-2

logstash 1.5.0 にアップグレードした後、このプログラムの奇妙な動作が発生しました。次のコマンドで実行するたびに:

 $ logstash agent -f /usr/local/etc/logstash/conf.d/logstash.conf

それはしばらくの間機能し、その後、言うのをやめます"Logstash shutdown completed"。例:

 .....
 ......
  "@version" => "1",
"@timestamp" => "2015-06-20T21:04:09.087Z",
      "type" => "SuricataIDPS",
      "host" => "drew-sh.server",
      "path" => "/var/log/suricata/eve.json",
     "geoip" => {
                  "ip" => "209.52.144.104",
       "country_code2" => "CA",
       "country_code3" => "CAN",
        "country_name" => "Canada",
      "continent_code" => "NA",
         "region_name" => "BC",
           "city_name" => "Vancouver",
            "latitude" => 49.25,
           "longitude" => -123.13329999999999,
            "timezone" => "America/Vancouver",
    "real_region_name" => "British Columbia",
            "location" => [
        [0] -123.13329999999999,
        [1] 49.25
    ],
         "coordinates" => [
        [0] -123.13329999999999,
        [1] 49.25
    ]
  }
}
Logstash shutdown completed

完全に再インストールした後でも:

$ brew rm logstash
$ brew install logstash

私は同じ問題を抱えています(((

これが私の/usr/local/etc/logstash/conf.d/logstash.confです:

input {
  file {
    path => ["/var/log/suricata/eve.json"]
    sincedb_path => ["/var/lib/logstash/"]
    codec =>   json
    type => "SuricataIDPS"
    start_position => "beginning"
  }

}

filter {
  if [type] == "SuricataIDPS" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    ruby {
      code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
    }
  }

  if [src_ip]  {
    geoip {
      source => "src_ip"
      target => "geoip"
      #database => "/usr/local/opt/logstash/libexec/vendor/geoip/GeoLiteCity.dat"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
    if ![geoip.ip] {
      if [dest_ip]  {
        geoip {
          source => "dest_ip"
          target => "geoip"
          #database => "/usr/local/opt/logstash/libexec/vendor/geoip/GeoLiteCity.dat"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float" ]
        }
      }
    }
  }
}

output {
  elasticsearch {
    host => localhost
    protocol => http
  }
  stdout {
      codec => rubydebug
   }
}

なんで?私は何を間違っていますか?

4

1 に答える 1