0

我已经设置 Filebeat 通过使用 5044 端口(与 logstash 相同)在 Graylog 中配置 Beats 输入来将日志发送到 Graylog。我成功收到了 Graylog 中的日志。但是,如果在 3 次重试后日志文件没有更改,则 filebeat 会死掉,我必须手动启动才能继续收割。

这是 Filebeat 死前的日志(这个片段总共出现了 3 次):

2019-04-18T17:09:54.324-0700    DEBUG   [input] input/input.go:152      Run input
2019-04-18T17:09:54.324-0700    DEBUG   [input] log/input.go:174        Start next scan
2019-04-18T17:09:54.324-0700    DEBUG   [input] log/input.go:404        Check file for harvesting: /app/logs/A/api.log
2019-04-18T17:09:54.324-0700    DEBUG   [input] log/input.go:494        Update existing file for harvesting: /app/logs/A/api.log, offset: 2922198
2019-04-18T17:09:54.324-0700    DEBUG   [input] log/input.go:548        File didn't change: /app/logs/A/api.log

2019-04-18T17:09:54.324-0700    DEBUG   [input] log/input.go:404        Check file for harvesting: /app/logs/B/api.log
2019-04-18T17:09:54.324-0700    DEBUG   [input] log/input.go:494        Update existing file for harvesting: /app/logs/B/api.log, offset: 28149
2019-04-18T17:09:54.324-0700    DEBUG   [input] log/input.go:548        File didn't change: /app/logs/B/api.log

2019-04-18T17:09:54.324-0700    DEBUG   [input] log/input.go:404        Check file for harvesting: /app/logs/C/api.log
2019-04-18T17:09:54.324-0700    DEBUG   [input] log/input.go:494        Update existing file for harvesting: /app/logs/C/api.log, offset: 37930655
2019-04-18T17:09:54.324-0700    DEBUG   [input] log/input.go:546        Harvester for file is still running: /app/logs/C/api.log

2019-04-18T17:09:54.324-0700    DEBUG   [input] log/input.go:404        Check file for harvesting: /app/logs/D/api.log
2019-04-18T17:09:54.324-0700    DEBUG   [input] log/input.go:494        Update existing file for harvesting: /app/logs/D/api.log, offset: 173342
2019-04-18T17:09:54.324-0700    DEBUG   [input] log/input.go:548        File didn't change: /app/logs/D/api.log
2019-04-18T17:09:54.324-0700    DEBUG   [input] log/input.go:195        input states cleaned up. Before: 4, After: 4, Pending: 0

在 filebeat.yml 中,这是端口 5044 中进程的配置。我在 filebeat.yml 中将 max_retries:3 更改为 -1(无限),如下所示:

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["log1.cgi-dev.ca:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: 

  # Certificate for SSL client authentication
  #ssl.certificate: 

  # Client Certificate Key
  #ssl.key: 

  # The number of times to retry publishing an event after a publishing failure.
  # After the specified number of retries, the events are typically dropped.
  # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
  # and retry until all events are published.  Set max_retries to a value less
  # than 0 to retry until all events are published. The default is 3.
  max_retries: -1

正如我所提到的,我在 Graylog 中成功地从 filebeat 获取日志,但是当日志文件一段时间没有更改时,filebeat 进程就会死亡。导致 Filebeat 死机的罪魁祸首是什么?

谢谢

4

0 回答 0