改了集群名称,因此logstash客户端将无法使用默认值找到集群


也尝试这样做
不确定我是否遗漏了什么-ES公开HTTP端点,但您的映射似乎在92009300使用TCP?您能让logstash配置转到默认的ES端口吗?我有一个与您非常相似的配置,并且我没有显式地分配端口。我对我的elasticsearch.yml文件做了以下更改:
discovery.zen.ping.multicast.enabled:false discovery.zen.ping.unicast.hosts:[“127.0.0.1”
,但我继续看到以下消息:
线程中的异常“elasticsearch[Proudstar,John][generic][t#5]”org.elasticsearch.discovery.MasterNotDiscoveredException:waiting waiting[30s]
我想在尝试创建稳定的日志存储实例时清除警告和错误。我应该关注这些警告吗?我能把它们清理干净吗?

Failed to index an event, will retry {:exception=>org.elasticsearch.discovery.MasterNotDiscoveredException: waited for [1m], :event=>{"@source"=>"tcp://10.66.59.35:33598/", "@tags"=>[], "@fields"=>{"syslog_pri"=>["78"], "syslog_program"=>["crond"], "syslog_pid"=>["12983"], "received_at"=>["2013-06-21T12:07:01.541Z"], "received_from"=>["10.66.59.35"], "syslog_severity_code"=>6, "syslog_facility_code"=>9, "syslog_facility"=>"clock", "syslog_severity"=>"informational"}, "@timestamp"=>"2013-06-21T11:07:01.000Z", "@source_host"=>"kent", "@source_path"=>"/", "@message"=>"(root) CMD (/opt/bin/firewall-state.sh)", "@type"=>"rsyslog"}, :level=>:warn}



discovery:
  zen:
    ping:
      multicast:
        enabled: false
      unicast:
        hosts: <your_ip>[9300-9400]