首先我为我的英语道歉。
我是一家公司的实习生,我用 Filebeat 提出了一个解决方案 ELK 来发送日志。
问题是一旦恢复 syslog_pri 总是显示 Notice 和 severity_code 5
这是我的配置:
Logstash 输入:
input {
beats {
port => 5044
type => "logs"
#ssl => true
#ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
#ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
我的过滤器:
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri {
syslog_pri_field_name => "syslog_pri"
}
geoip {
source => "ip"
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
我收到这样的日志:
{
"_index": "logstash-2016.01.27",
"_type": "log",
"_id": "AVKDkbeIo9FUMGLWSx1L",
"_score": null,
"_source": {
"message": "2016-01-27T15:52:20.979+0100 WARN [HeartbeatService RUNNING] collector.heartbeat.HeartbeatService - Unable to send heartbeat to Graylog server: ConnectException: Connection refused",
"@version": "1",
"@timestamp": "2016-01-27T14:52:21.896Z",
"beat": {
"hostname": "LABSRVITT003",
"name": "LABSRVITT003"
},
"count": 1,
"fields": null,
"input_type": "log",
"offset": 28494893,
"source": "/var/log/graylog-collector/collector.log",
"type": "log",
"host": "LABSRVITT003",
"tags": [
"gpf_relp"
],
"syslog_severity_code": 5,
"syslog_facility_code": 1,
"syslog_facility": "user-level",
"syslog_severity": "notice"
},
"fields": {
"@timestamp": [
1453906341896
]
},
"sort": [
1453906341896
]
}
我发布这个是因为我真的缺乏我浏览文档的想法,但我什么也没找到。
这个链接:
[ https://serverfault.com/questions/735230/why-cant-the-logstash-syslog-pri-filter-see-the-priority-in-syslog-messages] 这个人有同样的问题,他成功了。
因此,如果有人有想法,请分享。
谢谢