2017-05-04 137 views

我想配置 logstash 處理以下輸入:nginx 的訪問日誌、nginx 的錯誤日誌,以及符合下面自定義模式的日誌。以下是 logstash.conf(問題:Logstash 報「無法加載無效的配置」):

# Beats listener (e.g. Filebeat shippers) on TCP 5044.
# NOTE(review): no ssl settings appear here, so as written the listener accepts
# plaintext from any host that can reach the port, and the later stages route on
# the shipper-supplied [type] field. The beats input offers ssl, ssl_certificate,
# ssl_key, ssl_certificate_authorities and ssl_verify_mode for this (setting
# names differ between plugin versions -- confirm against the installed one).
input {
  beats {
    port => 5044

    # Any line that does NOT start with an ISO8601 timestamp is appended to the
    # previous event (continuation lines such as stack traces).
    # NOTE(review): newer beats input versions refuse a multiline codec and
    # expect line joining to happen in Filebeat -- verify for your version.
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601} "
      negate  => true
      what    => "previous"
    }
  }
}

# Parse events by [type]: nginx access log, nginx error log, or the custom
# application log format. [type] is whatever the shipper set on the event.
filter {
  if [type] == "nginx-access" {
    # Combined log format, with anything after it captured as extra_fields.
    grok {
      match     => { "message" => "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}" }
      overwrite => [ "message" ]
    }

    # Numeric types so Elasticsearch can aggregate on status, size and latency.
    mutate {
      convert => ["response", "integer"]
      convert => ["bytes", "integer"]
      convert => ["responsetime", "float"]
    }

    # Enrich with location data derived from the logged client address.
    geoip {
      source  => "clientip"
      target  => "geoip"
      add_tag => [ "nginx-geoip" ]
    }

    # Use the request time from the log line as the event time, then drop the
    # now-redundant text field.
    date {
      match        => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
      remove_field => [ "timestamp" ]
    }

    useragent {
      source => "agent"
    }

  } else if [type] == "nginx-error" {
    # NOTE(review): the client, server and trailing referrer groups carry no
    # `?`, so as written a line must contain all three to match; error lines
    # without a referrer would be tagged _grokparsefailure. Confirm this is
    # intended.
    grok {
      match     => { "message" => "(?<timestamp>%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}[- ]%{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER}: %{GREEDYDATA:errormessage}(?:, client: (?<client>%{IP}|%{HOSTNAME}))(?:, server: %{IPORHOST:server})(?:, request: %{QS:request})?(?:, upstream: \"%{URI:upstream}\")?(?:, host: %{QS:host})?(?:, referrer: \"%{URI:referrer}\")" }
      overwrite => [ "message" ]
    }

    # `client` may hold a hostname rather than an IP (see the capture above).
    geoip {
      source  => "client"
      target  => "geoip"
      add_tag => [ "nginx-geoip" ]
    }

    date {
      match        => [ "timestamp" , "YYYY/MM/dd HH:mm:ss" ]
      remove_field => [ "timestamp" ]
    }

  } else {
    # Custom application log: flatten the joined multiline event to one line
    # before matching.
    mutate {
      gsub => ["message", "\n", " "]
    }

    grok {
      match     => { "message" => "%{TIMESTAMP_ISO8601:timestamp} \[%{NOTSPACE:uid}\] \[%{NOTSPACE:thread}\] %{LOGLEVEL:loglevel} %{DATA:class}\-%{GREEDYDATA:message}" }
      overwrite => [ "message" ]
    }

    # NOTE(review): TIMESTAMP_ISO8601 also accepts fractional seconds and a
    # zone; such values would not parse with this format -- confirm against
    # real log lines.
    date {
      match  => [ "timestamp" , "yyyy-MM-dd HH:mm:ss" ]
      target => "@timestamp"
    }

    # Unparsed events are discarded here with no record. If these logs feed
    # audit or detection, consider keeping them (tagged, in a separate index)
    # so malformed or unexpected lines stay visible.
    if "_grokparsefailure" in [tags] {
      drop { }
    }
  }
}

# Output section exactly as posted in the question; Logstash refuses to load it.
output { 

stdout { codec => rubydebug } 
if [type] == "nginx-access" { 
    elasticsearch { hosts => localhost } 
    # NOTE: the elasticsearch { } block was closed on the line above, so this
    # setting stands alone inside the conditional. The parser reads `index` as a
    # plugin name and expects `{` next -- this is where the quoted error points.
    index => "nginx-access-%{+YYYY.MM.dd}" 
} else if [type] == "nginx-error" { 
    elasticsearch { hosts => localhost } 
    # Same misplacement as in the nginx-access branch.
    index => "nginx-error-%{+YYYY.MM.dd}" 
} else { 
    elasticsearch { hosts => localhost } 
} 

} 

但在運行它,我得到以下錯誤

ERROR logstash.agent - Cannot load an invalid configuration {:reason=>"Expected one of #, { 
at line 84, column 9 (byte 1883) after output {\n \nstdout { codec => rubydebug }\nif [type] == 
\"nginx-access\" {\n elasticsearch { hosts => localhost }\n index "} 

我不知道錯誤是什麼。有人能幫我弄明白嗎?

我還用 hexdump 檢查過文件,看起來沒問題,沒有亂碼。

回答


正確的做法是把 index 放在 elasticsearch 塊內,如下:

# Corrected output: each `index` setting sits inside its elasticsearch { } block.
output {
  # Prints every event in full to Logstash's stdout. Useful while debugging;
  # note that it also copies client addresses and request strings into
  # wherever stdout is collected.
  stdout { codec => rubydebug }

  # NOTE(review): no credentials or TLS are configured on these outputs. That
  # relies on Elasticsearch being reachable on loopback only -- confirm.
  if [type] == "nginx-access" {
    elasticsearch {
      hosts => localhost
      index => "nginx-access-%{+YYYY.MM.dd}"
    }
  } else if [type] == "nginx-error" {
    elasticsearch {
      hosts => localhost
      index => "nginx-error-%{+YYYY.MM.dd}"
    }
  } else {
    # No index given: events go to the plugin's default index.
    elasticsearch {
      hosts => localhost
    }
  }
}

我想你忘記給 localhost 加上引號(「」)了:

# elasticsearch output fragment; it belongs inside an output { } section.
elasticsearch {
  hosts         => ["localhost"]
  # Index name = the event's tempIndex field + ISO week-year and week number.
  # NOTE(review): an event without tempIndex keeps the literal "%{tempIndex}"
  # in the index name, and if the field can be set by a shipper or by log
  # content, the sender decides which index is written -- check it against a
  # fixed list of expected names before this output.
  index         => "%{tempIndex}-%{+xxxx.ww}"
  document_type => "%{[@metadata][type]}"
}