A pitfall with mismatched Logstash and Filebeat versions

The Filebeat originally installed across our servers was 6.2.4.

The newly provisioned servers got 6.3.2.

Filebeat ships its logs to Logstash, which filters them and hands them on to ES.

After the 6.3.2 hosts were configured, their data never reached ES. The Logstash log showed:

[2018-08-23T10:41:37,575][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2018.08.23", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x4b612c38>], :response=>{"index"=>{"_index"=>"logstash-2018.08.23", "_type"=>"doc", "_id"=>"Lq6oZGUBISsMvU8-oSV3", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [host]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:169"}}}}}
[2018-08-23T10:41:37,576][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2018.08.23", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x3581d7c4>], :response=>{"index"=>{"_index"=>"logstash-2018.08.23", "_type"=>"doc", "_id"=>"L66oZGUBISsMvU8-oSV3", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [host]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:1187"}}}}}
[2018-08-23T10:41:37,576][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2018.08.23", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x413474bf>], :response=>{"index"=>{"_index"=>"logstash-2018.08.23", "_type"=>"doc", "_id"=>"Mq6oZGUBISsMvU8-oSV4", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [host]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:690"}}}}}
[2018-08-23T10:41:37,577][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2018.08.23", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x2f3299e4>], :response=>{"index"=>{"_index"=>"logstash-2018.08.23", "_type"=>"doc", "_id"=>"M66oZGUBISsMvU8-oSV4", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [host]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:126"}}}}}

"reason"=>"failed to parse [host]" says the host field cannot be parsed, and "Can't get text on a START_OBJECT" says ES expected a string value there but received a JSON object. To see exactly what each Filebeat version sends, the only option was to write the Filebeat output to a file:

output.file:
  path: "/tmp/filebeat"
  filename: filebeat

Then compare the two outputs:

"version":"6.2.4"

{"@timestamp":"2018-08-23T02:34:30.957Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.2.4"},"source":"/var/log/maillog","offset":2093185,"message":"2018-08-23 10:34:30 postfix/cleanup[11289]: 41wpQW4fsgz5WhW0: milter-reject: END-OF-MESSAGE from vip.admin.net[18.24.24.109]: 4.7.1 Spam message rejected; from=\u003creputation@hahaha.com\u003e to=\u003cjacques_testg@abc.com\u003e proto=ESMTP helo=\u003cvip.admin.net\u003e","prospector":{"type":"log"},"beat":{"name":"smtp_02","hostname":"smtp_02","version":"6.2.4"}}

"version":"6.3.2"

{"@timestamp":"2018-08-23T02:05:10.172Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.3.2"},"message":"2018-08-23 10:05:04 postfix/smtp[27215]: 41wncZ3yslz9xBFm: from=\u003ca@test-cn.com\u003e, to=\u003ctest@test.com\u003e, relay=none, delay=419, delays=388/0.03/31/0, dsn=4.4.1, status=deferred (connect to test.com[19.24.31.13]:25: Connection timed out)","prospector":{"type":"log"},"input":{"type":"log"},"beat":{"hostname":"hkmail","version":"6.3.2","name":"mail_01"},"host":{"name":"mail_01"},"source":"/var/log/maillog","offset":2135359}

Sure enough, 6.3.2 adds a new top-level host field, and it is an object ({"name":"mail_01"}) rather than a string. The index already had host mapped as a string field from the events the 6.2.4 hosts had been sending, and an object cannot be written into a string field, hence the mapper_parsing_exception. The same information is already present in beat.hostname and beat.name, so the source-host attribution needed for investigations is not lost if the new field is simply dropped in Logstash (renaming [host][name] to host in the same mutate filter is the other common way out):

filter {
    mutate{
        remove_field => "host"
    }
    ...
}
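The following Python script is an added example, not code from the original post: it reproduces the check a practitioner would want to run on the Filebeat file output before pointing a new Beat version at an existing index. It classifies the top-level host field of each newline-delimited JSON event (absent, string, object), so mixed kinds in one index stand out, and it applies both fixes in plain Python: "drop", which mirrors the post's remove_field, and "flatten", which mirrors the alternative rename of [host][name] to host. The two sample events are constructed from the field layouts shown above with shortened messages; the function names and the "flatten"/"drop" mode names are this example's own.

```python
import json
from collections import Counter

# Constructed fixtures modelled on the two Filebeat output lines in the post
# (messages shortened; only the field layout matters). Not captured production data.
EVENT_6_2_4 = {
    "@timestamp": "2018-08-23T02:34:30.957Z",
    "@metadata": {"beat": "filebeat", "type": "doc", "version": "6.2.4"},
    "source": "/var/log/maillog",
    "offset": 2093185,
    "message": "2018-08-23 10:34:30 postfix/cleanup[11289]: milter-reject: ...",
    "prospector": {"type": "log"},
    "beat": {"name": "smtp_02", "hostname": "smtp_02", "version": "6.2.4"},
}

EVENT_6_3_2 = {
    "@timestamp": "2018-08-23T02:05:10.172Z",
    "@metadata": {"beat": "filebeat", "type": "doc", "version": "6.3.2"},
    "message": "2018-08-23 10:05:04 postfix/smtp[27215]: status=deferred ...",
    "prospector": {"type": "log"},
    "input": {"type": "log"},
    "beat": {"hostname": "hkmail", "version": "6.3.2", "name": "mail_01"},
    "host": {"name": "mail_01"},  # the object field that 6.3.x introduced
    "source": "/var/log/maillog",
    "offset": 2135359,
}

# Newline-delimited JSON, the shape Filebeat's output.file writes.
SAMPLE_LINES = [json.dumps(EVENT_6_2_4), json.dumps(EVENT_6_3_2)]


def host_kind(event):
    """Classify the top-level ``host`` field: 'absent', 'string', 'object' or 'other'.

    ES rejects an object here once the index mapping has ``host`` as a string
    field (the "Can't get text on a START_OBJECT" error in the post), so more
    than one kind across a single index is the condition to catch.
    """
    if "host" not in event:
        return "absent"
    value = event["host"]
    if isinstance(value, str):
        return "string"
    if isinstance(value, dict):
        return "object"
    return "other"


def normalize_host(event, mode="flatten"):
    """Return a copy of ``event`` whose ``host`` is a plain string or removed.

    mode="flatten": replace a ``host`` object with its ``name`` (falling back to
        ``beat.hostname``), like ``mutate { rename => { "[host][name]" => "host" } }``.
    mode="drop": delete ``host`` entirely, like the post's ``remove_field => "host"``;
        attribution then survives only in ``beat.hostname`` / ``beat.name``.
    """
    out = json.loads(json.dumps(event))  # deep copy so the caller's dict is untouched
    if mode == "drop":
        out.pop("host", None)
        return out
    if mode != "flatten":
        raise ValueError("mode must be 'flatten' or 'drop'")
    if host_kind(out) == "object":
        name = out["host"].get("name") or out.get("beat", {}).get("hostname")
        if name is None:
            out.pop("host")  # nothing usable to flatten to; keep the event indexable
        else:
            out["host"] = name
    return out


def audit_host_kinds(lines):
    """Count ``host`` kinds over NDJSON lines such as /tmp/filebeat/filebeat.

    Blank lines are skipped and non-JSON lines are counted as 'unparseable' so a
    corrupt line surfaces instead of aborting the audit.
    """
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            counts["unparseable"] += 1
            continue
        counts[host_kind(event)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(audit_host_kinds(SAMPLE_LINES))
    print(normalize_host(EVENT_6_3_2)["host"])
    print("host" in normalize_host(EVENT_6_3_2, mode="drop"))
```

Run it against the real dump with `audit_host_kinds(open("/tmp/filebeat/filebeat"))`; any result with both "string" (or "absent") and "object" present means the mutate filter must be in place before the new Beats are allowed to ship to the shared index.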

After that, testing passed. Read the changelog before rolling out a new version!

Reposted from: https://my.oschina.net/hxily/blog/1932662
