Notes on a pitfall with mismatched Logstash and Filebeat versions

Original
2018/08/23 11:04
Views: 11k

The servers originally had filebeat 6.2.4 installed across the board.

The newly added servers were installed with 6.3.2.

Filebeat logs are filtered through logstash and then handed to ES.

After configuring the 6.3.2 version, the data could not be delivered to ES. Checking the logstash log:

[2018-08-23T10:41:37,575][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2018.08.23", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x4b612c38>], :response=>{"index"=>{"_index"=>"logstash-2018.08.23", "_type"=>"doc", "_id"=>"Lq6oZGUBISsMvU8-oSV3", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [host]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:169"}}}}}
[2018-08-23T10:41:37,576][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2018.08.23", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x3581d7c4>], :response=>{"index"=>{"_index"=>"logstash-2018.08.23", "_type"=>"doc", "_id"=>"L66oZGUBISsMvU8-oSV3", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [host]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:1187"}}}}}
[2018-08-23T10:41:37,576][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2018.08.23", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x413474bf>], :response=>{"index"=>{"_index"=>"logstash-2018.08.23", "_type"=>"doc", "_id"=>"Mq6oZGUBISsMvU8-oSV4", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [host]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:690"}}}}}
[2018-08-23T10:41:37,577][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2018.08.23", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x2f3299e4>], :response=>{"index"=>{"_index"=>"logstash-2018.08.23", "_type"=>"doc", "_id"=>"M66oZGUBISsMvU8-oSV4", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [host]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:126"}}}}}

"reason"=>"failed to parse [host]" shows that the host field cannot be parsed. The only option was to have filebeat write its output to a file:

output.file:
  path: "/tmp/filebeat"
  filename: filebeat

Then compare the two outputs:

"version":"6.2.4"

{"@timestamp":"2018-08-23T02:34:30.957Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.2.4"},"source":"/var/log/maillog","offset":2093185,"message":"2018-08-23 10:34:30 postfix/cleanup[11289]: 41wpQW4fsgz5WhW0: milter-reject: END-OF-MESSAGE from vip.admin.net[18.24.24.109]: 4.7.1 Spam message rejected; from=\u003creputation@hahaha.com\u003e to=\u003cjacques_testg@abc.com\u003e proto=ESMTP helo=\u003cvip.admin.net\u003e","prospector":{"type":"log"},"beat":{"name":"smtp_02","hostname":"smtp_02","version":"6.2.4"}}

"version":"6.3.2"

{"@timestamp":"2018-08-23T02:05:10.172Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.3.2"},"message":"2018-08-23 10:05:04 postfix/smtp[27215]: 41wncZ3yslz9xBFm: from=\u003ca@test-cn.com\u003e, to=\u003ctest@test.com\u003e, relay=none, delay=419, delays=388/0.03/31/0, dsn=4.4.1, status=deferred (connect to test.com[19.24.31.13]:25: Connection timed out)","prospector":{"type":"log"},"input":{"type":"log"},"beat":{"hostname":"hkmail","version":"6.3.2","name":"mail_01"},"host":{"name":"mail_01"},"source":"/var/log/maillog","offset":2135359}

Sure enough, 6.3.2 adds an extra host field (an object) at the end. Its content is already present under beat, so it can be dropped in logstash:

filter {
    mutate{
        remove_field => "host"
    }
    ...
}

Tested again and everything worked. Read the changelog before using a new version!
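As an added example (not code from the post), the following Python script turns the diagnosis above into a pre-flight check: it flattens a Filebeat JSON event into dotted field paths with their JSON types and compares them against the types an existing index already holds, so a change such as `host` becoming an object in 6.3.2 is caught before Elasticsearch answers 400 mapper_parsing_exception. The two events are trimmed copies of the records shown above, the EXISTING_TYPES map is constructed, and it assumes the older pipeline had indexed `host` as a plain string. Besides the post's fix (dropping the field), it also shows a flattening alternative that keeps the hostname.

```python
"""Pre-flight field type check for Beats events before they reach Elasticsearch.

Added example, not code from the original post. Catches object-vs-scalar
mismatches such as Filebeat 6.3's `host` object landing in an index whose
`host` field is a string ("Can't get text on a START_OBJECT").
"""
import copy
from typing import Any, Dict, Tuple

# Constructed sample events: trimmed copies of the two records shown in the post.
OLD_EVENT: Dict[str, Any] = {
    "@timestamp": "2018-08-23T02:34:30.957Z",
    "@metadata": {"beat": "filebeat", "type": "doc", "version": "6.2.4"},
    "source": "/var/log/maillog",
    "offset": 2093185,
    "message": "2018-08-23 10:34:30 postfix/cleanup[11289]: milter-reject: ...",
    "prospector": {"type": "log"},
    "beat": {"name": "smtp_02", "hostname": "smtp_02", "version": "6.2.4"},
}

NEW_EVENT: Dict[str, Any] = {
    "@timestamp": "2018-08-23T02:05:10.172Z",
    "@metadata": {"beat": "filebeat", "type": "doc", "version": "6.3.2"},
    "message": "2018-08-23 10:05:04 postfix/smtp[27215]: status=deferred ...",
    "prospector": {"type": "log"},
    "input": {"type": "log"},
    "beat": {"hostname": "hkmail", "version": "6.3.2", "name": "mail_01"},
    "host": {"name": "mail_01"},  # new in 6.3: an object, not a string
    "source": "/var/log/maillog",
    "offset": 2135359,
}

# Constructed: field types the existing logstash-* index already holds.
# Assumption: the older pipeline had indexed `host` as a plain string.
EXISTING_TYPES: Dict[str, str] = {
    "host": "string",
    "message": "string",
    "source": "string",
    "offset": "number",
    "prospector": "object",
    "prospector.type": "string",
    "beat": "object",
    "beat.hostname": "string",
}


def json_type(value: Any) -> str:
    """Classify a decoded JSON value the way a mapper cares about it."""
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, (int, float)):
        return "number"
    if isinstance(value, str):
        return "string"
    if isinstance(value, dict):
        return "object"
    if isinstance(value, list):
        return "array"
    return "null"


def field_types(event: Dict[str, Any], prefix: str = "") -> Dict[str, str]:
    """Flatten an event into {dotted.path: type}; objects are recorded and recursed into."""
    out: Dict[str, str] = {}
    for key, value in event.items():
        path = prefix + key
        out[path] = json_type(value)
        if isinstance(value, dict):
            out.update(field_types(value, path + "."))
    return out


def mapping_conflicts(event: Dict[str, Any],
                      existing: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Paths where the event sends an object into a scalar field, or vice versa."""
    conflicts: Dict[str, Tuple[str, str]] = {}
    for path, new_type in field_types(event).items():
        old_type = existing.get(path)
        if old_type is not None and (old_type == "object") != (new_type == "object"):
            conflicts[path] = (old_type, new_type)
    return conflicts


def drop_field(event: Dict[str, Any], name: str) -> Dict[str, Any]:
    """Equivalent of the post's Logstash `mutate { remove_field => "host" }`."""
    fixed = copy.deepcopy(event)
    fixed.pop(name, None)
    return fixed


def flatten_host(event: Dict[str, Any]) -> Dict[str, Any]:
    """Alternative that keeps the hostname: collapse {"host": {"name": X}} to "host": X."""
    fixed = copy.deepcopy(event)
    host = fixed.get("host")
    if isinstance(host, dict) and isinstance(host.get("name"), str):
        fixed["host"] = host["name"]
    return fixed


if __name__ == "__main__":
    for label, ev in (("6.2.4", OLD_EVENT), ("6.3.2", NEW_EVENT)):
        print(label, "conflicts:", mapping_conflicts(ev, EXISTING_TYPES))
    print("after remove_field:", mapping_conflicts(drop_field(NEW_EVENT, "host"), EXISTING_TYPES))
    print("after flatten:", mapping_conflicts(flatten_host(NEW_EVENT), EXISTING_TYPES))
```

Running it reports `{'host': ('string', 'object')}` for the 6.3.2 event and nothing for 6.2.4, and both repair functions bring the conflict list back to empty. In practice the EXISTING_TYPES map would be derived from the index's real mapping, and the check would run on the file output of a new Beat version before that version is pointed at the shared pipeline.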
