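I have set up Filebeat to send logs to Graylog by configuring a Beats input in Graylog on port 5044 (the same as Logstash). I am successfully receiving the logs in Graylog. However, if the log files have not changed after 3 retries, Filebeat dies, and I have to start it manually to continue harvesting.
Here is the Filebeat log before it dies (this snippet appeared 3 times in total):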
2019-04-18T17:09:54.324-0700 DEBUG [input] input/input.go:152 Run input
2019-04-18T17:09:54.324-0700 DEBUG [input] log/input.go:174 Start next scan
2019-04-18T17:09:54.324-0700 DEBUG [input] log/input.go:404 Check file for harvesting: /app/logs/A/api.log
2019-04-18T17:09:54.324-0700 DEBUG [input] log/input.go:494 Update existing file for harvesting: /app/logs/A/api.log, offset: 2922198
2019-04-18T17:09:54.324-0700 DEBUG [input] log/input.go:548 File didn't change: /app/logs/A/api.log
2019-04-18T17:09:54.324-0700 DEBUG [input] log/input.go:404 Check file for harvesting: /app/logs/B/api.log
2019-04-18T17:09:54.324-0700 DEBUG [input] log/input.go:494 Update existing file for harvesting: /app/logs/B/api.log, offset: 28149
2019-04-18T17:09:54.324-0700 DEBUG [input] log/input.go:548 File didn't change: /app/logs/B/api.log
2019-04-18T17:09:54.324-0700 DEBUG [input] log/input.go:404 Check file for harvesting: /app/logs/C/api.log
2019-04-18T17:09:54.324-0700 DEBUG [input] log/input.go:494 Update existing file for harvesting: /app/logs/C/api.log, offset: 37930655
2019-04-18T17:09:54.324-0700 DEBUG [input] log/input.go:546 Harvester for file is still running: /app/logs/C/api.log
2019-04-18T17:09:54.324-0700 DEBUG [input] log/input.go:404 Check file for harvesting: /app/logs/D/api.log
2019-04-18T17:09:54.324-0700 DEBUG [input] log/input.go:494 Update existing file for harvesting: /app/logs/D/api.log, offset: 173342
2019-04-18T17:09:54.324-0700 DEBUG [input] log/input.go:548 File didn't change: /app/logs/D/api.log
2019-04-18T17:09:54.324-0700 DEBUG [input] log/input.go:195 input states cleaned up. Before: 4, After: 4, Pending: 0
In filebeat.yml, this is the configuration for the process on port 5044. I changed max_retries: 3 to -1 (infinite) in filebeat.yml, as shown below:
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["log1.cgi-dev.ca:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities:

  # Certificate for SSL client authentication
  #ssl.certificate:

  # Client Certificate Key
  #ssl.key:

  # The number of times to retry publishing an event after a publishing failure.
  # After the specified number of retries, the events are typically dropped.
  # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
  # and retry until all events are published. Set max_retries to a value less
  # than 0 to retry until all events are published. The default is 3.
  max_retries: -1
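As I mentioned, I am successfully getting logs from Filebeat in Graylog, but when the log files have not changed for a while, the Filebeat process dies. What is the culprit that causes Filebeat to die?
Thanks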