在其中添加过滤器块时 Logstash 管道失败
Logstash pipeline is failing when adding filter block in it
我正在创建 logstash 管道,我将日志文件作为输入并在 elasticsearch 上读取这些日志。我想在我的 logstash 管道配置中添加 geoip 过滤器,但是当我添加时它失败并正在关闭。
这是一个错误:
[2022-03-17T12:41:05,243][WARN ][logstash.outputs.elasticsearch][main]
Elasticsearch Output configured with `ecs_compatibility => v8`, which
resolved to an UNRELEASED preview of version 8.0.0 of the Elastic Common
Schema. Once ECS v8 and an updated release of this plugin are publicly
available, you will need to update this plugin to resolve this warning.
[2022-03-17T12:41:05,293][ERROR][logstash.javapipeline ][main]
Pipeline error {:pipeline_id=>"main", :exception=>#
<LogStash::ConfigurationError: GeoIP Filter in ECS-Compatiblity mode
requires a `target` when `source` is not an `ip` sub-field, eg. [client]
[ip]>, :backtrace=>["D:/logstash-
8.1.0/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-
java/lib/logstash/filters/geoip.rb:143:in `auto_target_from_source!'",
"D:/logstash-8.1.0/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-
7.2.11-java/lib/logstash/filters/geoip.rb:133:in `setup_target_field'",
"D:/logstash-8.1.0/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-
7.2.11-java/lib/logstash/filters/geoip.rb:108:in `register'",
"org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:75:in
`register'", "D:/logstash-8.1.0/logstash-
core/lib/logstash/java_pipeline.rb:232:in `block in register_plugins'",
"org/jruby/RubyArray.java:1821:in `each'", "D:/logstash-8.1.0/logstash-
core/lib/logstash/java_pipeline.rb:231:in `register_plugins'",
"D:/logstash-8.1.0/logstash-core/lib/logstash/java_pipeline.rb:590:in
`maybe_setup_out_plugins'", "D:/logstash-8.1.0/logstash-
core/lib/logstash/java_pipeline.rb:244:in `start_workers'",
"D:/logstash-
8.1.0/logstash-core/lib/logstash/java_pipeline.rb:189:in `run'",
"D:/logstash-8.1.0/logstash-core/lib/logstash/java_pipeline.rb:141:in `block in start'"], "pipeline.sources"=>["D:/logstash-8.1.0/my-logstash.conf"], :thread=>"#<Thread:0x6ea94258 run>"}
[2022-03-17T12:41:05,314][INFO ][logstash.javapipeline ][main] Pipeline terminated {"pipeline.id"=>"main"}
[2022-03-17T12:41:05,357][INFO ][logstash.outputs.elasticsearch][main] Using a default mapping template {:es_version=>8, :ecs_compatibility=>:v8}
[2022-03-17T12:41:05,390][ERROR][logstash.agent ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<main>, action_result: false", :backtrace=>nil}
[2022-03-17T12:41:05,499][DEBUG][logstash.instrument.periodicpoller.os] Stopping
[2022-03-17T12:41:05,523][DEBUG][logstash.instrument.periodicpoller.jvm] Stopping
[2022-03-17T12:41:05,525][DEBUG][logstash.instrument.periodicpoller.persistentqueue] Stopping
[2022-03-17T12:41:05,532][DEBUG]
[logstash.instrument.periodicpoller.deadletterqueue] Stopping
[2022-03-17T12:41:05,556][DEBUG][logstash.agent ] Shutting
down all pipelines {:pipelines_count=>0}
当我在没有过滤器的情况下使用以下配置时,它工作正常:
input {
file {
path => "D:/nest/es-logging-example/log/info/*.log"
start_position => beginning
sincedb_path => "NULL"
}
}
output {
elasticsearch {
hosts => "localhost:9200"
index => "myapplogs"
}
stdout{}
}
但是在配置文件中添加过滤器时失败并关闭:
input {
file {
path => "D:/nest/es-logging-example/log/info/*.log"
start_position => beginning
sincedb_path => "NULL"
}
}
filter {
geoip {
source => "clientip"
}
}
output {
elasticsearch {
hosts => "localhost:9200"
index => "myapplogs"
}
stdout{}
}
我在第二个配置中做错了什么?
