-2
後我升級到1.5.0 logstash獲得此程序的怪異行爲 每當我下一個命令運行它。OS X:一會兒logstash工作,然後用「Logstash關機完成」停止味精((
$ logstash agent -f /usr/local/etc/logstash/conf.d/logstash.conf
它適用於一段時間,然後停止說"Logstash shutdown completed"
例:
.....
......
"@version" => "1",
"@timestamp" => "2015-06-20T21:04:09.087Z",
"type" => "SuricataIDPS",
"host" => "drew-sh.server",
"path" => "/var/log/suricata/eve.json",
"geoip" => {
"ip" => "209.52.144.104",
"country_code2" => "CA",
"country_code3" => "CAN",
"country_name" => "Canada",
"continent_code" => "NA",
"region_name" => "BC",
"city_name" => "Vancouver",
"latitude" => 49.25,
"longitude" => -123.13329999999999,
"timezone" => "America/Vancouver",
"real_region_name" => "British Columbia",
"location" => [
[0] -123.13329999999999,
[1] 49.25
],
"coordinates" => [
[0] -123.13329999999999,
[1] 49.25
]
}
}
Logstash shutdown completed
完全重新安裝後也:
$ brew rm logstash
$ brew install logstash
我有同樣的問題(((
這裏是我的/usr/local/etc/logstash/conf.d/logstash.conf:
input {
file {
path => ["/var/log/suricata/eve.json"]
sincedb_path => ["/var/lib/logstash/"]
codec => json
type => "SuricataIDPS"
start_position => "beginning"
}
}
filter {
if [type] == "SuricataIDPS" {
date {
match => [ "timestamp", "ISO8601" ]
}
ruby {
code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
}
}
if [src_ip] {
geoip {
source => "src_ip"
target => "geoip"
#database => "/usr/local/opt/logstash/libexec/vendor/geoip/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
if ![geoip.ip] {
if [dest_ip] {
geoip {
source => "dest_ip"
target => "geoip"
#database => "/usr/local/opt/logstash/libexec/vendor/geoip/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
}
}
}
}
output {
elasticsearch {
host => localhost
protocol => http
}
stdout {
codec => rubydebug
}
}
爲什麼?我究竟做錯了什麼?