Logstash 日志正在忽略配置文件中的输入部分
我有一个通过HTTP和TCP捕获日志的简单设置。 我在Logstash 日志正在忽略配置文件中的输入部分,logstash,elastic-stack,logstash-configuration,Logstash,Elastic Stack,Logstash Configuration,我有一个通过HTTP和TCP捕获日志的简单设置。 我在/etc/logstash/conf.d/(见下文)创建了2个conf文件,但通过HTTP发送的日志也通过TCP管道传递,反之亦然。例如,当我通过TCP发送日志时,它会在http logger-*索引和TCP logger-*中结束。。这对我来说毫无意义:( http_logger.conf input { http { port => 9884 } } filter { grok { match =
/etc/logstash/conf.d/http logger-*TCP logger-*input {
http {
port => 9884
}
}
filter {
grok {
match => ["[headers][request_path]", "\/(?<component>[\w-]*)(?:\/)?(?<env>[\w-]*)(?:\/)?"]
}
}
output {
amazon_es {
hosts => ['XXXXX']
region => 'us-west-2'
aws_access_key_id => 'XXXXX'
aws_secret_access_key => 'XXXXX'
index => 'http-logger-%{+YYYY.MM.dd}'
}
stdout { codec => rubydebug }
}
input {
tcp {
port => 9885
codec => json
}
}
filter {
}
output {
amazon_es {
hosts => ['XXXXX']
region => 'us-west-2'
aws_access_key_id => 'XXXXX'
aws_secret_access_key => 'XXXXX'
index => 'tcp-logger-%{+YYYY.MM.dd}'
}
stdout { codec => rubydebug }
}
谢谢输入、筛选和输出配置,即使在不同的文件中拆分,日志存储在处理时也会将其作为单个大配置进行处理,就像在单个文件中指定了所有输入、筛选和输出一样 所以说,进入logstash的事件将通过所有配置的输出和过滤插件,在您的情况下,TCP和HTTP输入插件拾取的每个事件都将通过在HTTP_logger.conf和TCP_logger.conf中配置的过滤插件和输出插件,这就是您在
ht中看到隐藏事件的原因tp记录器-*tcp记录器-*tcphttp@Ram提供的解释是正确的,但是有一种更干净的方法来解决这个问题:enter 默认情况下,它如下所示:
- pipeline.id: main
path.config: "/etc/logstash/conf.d/*.conf"
- pipeline.id: httplogger
path.config: "/etc/logstash/conf.d/http_logger.conf"
- pipeline.id: tcplogger
path.config: "/etc/logstash/conf.d/tcp_logger.conf"
- pipeline.id: main
path.config: "/etc/logstash/conf.d/*.conf"
- pipeline.id: httplogger
path.config: "/etc/logstash/conf.d/http_logger.conf"
- pipeline.id: tcplogger
path.config: "/etc/logstash/conf.d/tcp_logger.conf"