报错是这样的
GeoIP Filter in ECS-Compatiblity mode requires a target when source is not an ip sub-field. You're simply missing an explicit target field
因此您的过滤器应如下所示:
filter {
geoip {
source => "clientip"
target => "clientgeo"
}
}
我正在创建 logstash 管道,我将日志文件作为输入并在 elasticsearch 上读取这些日志。我想在我的 logstash 管道配置中添加 geoip 过滤器,但是当我添加时它失败并正在关闭。
这是一个错误:
[2022-03-17T12:41:05,243][WARN ][logstash.outputs.elasticsearch][main]
Elasticsearch Output configured with `ecs_compatibility => v8`, which
resolved to an UNRELEASED preview of version 8.0.0 of the Elastic Common
Schema. Once ECS v8 and an updated release of this plugin are publicly
available, you will need to update this plugin to resolve this warning.
[2022-03-17T12:41:05,293][ERROR][logstash.javapipeline ][main]
Pipeline error {:pipeline_id=>"main", :exception=>#
<LogStash::ConfigurationError: GeoIP Filter in ECS-Compatiblity mode
requires a `target` when `source` is not an `ip` sub-field, eg. [client]
[ip]>, :backtrace=>["D:/logstash-
8.1.0/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-
java/lib/logstash/filters/geoip.rb:143:in `auto_target_from_source!'",
"D:/logstash-8.1.0/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-
7.2.11-java/lib/logstash/filters/geoip.rb:133:in `setup_target_field'",
"D:/logstash-8.1.0/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-
7.2.11-java/lib/logstash/filters/geoip.rb:108:in `register'",
"org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:75:in
`register'", "D:/logstash-8.1.0/logstash-
core/lib/logstash/java_pipeline.rb:232:in `block in register_plugins'",
"org/jruby/RubyArray.java:1821:in `each'", "D:/logstash-8.1.0/logstash-
core/lib/logstash/java_pipeline.rb:231:in `register_plugins'",
"D:/logstash-8.1.0/logstash-core/lib/logstash/java_pipeline.rb:590:in
`maybe_setup_out_plugins'", "D:/logstash-8.1.0/logstash-
core/lib/logstash/java_pipeline.rb:244:in `start_workers'",
"D:/logstash-
8.1.0/logstash-core/lib/logstash/java_pipeline.rb:189:in `run'",
"D:/logstash-8.1.0/logstash-core/lib/logstash/java_pipeline.rb:141:in `block in start'"], "pipeline.sources"=>["D:/logstash-8.1.0/my-logstash.conf"], :thread=>"#<Thread:0x6ea94258 run>"}
[2022-03-17T12:41:05,314][INFO ][logstash.javapipeline ][main] Pipeline terminated {"pipeline.id"=>"main"}
[2022-03-17T12:41:05,357][INFO ][logstash.outputs.elasticsearch][main] Using a default mapping template {:es_version=>8, :ecs_compatibility=>:v8}
[2022-03-17T12:41:05,390][ERROR][logstash.agent ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<main>, action_result: false", :backtrace=>nil}
[2022-03-17T12:41:05,499][DEBUG][logstash.instrument.periodicpoller.os] Stopping
[2022-03-17T12:41:05,523][DEBUG][logstash.instrument.periodicpoller.jvm] Stopping
[2022-03-17T12:41:05,525][DEBUG][logstash.instrument.periodicpoller.persistentqueue] Stopping
[2022-03-17T12:41:05,532][DEBUG]
[logstash.instrument.periodicpoller.deadletterqueue] Stopping
[2022-03-17T12:41:05,556][DEBUG][logstash.agent ] Shutting
down all pipelines {:pipelines_count=>0}
当我在没有过滤器的情况下使用以下配置时,它工作正常:
input {
file {
path => "D:/nest/es-logging-example/log/info/*.log"
start_position => beginning
sincedb_path => "NULL"
}
}
output {
elasticsearch {
hosts => "localhost:9200"
index => "myapplogs"
}
stdout{}
}
但是在配置文件中添加过滤器时失败并关闭:
input {
file {
path => "D:/nest/es-logging-example/log/info/*.log"
start_position => beginning
sincedb_path => "NULL"
}
}
filter {
geoip {
source => "clientip"
}
}
output {
elasticsearch {
hosts => "localhost:9200"
index => "myapplogs"
}
stdout{}
}
我在第二个配置中做错了什么?
报错是这样的
GeoIP Filter in ECS-Compatiblity mode requires a
targetwhensourceis not anipsub-field. You're simply missing an explicittargetfield
因此您的过滤器应如下所示:
filter {
geoip {
source => "clientip"
target => "clientgeo"
}
}