OS X：一会儿logstash工作，然后用“Logstash关机完成”停止味精（（

Question

后我升级到1.5.0 logstash获得此程序的怪异行为 每当我下一个命令运行它。

$ logstash agent -f /usr/local/etc/logstash/conf.d/logstash.conf 

它适用于一段时间，然后停止说"Logstash shutdown completed" 例：

..... 
...... 
    "@version" => "1", 
"@timestamp" => "2015-06-20T21:04:09.087Z", 
     "type" => "SuricataIDPS", 
     "host" => "drew-sh.server", 
     "path" => "/var/log/suricata/eve.json", 
    "geoip" => { 
        "ip" => "209.52.144.104", 
     "country_code2" => "CA", 
     "country_code3" => "CAN", 
     "country_name" => "Canada", 
     "continent_code" => "NA", 
     "region_name" => "BC", 
      "city_name" => "Vancouver", 
      "latitude" => 49.25, 
      "longitude" => -123.13329999999999, 
      "timezone" => "America/Vancouver", 
    "real_region_name" => "British Columbia", 
      "location" => [ 
     [0] -123.13329999999999, 
     [1] 49.25 
    ], 
     "coordinates" => [ 
     [0] -123.13329999999999, 
     [1] 49.25 
    ] 
    } 
} 
Logstash shutdown completed 

完全重新安装后也：

$ brew rm logstash 
$ brew install logstash 

我有同样的问题（（（

这里是我的/usr/local/etc/logstash/conf.d/logstash.conf：

input { 
    file { 
    path => ["/var/log/suricata/eve.json"] 
    sincedb_path => ["/var/lib/logstash/"] 
    codec => json 
    type => "SuricataIDPS" 
    start_position => "beginning" 
    } 

} 

filter { 
    if [type] == "SuricataIDPS" { 
    date { 
     match => [ "timestamp", "ISO8601" ] 
    } 
    ruby { 
     code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;" 
    } 
    } 

    if [src_ip] { 
    geoip { 
     source => "src_ip" 
     target => "geoip" 
     #database => "/usr/local/opt/logstash/libexec/vendor/geoip/GeoLiteCity.dat" 
     add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ] 
     add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ] 
    } 
    mutate { 
     convert => [ "[geoip][coordinates]", "float" ] 
    } 
    if ![geoip.ip] { 
     if [dest_ip] { 
     geoip { 
      source => "dest_ip" 
      target => "geoip" 
      #database => "/usr/local/opt/logstash/libexec/vendor/geoip/GeoLiteCity.dat" 
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ] 
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ] 
     } 
     mutate { 
      convert => [ "[geoip][coordinates]", "float" ] 
     } 
     } 
    } 
    } 
} 

output { 
    elasticsearch { 
    host => localhost 
    protocol => http 
    } 
    stdout { 
     codec => rubydebug 
    } 
} 

为什么？我究竟做错了什么？

Answer 1

没关系 - 我已经更新logstash，现在它工作正常