OS X: logstash 工作了一段时间然后停止 "Logstash shutdown completed" msg((
OS X: logstash works for a while and then stops with "Logstash shutdown completed" msg((
在我升级到 logstash 1.5.0 之后,这个程序出现了奇怪的行为。
每当我用下一个命令运行它时:
$ logstash agent -f /usr/local/etc/logstash/conf.d/logstash.conf
它工作了一段时间,然后停止说 "Logstash shutdown completed"。
示例:
.....
......
"@version" => "1",
"@timestamp" => "2015-06-20T21:04:09.087Z",
"type" => "SuricataIDPS",
"host" => "drew-sh.server",
"path" => "/var/log/suricata/eve.json",
"geoip" => {
"ip" => "209.52.144.104",
"country_code2" => "CA",
"country_code3" => "CAN",
"country_name" => "Canada",
"continent_code" => "NA",
"region_name" => "BC",
"city_name" => "Vancouver",
"latitude" => 49.25,
"longitude" => -123.13329999999999,
"timezone" => "America/Vancouver",
"real_region_name" => "British Columbia",
"location" => [
[0] -123.13329999999999,
[1] 49.25
],
"coordinates" => [
[0] -123.13329999999999,
[1] 49.25
]
}
}
Logstash shutdown completed
即使在完全重新安装之后:
$ brew rm logstash
$ brew install logstash
我遇到了同样的问题 (((
这是我的 /usr/local/etc/logstash/conf.d/logstash.conf:
input {
file {
path => ["/var/log/suricata/eve.json"]
sincedb_path => ["/var/lib/logstash/"]
codec => json
type => "SuricataIDPS"
start_position => "beginning"
}
}
filter {
if [type] == "SuricataIDPS" {
date {
match => [ "timestamp", "ISO8601" ]
}
ruby {
code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
}
}
if [src_ip] {
geoip {
source => "src_ip"
target => "geoip"
#database => "/usr/local/opt/logstash/libexec/vendor/geoip/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
if ![geoip.ip] {
if [dest_ip] {
geoip {
source => "dest_ip"
target => "geoip"
#database => "/usr/local/opt/logstash/libexec/vendor/geoip/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
}
}
}
}
output {
elasticsearch {
host => localhost
protocol => http
}
stdout {
codec => rubydebug
}
}
为什么?我做错了什么?
没关系 - 我已经更新了 logstash,现在它工作正常
在我升级到 logstash 1.5.0 之后,这个程序出现了奇怪的行为。 每当我用下一个命令运行它时:
$ logstash agent -f /usr/local/etc/logstash/conf.d/logstash.conf
它工作了一段时间,然后停止说 "Logstash shutdown completed"。
示例:
.....
......
"@version" => "1",
"@timestamp" => "2015-06-20T21:04:09.087Z",
"type" => "SuricataIDPS",
"host" => "drew-sh.server",
"path" => "/var/log/suricata/eve.json",
"geoip" => {
"ip" => "209.52.144.104",
"country_code2" => "CA",
"country_code3" => "CAN",
"country_name" => "Canada",
"continent_code" => "NA",
"region_name" => "BC",
"city_name" => "Vancouver",
"latitude" => 49.25,
"longitude" => -123.13329999999999,
"timezone" => "America/Vancouver",
"real_region_name" => "British Columbia",
"location" => [
[0] -123.13329999999999,
[1] 49.25
],
"coordinates" => [
[0] -123.13329999999999,
[1] 49.25
]
}
}
Logstash shutdown completed
即使在完全重新安装之后:
$ brew rm logstash
$ brew install logstash
我遇到了同样的问题 (((
这是我的 /usr/local/etc/logstash/conf.d/logstash.conf:
input {
file {
path => ["/var/log/suricata/eve.json"]
sincedb_path => ["/var/lib/logstash/"]
codec => json
type => "SuricataIDPS"
start_position => "beginning"
}
}
filter {
if [type] == "SuricataIDPS" {
date {
match => [ "timestamp", "ISO8601" ]
}
ruby {
code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
}
}
if [src_ip] {
geoip {
source => "src_ip"
target => "geoip"
#database => "/usr/local/opt/logstash/libexec/vendor/geoip/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
if ![geoip.ip] {
if [dest_ip] {
geoip {
source => "dest_ip"
target => "geoip"
#database => "/usr/local/opt/logstash/libexec/vendor/geoip/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
}
}
}
}
output {
elasticsearch {
host => localhost
protocol => http
}
stdout {
codec => rubydebug
}
}
为什么?我做错了什么?
没关系 - 我已经更新了 logstash,现在它工作正常