Title
整体架构:filebeat-》logstash-》elasticsearch-》kibana,logstash的配置生成索引
现象:2台应用服务器【filebeat版本不一样】,1台logstash+es+kibana,kibana上没有其中一台的日志索引
logstash报错:
[logstash.outputs.elasticsearch][main]..........."failed to parse field[host] of type [text] in document with 'bQV9sXUBFKchuFQTGB1a',Preview of field's value:'xxx'", "cau
sed by"=>{"type}=>"illegal_state_exception",“reason"=>"Can't get text on a START_OBJECT at 1:222"
调试:从源头开始查,(怀疑是filebeat版本问题)
1.更改filebeat的配置,将搜集到的数据输出到文件
output.file: path: "/tmp/filebeat" filename: filebeat
最后查看对比
"version":"6.2.4"
{"@timestamp":"2018-08-23T02:34:30.957Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.2.4"},"source":"/var/log/maillog","offset":2093185,"message":"2018-08-2
3 10:34:30 postfix/cleanup[11289]: 41wpQW4fsgz5WhW0: milter-reject: END-OF-MESSAGE from vip.admin.net[18.24.24.109]: 4.7.1 Spam message rejected; from=u003creputation@h
ahaha.comu003e to=u003cjacques_testg@abc.comu003e proto=ESMTP helo=u003cvip.admin.netu003e","prospector":{"type":"log"},"beat":{"name":"smtp_02","hostname":"smtp_02
","version":"6.2.4"}}
"version":"6.3.2"
{"@timestamp":"2018-08-23T02:05:10.172Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.3.2"},"message":"2018-08-23 10:05:04 postfix/smtp[27215]: 41wncZ3yslz9x
BFm: from=u003ca@test-cn.comu003e, to=u003ctest@test.comu003e, relay=none, delay=419, delays=388/0.03/31/0, dsn=4.4.1, status=deferred (connect to test.com[19.24.31.
13]:25 : Connection timed out)","prospector":{"type":"log"},"input":{"type":"log"},"beat":{"hostname":"hkmail","version":"6.3.2","name":"mail_01"},"host":{"name":"mail_01
"},"source":"/var/log/maillog","offset":2135359}
果然是6.3.2后面多了一个 host 字段,看了下这个字段内容在beat 里面已经有了,可以在logstash中丢掉。解决
filter {
mutate{
remove_field => "host"
}
...
}