Logstash not creating indices in elasticsearch

I followed the Digital Ocean tutorial on how to install the ELK stack on a CentOS 7 machine.

Digital Ocean ELK setup on CentOS

It looked pretty good and got me through getting the initial Elasticsearch node working and kibana 4 running behind NGINX. But when I installed Logstash I ran into a problem: it doesn't seem to be creating any index in elasticsearch! I'm sure it's a configuration issue somewhere, but I don't know where!

I noticed that when I pulled the elasticsearch indices from the _cat API after restarting logstash, logstash had not created any index yet.

curl http://localhost:9200/_cat/indices
yellow open .kibana  1 1 1 0 2.4kb 2.4kb
yellow open security 5 1 0 0  575b  575b

Here we have the kibana index and what I assume is a standard ES index called "security". But logstash doesn't seem to be talking to ES! Everything is running on the same machine.

These are the versions of ES and LS that I have installed:

elasticsearch-1.5.2-1.noarch
logstash-1.5.1-1.noarch
logstash-forwarder-0.4.0-1.x86_64

The way they set it up in the tutorial I followed, you have 3 config files that go into the logstash conf.d directory.

In /etc/logstash/conf.d/01-lumberjack-input.conf I have:

input {
  lumberjack {
    port => 5000
    type => "logs"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

In /etc/logstash/conf.d/10-syslog.conf I have:

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

I also have my own config from a previous logstash server, which I put into a file called 20-logstash.conf that listens on port 2541:

I have the following in /etc/logstash/conf.d/20-logstash.conf

input {
   lumberjack {
       # The port to listen on
       port => 2541

       # The paths to your ssl cert and key
       ssl_certificate => "/etc/pki/tls/certs/lumberjack.crt"
       ssl_key => "/etc/pki/tls/private/lumberjack.key"

       # Set this to whatever you want.
       type => "logstash"
       codec => "json"
   }
}


filter {
   if [type] == "postfix" {
      grok {
            match => [ "message", "%{SYSLOGBASE}", "timestamp", "MMM dd HH:mm:ss" ]
            add_tag => [ "postfix", "grokked" ]
      }
   }
}


filter {
   if [type] == "system" {
      grok {
            match => [ "message", "%{SYSLOGBASE}" ]
            add_tag => [ "system", "grokked" ]
      }
   }
}

filter {
   if [type] == "syslog" {
      grok {
            match => [ "message", "%{SYSLOGBASE}" ]
            add_tag => [ "syslog", "grokked" ]
      }
   }
}


filter {
   if [type] == "security" {
      grok {
            match => [ "message", "%{SYSLOGBASE}" ]
            add_tag => [ "security", "grokked" ]
      }
   }
}



output {

  stdout {
           #debug => true
           #debug_format => "json"
    }

  elasticsearch {
    host => "logs.mydomain.com"
  }
}

In /etc/logstash/conf.d/30-lumberjack-output.conf I have the output to ES:

output {
  elasticsearch { host => localhost }
  stdout { codec => rubydebug }
}

Now, after restarting logstash again, I can see logstash listening on the ports I specified in the config:

[root@logs:/etc/logstash] #lsof -i :5000
COMMAND   PID     USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
java    23893 logstash   16u  IPv6 11665234      0t0  TCP *:commplex-main (LISTEN)
[root@logs:/etc/logstash] #lsof -i :2541
COMMAND   PID     USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
java    23893 logstash   18u  IPv6 11665237      0t0  TCP *:lonworks2 (LISTEN)

As of right now, logstash is running and producing no log output at all:

#ps -ef | grep logstash | grep -v grep
logstash 23893     1 16 11:49 ?        00:01:45 /bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.io.tmpdir=/var/lib/logstash -Xmx500m -Xss2048k -Djffi.boot.library.path=/opt/logstash/vendor/jruby/lib/jni -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.io.tmpdir=/var/lib/logstash -Xbootclasspath/a:/opt/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/opt/logstash/vendor/jruby -Djruby.lib=/opt/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main --1.9 /opt/logstash/lib/bootstrap/environment.rb logstash/runner.rb agent -f /etc/logstash/conf.d -l /var/log/logstash/logstash.log

ls -lh /var/log/logstash/logstash.log
-rw-r--r--. 1 logstash logstash 0 Jun 22 11:49 /var/log/logstash/logstash.log

But still no index has been created in elasticsearch:

#curl http://localhost:9200/_cat/indices
yellow open .kibana  1 1 1 0 2.4kb 2.4kb
yellow open security 5 1 0 0  575b  575b

When I go to configure Kibana, it says it can't find anything matching the "logstash-*" pattern to search.

Where can I go from here to get this working? The configs themselves are unchanged from what I showed you above.

I haven't tried pointing any logstash-forwarder at it yet.. but I did try writing stdin to the elasticsearch cluster with this command:

logstash -e 'input { stdin { } } output { elasticsearch { host => localhost } }'

And I got this error:

Got error to send bulk of actions: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];[SERVICE_UNAVAILABLE/2/no master]; {:level=>:error}
Failed to flush outgoing items {:outgoing_count=>1, :exception=>org.elasticsearch.cluster.block.ClusterBlockException: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];[SERVICE_UNAVAILABLE/2/no master];, :backtrace=>["org.elasticsearch.cluster.block.ClusterBlocks.globalBlockedException(org/elasticsearch/cluster/block/ClusterBlocks.java:151)", "org.elasticsearch.cluster.block.ClusterBlocks.globalBlockedRaiseException(org/elasticsearch/cluster/block/ClusterBlocks.java:141)", "org.elasticsearch.action.bulk.TransportBulkAction.executeBulk(org/elasticsearch/action/bulk/TransportBulkAction.java:210)", "org.elasticsearch.action.bulk.TransportBulkAction.access$000(org/elasticsearch/action/bulk/TransportBulkAction.java:73)", "org.elasticsearch.action.bulk.TransportBulkAction$1.onFailure(org/elasticsearch/action/bulk/TransportBulkAction.java:148)", "org.elasticsearch.action.support.TransportAction$ThreadedActionListener$2.run(org/elasticsearch/action/support/TransportAction.java:137)", "java.util.concurrent.ThreadPoolExecutor.runWorker(java/util/concurrent/ThreadPoolExecutor.java:1142)", "java.util.concurrent.ThreadPoolExecutor$Worker.run(java/util/concurrent/ThreadPoolExecutor.java:617)", "java.lang.Thread.run(java/lang/Thread.java:745)"], :level=>:warn}

Any ideas on what might be going on?
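The post ends without a resolution. What follows is an added example, not code from the original post or from the Digital Ocean tutorial: the checks I would run on the Elasticsearch side before touching the Logstash configs any further. The two cluster blocks in the quoted error are Elasticsearch's own global blocks: id 1 is the gateway "state not recovered" block and id 2 is the discovery "no master" block. Getting them from Logstash while `curl localhost:9200/_cat/indices` answers normally points at the client Logstash is using rather than at ES itself. As I read the Logstash 1.5 elasticsearch output (my understanding of that version, not something the post states), it defaults to the `node` protocol, which embeds an ES client node that has to discover the cluster by name (`elasticsearch` unless configured otherwise), whereas `protocol => http` simply posts to port 9200. The script assumes ES is reachable without authentication at http://localhost:9200, as in the post; the offline inputs are the `_cat/indices` lines and the first error line quoted above plus a made-up single-node health document.

```python
"""Diagnose why Logstash shows no logstash-* index in Elasticsearch.

Added example, not from the original post.  The parsing/diagnosis functions are
pure so they run offline; main() fetches live data from ES_URL (assumption:
Elasticsearch 1.x on localhost:9200 with no authentication, as in the post).
"""
import json
import sys
import re
import urllib.request
from typing import Dict, List, Tuple

ES_URL = "http://localhost:9200"  # assumption: same box as Logstash, no auth

# Global cluster block ids as they appear in ES's ClusterBlockException text.
BLOCK_MEANING = {
    1: "cluster state not recovered: the node is still starting or gateway recovery never finished",
    2: "no master: the node the client talked to has not joined a cluster with an elected master",
}

_BLOCK_RE = re.compile(r"SERVICE_UNAVAILABLE/(\d+)/([^\]]+)\]")


def parse_cluster_blocks(err: str) -> List[Tuple[int, str]]:
    """Extract (id, description) pairs from a 'blocked by: [...]' error line."""
    return [(int(i), desc.strip()) for i, desc in _BLOCK_RE.findall(err)]


def parse_cat_indices(text: str) -> List[Dict[str, object]]:
    """Parse plain _cat/indices output: health status index pri rep docs deleted size pri_size."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # blank line or an unexpected layout
        rows.append({"health": parts[0], "status": parts[1], "index": parts[2],
                     "pri": int(parts[3]), "rep": int(parts[4]), "docs": int(parts[5])})
    return rows


def logstash_indices(rows: List[Dict[str, object]]) -> List[str]:
    """Names of the daily logstash-YYYY.MM.dd indices the elasticsearch output creates."""
    return [str(r["index"]) for r in rows if str(r["index"]).startswith("logstash-")]


def diagnose(health: Dict[str, object], cat_text: str, logstash_err: str = "") -> List[str]:
    """Turn _cluster/health, _cat/indices and a Logstash error line into findings."""
    findings = []
    status = health.get("status")
    if status == "red":
        findings.append("ES cluster is red: fix ES before looking at Logstash")
    elif status not in ("yellow", "green"):
        findings.append("ES did not report a cluster status: is it running and reachable?")
    blocks = dict(parse_cluster_blocks(logstash_err))
    for bid, desc in blocks.items():
        findings.append(f"Logstash hit cluster block {bid} ({desc}): {BLOCK_MEANING.get(bid, 'unknown block')}")
    if 2 in blocks and status in ("yellow", "green"):
        findings.append(f"ES has a master (status {status}, cluster_name {health.get('cluster_name')!r}) "
                        f"but Logstash's client saw none, so it did not join this cluster: check the "
                        f"output's cluster name (ES default is 'elasticsearch') or use protocol => http")
    if not logstash_indices(parse_cat_indices(cat_text)):
        findings.append("no logstash-* index exists: nothing has been indexed yet "
                        "(the daily index is only created on the first event)")
    return findings


def fetch_json(path: str) -> Dict[str, object]:
    with urllib.request.urlopen(ES_URL + path, timeout=5) as resp:
        return json.load(resp)


def fetch_text(path: str) -> str:
    with urllib.request.urlopen(ES_URL + path, timeout=5) as resp:
        return resp.read().decode()


# Constructed offline inputs: the _cat/indices lines and the first error line
# from the post, plus a made-up single-node health document.
SAMPLE_CAT = "yellow open .kibana  1 1 1 0 2.4kb 2.4kb\nyellow open security 5 1 0 0  575b  575b\n"
SAMPLE_ERR = ("Got error to send bulk of actions: blocked by: [SERVICE_UNAVAILABLE/1/state not "
              "recovered / initialized];[SERVICE_UNAVAILABLE/2/no master]; {:level=>:error}")
SAMPLE_HEALTH = {"cluster_name": "elasticsearch", "status": "yellow", "number_of_nodes": 1}


if __name__ == "__main__":
    # Usage: python3 es_diag.py --offline
    #        grep 'blocked by' /var/log/logstash/logstash.log | python3 es_diag.py
    if "--offline" in sys.argv:
        health, cat_text = SAMPLE_HEALTH, SAMPLE_CAT
    else:
        health, cat_text = fetch_json("/_cluster/health"), fetch_text("/_cat/indices")
    err = SAMPLE_ERR if sys.stdin.isatty() else sys.stdin.read()
    for finding in diagnose(health, cat_text, err):
        print("-", finding)
```

One more thing worth checking while you are in there: Logstash loads every file under conf.d as a single pipeline, so the unconditional `elasticsearch` outputs in 20-logstash.conf (logs.mydomain.com) and 30-lumberjack-output.conf (localhost) both receive every event, and both `if [type] == "syslog"` filters run on the same events.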
