Why does the logstash multiline filter not match the logs?


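I'm using beaver to ship logs to logstash. The logs are multiline in nature, so I'm using the multiline filter, but somehow the filter does not match the logs. There are no errors in the logstash output. Here is what I see in logstash: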

{"@source":"udp://10.238.161.213:36655/","@tags":[],"@fields":{},"@timestamp":"2013-09-23T16:37:56.653Z","@source_host":"10.238.161.213","@source_path":"/","@message":"{\"@source\": \"file://app1.example.org/ebs/app.log\", \"@source_host\": \"app1.example.org\", \"@message\": \"        This is line3\", \"@tags\": [], \"@fields\": {}, \"@timestamp\": \"2013-09-23T16:38:18.150822Z\", \"@source_path\": \"/ebs/app.log\", \"@type\": \"file\"}","@type":"app"}

Sample log lines:

This is a log line
    This is line2
    This is line3

Logstash configuration:

input {
  udp {
    type => "app"
    port => 9996
  }
}
filter {
  multiline {
    type => "app"
    pattern => "^\s"
    what => "previous"
  }
}
output {
  elasticsearch { host => "127.0.0.1" }
}

Beaver runs on the remote application host and is invoked like this:

/usr/bin/python /usr/bin/beaver -D -P /var/lock/beaver.pid -c /etc/beaver/conf -t udp -p /ebs/

/etc/beaver looks like this:

[beaver]
udp_host: logstash.example.org
udp_port: 9996

Any thoughts on why the multiline filter is not matching the logs?
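
An added diagnostic, not part of the original post and not code from Logstash or Beaver: it applies the config's `^\s` pattern to the event shown above, first to the outer `@message` and then to the `@message` nested inside it. It assumes the multiline filter tests its pattern against the `@message` field of the event as the udp input received it; `diagnose` is a hypothetical helper name.

```python
import json
import re

# Event copied from the Logstash output in the question. The outer "@message"
# is itself a JSON document (the event as Beaver serialized it).
EVENT = r'''{"@source":"udp://10.238.161.213:36655/","@tags":[],"@fields":{},"@timestamp":"2013-09-23T16:37:56.653Z","@source_host":"10.238.161.213","@source_path":"/","@message":"{\"@source\": \"file://app1.example.org/ebs/app.log\", \"@source_host\": \"app1.example.org\", \"@message\": \"        This is line3\", \"@tags\": [], \"@fields\": {}, \"@timestamp\": \"2013-09-23T16:38:18.150822Z\", \"@source_path\": \"/ebs/app.log\", \"@type\": \"file\"}","@type":"app"}'''

# Same pattern as the multiline filter in the question's config.
PATTERN = re.compile(r"^\s")


def diagnose(event_json):
    """Report whether PATTERN matches the outer @message and, when that
    field wraps another JSON event, the inner @message."""
    outer_msg = json.loads(event_json)["@message"]
    report = {
        "wrapped": False,
        "outer_matches": PATTERN.search(outer_msg) is not None,
        "inner_message": None,
        "inner_matches": None,
    }
    try:
        inner = json.loads(outer_msg)
    except ValueError:
        return report  # plain text line, nothing to unwrap
    if isinstance(inner, dict) and isinstance(inner.get("@message"), str):
        report["wrapped"] = True
        report["inner_message"] = inner["@message"]
        report["inner_matches"] = PATTERN.search(inner["@message"]) is not None
    return report


if __name__ == "__main__":
    for key, value in diagnose(EVENT).items():
        print(f"{key}: {value!r}")
```

For the event in the question, the outer `@message` begins with `{`, so `^\s` does not match it, while the nested `@message` begins with whitespace and does.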
