1

我正在使用 Logstash 读取日志文件。以下是文件:

配置文件:

input { 
file{
    path => "/home/cdot/Desktop/auth_log"
    start_position => beginning
}
}

filter{
grok{

match => ["message", "%{TIMESTAMP_ISO8601: timestamp} %{HOSTNAME: server-name} %{WORD: action}: %{WORD: machine}(%{GREEDYDATA: command}):%{GREEDYDATA:logline}"]
}
}

output {
    elasticsearch { host => localhost }
    stdout { codec => rubydebug }
}

输出:

Using milestone 2 input plugin 'file'. This plugin should be stable, but if you see strange behavior, please let us know! For more information on plugin milestones, see http://logstash.net/docs/1.4.1/plugin-milestones {:level=>:warn}

我没有得到任何输出。我的日志文件具有以下形式的行:

2014-05-09T04:02:08+05:30 bx920as1 runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
2014-05-26T04:02:09+05:30 bx920as1 runuser: pam_unix(runuser-l:session): session closed for user cyrus

请帮忙。

编辑:

添加行后

start_position => beginning
    sincedb_path => "/dev/null"

输入我得到以下输出:

{
       "message" => "2014-05-26T04:02:09+05:30 bx920as1 runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)",
      "@version" => "1",
    "@timestamp" => "2014-05-27T03:59:26.773Z",
          "host" => "cdot-HP-Pro-3330-MT",
          "path" => "/home/cdot/Desktop/auth_log",
       "logline" => " session opened for user cyrus by (uid=0)"
}
{
       "message" => "2014-05-26T04:02:09+05:30 bx920as1 runuser: pam_unix(runuser-l:session): session closed for user cyrus",
      "@version" => "1",
    "@timestamp" => "2014-05-27T03:59:26.774Z",
          "host" => "cdot-HP-Pro-3330-MT",
          "path" => "/home/cdot/Desktop/auth_log",
       "logline" => " session closed for user cyrus"
}
{
       "message" => "",
      "@version" => "1",
    "@timestamp" => "2014-05-27T03:59:26.774Z",
          "host" => "cdot-HP-Pro-3330-MT",
          "path" => "/home/cdot/Desktop/auth_log",
          "tags" => [
        [0] "_grokparsefailure"
    ]
}

因此,只有日志行被捕获,其余字段没有得到匹配。任何想法?

4

2 回答 2

2

Logstash 文件输入将跟踪被监控日志文件的当前位置,并将当前位置保存到 sincedb,默认路径是您的主目录。请参考这里

所以,start_position => beginning唯一的效果是在你第一次开始监控文件的时候。之后,logstash 将从保存在 sincedb 中的位置开始。

因此,如果您总是想从第一行读取日志,请将此配置添加到您的input文件中

sincedb_path => "/dev/null"

或者

删除主目录中的所有 .sincedb 文件。您也可以在启动 logstash 后将日志输入到监控日志文件中。

于 2014-05-27T00:43:26.010 回答
1

已解决: 问题是由于其他标识符的错误表达式(因此它们没有被显示)而logline表达式是正确的(因此被显示)。

于 2014-05-27T04:34:44.193 回答