Logstash: logs from some lambda functions are not coming through
Tags: logstash, amazon-cloudwatch, amazon-cloudwatchlogs

I am streaming logs from CloudWatch to Elasticsearch using the Logstash input. I have the following configuration:
input {
  cloudwatch_logs {
    log_group => ["/aws/lambda/a","/aws/lambda/b","/aws/lambda/c","/aws/lambda/d","/aws/lambda/e","/aws/lambda/f"]
    start_position => "end"
    access_key_id => "<access_key>"
    secret_access_key => "<secret_access_key>"
    region => "eu-west-2"
    tags => ["cloudwatch_syslog"]
  }
}
filter {
  if "cloudwatch_syslog" in [tags] {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => { "message" => ["%{TIMESTAMP_ISO8601:timestampcw} > %{GREEDYDATA:message}","%{TIMESTAMP_ISO8601:timestampcw} %{GREEDYDATA:message}","%{GREEDYDATA:message}"] }
      overwrite => ["message"]
      remove_field => ["cloudwatch_logs","timestampcw"]
    }
    json {
      skip_on_invalid_json => true
      source => "message"
      target => "data"
      remove_field => ["message"]
    }
    if [data][type] != "report" {
      drop { }
    }
    else {
      mutate {
        replace => { "app" => "my-app" }
      }
    }
  }
}
output {
  if ![data] {
    elasticsearch {
      hosts => "<host>"
      user => "<un>"
      password => "<pass>"
      ilm_rollover_alias => "log_raw"
      ilm_pattern => "000001"
      ilm_policy => "log_raw"
    }
  }
  else {
    elasticsearch {
      hosts => "<host>"
      user => "<un>"
      password => "<pass>"
      ilm_rollover_alias => "log"
      ilm_pattern => "000001"
      ilm_policy => "log"
    }
  }
}
I can see the logs from lambdas a, b, c and d, but in Kibana I cannot see the logs from lambdas e and f. I have also tried deleting the sincedb file, but even after deleting it the logs do not show up. Lambdas e and f were added to the configuration yesterday, while the others have been in it for a long time.

Comment: Have you checked the Logstash and Elasticsearch logs?

Comment: I have checked the Logstash logs. There are no errors.
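To see which raw CloudWatch lines actually survive the filter chain in that configuration, here is an added Python simulation of its grok, json, drop and output conditionals. This is my own code, not part of the question: the regexes only approximate Logstash's TIMESTAMP_ISO8601 and GREEDYDATA patterns, the sample lines are constructed, and the way a missing [data] field behaves in the `!=` comparison is my assumption about Logstash semantics.

```python
import json
import re

# Constructed approximation of the grok patterns in the question's filter:
# TIMESTAMP_ISO8601 is simplified and GREEDYDATA becomes ".*".
ISO = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?"
GROK_PATTERNS = [
    re.compile(rf"^(?P<timestampcw>{ISO}) > (?P<message>.*)$", re.S),
    re.compile(rf"^(?P<timestampcw>{ISO}) (?P<message>.*)$", re.S),
    re.compile(r"^(?P<message>.*)$", re.S),
]


def grok(event):
    """grok { match => [...]; overwrite => ["message"]; remove_field => ["timestampcw"] }

    Logstash tries the listed patterns in order and stops at the first match,
    so the bare GREEDYDATA pattern guarantees every line matches something.
    """
    for pat in GROK_PATTERNS:
        m = pat.match(event["message"])
        if m:
            # overwrite => ["message"]; timestampcw is captured and removed again
            event["message"] = m.group("message")
            return event
    return event  # unreachable because of the catch-all pattern, kept for clarity


def json_filter(event):
    """json { skip_on_invalid_json => true; source => "message"; target => "data" }"""
    try:
        event["data"] = json.loads(event["message"])
    except ValueError:
        return event  # invalid JSON: the event passes through with no [data] field
    del event["message"]  # remove_field => ["message"] applies only on success
    return event


def data_type(event):
    """Value of [data][type], or None when [data] is absent or not an object."""
    data = event.get("data")
    return data.get("type") if isinstance(data, dict) else None


def run_pipeline(raw_message):
    """Return the output branch a raw CloudWatch line would end up in."""
    event = {"message": raw_message, "tags": ["cloudwatch_syslog"]}
    event = grok(event)
    event = json_filter(event)
    # Assumption about Logstash semantics: `[data][type] != "report"` is true when
    # [data] is absent, so every non-JSON line is dropped here, not only non-report JSON.
    if data_type(event) != "report":
        return "dropped"
    event["app"] = "my-app"  # mutate { replace => { "app" => "my-app" } }
    return "log_raw" if not event.get("data") else "log"  # output conditional


# Constructed sample lines, not taken from the question.
SAMPLE_LINES = [
    '2021-05-10T09:15:01.123Z > {"type": "report", "duration_ms": 42}',
    '2021-05-10T09:15:02.456Z {"type": "metric", "value": 7}',
    "START RequestId: 00000000-0000-0000-0000-000000000000 Version: $LATEST",
    '{"type": "report", "source": "plain-json-line"}',
]


def route_all(lines):
    """Map each sample line to the branch it lands in."""
    return {line: run_pipeline(line) for line in lines}


if __name__ == "__main__":
    for line, branch in route_all(SAMPLE_LINES).items():
        print(f"{branch:8} <- {line}")
```

Running it shows that the `log_raw` branch of the output is never reached for events carrying the `cloudwatch_syslog` tag: the filter drops anything that did not parse as a JSON object with `type` equal to `report` before the output conditional runs, and a Logstash `drop` leaves no error in the Logstash log. Feeding the raw lines that the newer functions emit through the same checks is a quick way to tell whether they are being dropped by the filter rather than never being read from CloudWatch.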