1

I am quite new to logstash but I've been spending quite some time in trying to get this right with no success. I am sending my logs from multiple applications on different server via udp to be logged. Here's the logstash configuration:

input{
  udp{
    port => 5960
    type => "log4net"
  }
}
filter {
  grok {
    match => ["message", "(?m)%{TIMESTAMP_ISO8601:sourceTimestamp}\s*%{WORD:System}\s*%{LOGLEVEL:logLevel}\s*-\s*%{WORD:logger}\s*-\s*%{NOTSPACE:source}\s*%{NOTSPACE:action}\s*%{UUID:transactionId}\s*%{GREEDYDATA:message}"]
  }
}
output {
  elasticsearch {
    protocol => "http"
    host => "[mylocalip]"
    port => "9200"
   }
  stdout { codec => rubydebug }
}

Unfortunately no message is logged. I checked and made sure that the port is available when I start logstash. I also configured properly the firewall to allow udp message via this port. When I tcpdump I can see the udp messages arriving. Additionally I tried another method of input (logs from nginx) and it works ok. What am I doing wrong?
ElasticSearch version-1.4
Logstash version - 1.5 (initially tried also with 1.4)
OS - CentOs 6.5
Java - OpenJDK Runtime Environment (rhel-2.5.5.1.el6_6-x86_64 u79-b14)

4

2 回答 2

0

您很可能错过了发件人的路线。如果是这种情况,会发生什么:

  1. 您收到发送到您的 logstash IP/端口的数据包。
  2. 您可以在 tcpdump 中看到它,因为它是网络层。
  3. 然后内核尝试到达发送者(即使是 UDP)。
  4. 如果没有路由,它会失败,因此会丢弃 UDP 数据包,而您在应用程序级别看不到它。
于 2016-04-05T08:18:52.743 回答
0
  1. 检查 logstash 日志以查看它在哪个主机上打开端口。默认值为 0.0.0.0。不会达到的。在 udp 定义中添加“host”参数。
  2. 使用端口检查工具(如Windows 上的qryport)检查端口是否被实际监听。
于 2017-04-19T18:20:59.617 回答