我的logstash版本是:
# /opt/logstash/bin/logstash --version
logstash 2.2.4
它被配置为根据filebeat文件从端口5044接收输入:
/etc/logstash/conf.d/02-beats-input.conf
input {
beats {
port => 5044
ssl => false
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
我已经将ssl设置为false,因为我没有使用它
但当我用systemctl正常启动logstash服务时,它会启动并检查状态,确认它正在运行
systemctl status logstash
● logstash.service - LSB: Starts Logstash as a daemon.
Loaded: loaded (/etc/rc.d/init.d/logstash)
Active: active (exited) since Mon 2016-07-18 19:14:51 BST; 15h ago
Docs: man:systemd-sysv-generator(8)
Process: 19965 ExecStop=/etc/rc.d/init.d/logstash stop (code=exited, status=0/SUCCESS)
Process: 19970 ExecStart=/etc/rc.d/init.d/logstash start (code=exited, status=0/SUCCESS)
...
logstash started
问题是logstash似乎没有在端口5044上接收输入。发送文件节拍的主机遭遇:
single.go:126: INFO Connecting error publishing events (retrying): dial tcp 192.72.0.92:5044: getsockopt: connection refused
当我检查端口时
# netstat -an | grep 5044
我一无所获。因此,即使logstash正在运行,我也无法判断它绑定到哪个端口并在侦听。
此外,防火墙会暂时停止以对此进行调查。
奇怪的是,我运行的logstash是这样的调试模式:
# ./logstash --debug -f /etc/logstash/conf.d/02-beats-input.conf
我能看到
# netstat -an | grep 5044
tcp6 0 0 :::5044 :::* LISTEN
tcp6 0 0 192.72.0.92:5044 192.168.36.70:53720 ESTABLISHED
tcp6 0 0 192.72.0.92:5044 192.72.0.90:45980 ESTABLISHED
tcp6 0 0 192.72.0.92:5044 192.72.0.90:45975 ESTABLISHED
tcp6 0 0 192.72.0.92:5044 192.72.0.90:45976 ESTABLISHED
或
# lsof -i :5044
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 15136 root 7u IPv6 7191510 0t0 TCP *:lxi-evntsvc (LISTEN)
java 15136 root 33u IPv6 7192379 0t0 TCP hostname:lxi-evntsvc->192.72.0.90:45975 (ESTABLISHED)
发送文件节拍的主机可以连接
output.go:87: DBG output worker: publish 7 events
2016/07/19 10:02:08.017890 client.go:146: DBG Try to publish 7 events to logstash with window size 10
2016/07/19 10:02:08.038579 client.go:124: DBG 7 events out of 7 events sent to logstash. Continue sending ...
2016/07/19 10:02:08.038615 single.go:135: DBG send completed
请帮忙指出我可能在这个配置上做错了什么。感谢
基于@LiGhTx117 提供的hing
我认为
logstash在中使用的启动脚本
/etc/init.d/logstash
具有以下变量:
LS_USER=logstash
LS_GROUP=logstash
LS_HOME=/var/lib/logstash
LS_LOG_DIR=/var/log/logstash
LS_LOG_FILE="${LS_LOG_DIR}/$name.log"
LS_CONF_DIR=/etc/logstash/conf.d
所有权和许可权似乎是问题所在。
我确保目录可以递归访问用户logstash以及组logstash
和
然后,我还确保log_file:logstash.log可由用户/组logstash
重新启动logstash