Using milestone 2 input plugin 'file'?

Posted: 2014-05-26 11:41:44

Question:

I am using Logstash to read a log file. Here are the files:

Config file:

input {
  file {
    path => "/home/cdot/Desktop/auth_log"
    start_position => beginning
  }
}

filter {
  grok {
    match => ["message", "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:server-name} %{WORD:action}: %{WORD:machine}(%{GREEDYDATA:command}):%{GREEDYDATA:logline}"]
  }
}

output {
  elasticsearch { host => localhost }
  stdout { codec => rubydebug }
}
Output:

Using milestone 2 input plugin 'file'. This plugin should be stable, but if you see strange behavior, please let us know! For more information on plugin milestones, see http://logstash.net/docs/1.4.1/plugin-milestones :level=>:warn

I am not getting any output. My log file has lines of the following form:

2014-05-09T04:02:08+05:30 bx920as1 runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
2014-05-26T04:02:09+05:30 bx920as1 runuser: pam_unix(runuser-l:session): session closed for user cyrus

Please help.

Edit:

After adding the lines

start_position => beginning
    sincedb_path => "/dev/null"

to the input, I get the following output:

{
       "message" => "2014-05-26T04:02:09+05:30 bx920as1 runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)",
      "@version" => "1",
    "@timestamp" => "2014-05-27T03:59:26.773Z",
          "host" => "cdot-HP-Pro-3330-MT",
          "path" => "/home/cdot/Desktop/auth_log",
       "logline" => " session opened for user cyrus by (uid=0)"
}
{
       "message" => "2014-05-26T04:02:09+05:30 bx920as1 runuser: pam_unix(runuser-l:session): session closed for user cyrus",
      "@version" => "1",
    "@timestamp" => "2014-05-27T03:59:26.774Z",
          "host" => "cdot-HP-Pro-3330-MT",
          "path" => "/home/cdot/Desktop/auth_log",
       "logline" => " session closed for user cyrus"
}
{
       "message" => "",
      "@version" => "1",
    "@timestamp" => "2014-05-27T03:59:26.774Z",
          "host" => "cdot-HP-Pro-3330-MT",
          "path" => "/home/cdot/Desktop/auth_log",
          "tags" => [
        [0] "_grokparsefailure"
    ]
}

So only logline is captured; the remaining fields are not matched. Any ideas?


Answer 1:

The Logstash file input keeps track of the current position in the monitored log file and saves that position to the sincedb, whose default path is your home directory. Please refer here.

So start_position => beginning only takes effect the first time you start monitoring the file. After that, logstash starts from the position saved in the sincedb.

So, if you always want to read the log from the first line, add this setting to your input file block:

sincedb_path => "/dev/null"

or

delete all the .sincedb files in your home directory. You can also write log entries into the monitored log file after starting logstash.


Answer 2:

Solved: the problem was that the expressions for the other identifiers were wrong (so they were not shown), while the logline expression was correct (so it was shown).

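As an added example, not part of the original question or either answer: the grok match from the question rewritten as an equivalent Python regular expression with named groups, so a pattern can be checked offline against sample lines before it goes into the Logstash config. The regexes for TIMESTAMP_ISO8601, HOSTNAME, WORD and GREEDYDATA are hand-written simplifications of the stock grok patterns, not Logstash's own definitions; the field server-name is spelled server_name because Python group names cannot contain a hyphen; and the sample input is constructed from the two lines in the question plus a blank line, which reproduces the third event tagged _grokparsefailure in the rubydebug output above.

```python
import re

# Simplified regex equivalents of the grok patterns used in the question.
# These are hand-written approximations, not the stock Logstash definitions.
TIMESTAMP_ISO8601 = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?"
HOSTNAME = r"[0-9A-Za-z][0-9A-Za-z.-]*"
WORD = r"\w+"
GREEDYDATA = r".*"

# Same field layout as the question's grok match, as Python named groups.
# "server-name" becomes "server_name": Python group names cannot contain "-".
# "command" is matched lazily so it stops at the first "):" like the original
# "(%{GREEDYDATA:command}):" fragment intends.
AUTH_LINE = re.compile(
    rf"^(?P<timestamp>{TIMESTAMP_ISO8601}) "
    rf"(?P<server_name>{HOSTNAME}) "
    rf"(?P<action>{WORD}): "
    rf"(?P<machine>{WORD})\((?P<command>{GREEDYDATA}?)\):"
    rf"(?P<logline>{GREEDYDATA})$"
)


def grok_line(line: str) -> dict:
    """Build the event dict a grok filter would produce for one line.

    A line that does not match (including the empty line the file input
    emits for a trailing newline) keeps only "message" and is tagged
    _grokparsefailure, as in the rubydebug output in the question.
    """
    event = {"message": line}
    match = AUTH_LINE.match(line)
    if match is None:
        event["tags"] = ["_grokparsefailure"]
        return event
    event.update(match.groupdict())
    return event


def grok_file(text: str) -> list:
    """Run grok_line over every line of a log file's contents."""
    return [grok_line(line) for line in text.splitlines()]


def parse_failures(events: list) -> list:
    """Return the raw messages of events that grok could not parse."""
    return [e["message"] for e in events if "_grokparsefailure" in e.get("tags", [])]


# Constructed sample input: the two lines from the question plus a blank line.
SAMPLE_LOG = (
    "2014-05-09T04:02:08+05:30 bx920as1 runuser: pam_unix(runuser-l:session): "
    "session opened for user cyrus by (uid=0)\n"
    "2014-05-26T04:02:09+05:30 bx920as1 runuser: pam_unix(runuser-l:session): "
    "session closed for user cyrus\n"
    "\n"
)

if __name__ == "__main__":
    for event in grok_file(SAMPLE_LOG):
        print(event)
    print("unparsed:", parse_failures(grok_file(SAMPLE_LOG)))
```

Running the script prints one dict per line; the first two carry timestamp, server_name, action, machine, command and logline, and the blank line comes back with only message and the _grokparsefailure tag. Adding a `drop` filter (or the `skip_empty_lines` behaviour of a later Logstash) for empty messages is the usual way to keep that third event out of Elasticsearch.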