Logstash -> Elasticsearch 未正确映射

Question

所以我最近使用这个站点作为模板创建了一个 ELK 集群。ELK Cluster Setup

我遇到了一个问题，即 Logstash 处理节点上的 json 模板没有在实际的 Elasticsearch 数据节点上使用。我可以看到已经在总部创建了映射，但是创建了另一个使用一些动态创建的映射的映射。正确完成的映射在数据节点上称为“Sourcefire”，但它也创建了一个不正确的称为“sourcefire”的映射。

我无法弄清楚这一点，我正在学习这些东西，因此不胜感激。有关代码 sn-ps，请参见下文。

Logstash.conf

input {
    tcp {
        port => 5170
        type => "sourcefire"
    }
}

filter {

    mutate{
        split => ["message", "|"]
        add_field => {
            "event" => "%{message[5]}"
            "eventSource" => "%{message[1]}"
        }
    }

    kv {
        include_keys => ["dhost", "dst", "dpt", "shost", "src", "spt", "rt"]
    }

    mutate {
        rename => [ "dhost", "destinationHost" ]
        rename => [ "dst", "destinationAddress" ]
        rename => [ "dpt", "destinationPort" ]
        rename => [ "shost", "sourceHost" ]
        rename => [ "src", "sourceAddress" ]
        rename => [ "spt", "sourcePort" ]
    }

    date {
        match => ["rt","UNIX_MS"]
        target => "eventDate"
    }

    geoip {
        add_tag => [ "sourceGeo" ]
        source => "src"
        database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
    }

    geoip {
        add_tag => [ "destinationGeo" ]
        source => "src"
        database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
    }
}

output {
    if [type] == "sourcefire" {
        elasticsearch {
            cluster => "XXX-cluster"
            flush_size => 1
            manage_template => true
            template => "/opt/logstash/lib/logstash/outputs/elasticsearch/elasticsearch-sourcefire.json"
        }
    }
}

Elasticsearch json 模板

{
    "template": "logstash-*",
    "settings": {
        "index.refresh_interval": "5s"
    },
    "mappings": {
        "Sourcefire": {
            "_all": {
                "enabled": true
            },
            "properties": {
                "@timestamp": {
                    "type": "date",
                    "format": "basicDateTimeNoMillis"
                },
                "@version": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "geoip": {
                    "type": "object",
                    "dynamic": true,
                    "path": "full",
                    "properties": {
                        "location": {
                            "type": "geo_point"
                        }
                    }
                },
                "event": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "eventDate": {
                    "type": "date",
                    "format": "basicDateTimeNoMillis"
                },
                "destinationAddress": {
                    "type": "ip"
                },
                "destinationHost": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "destinationPort": {
                    "type": "integer",
                    "index": "not_analyzed"
                },
                "sourceAddress": {
                    "type": "ip"
                },
                "sourceHost": {
                    "type": "string",
                    "index": "not_analyzed"
                },
                "sourcePort": {
                    "type": "integer",
                    "index": "not_analyzed"
                }
            }
        }
    }
}

Answer 1

您可以使用 elasticsearch 输出的 template_overwrite 属性。但是，不能保证始终正常工作，尤其是当您有多个同时工作的 logstash 实例时。此外，根据您的 elasticsearch 映射配置设置，特别是动态映射和默认设置 (http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/mapping-dynamic-mapping.html)，您可能会得到与预期不同的结果。

根据我的经验，我发现最好手动控制 elasticsearch 中的索引映射（使用 fiddler 或 elasticsearch-head 管理站点等工具）。这是因为当多个 logstash 实例一起覆盖映射时，我遇到了各种意外结果，禁用了我设置的特殊弹性搜索字段（如 _ttl）。

Answer 2

只需删除存储的模板，它就会重新创建它： 例如，如果您的模板名称是logstash：

curl -XDELETE localhost:9200/_template/logstash

此外，如果您正在写入相同的索引，则无法更改映射。您需要重新创建索引（确保首先停止 logstash 以防止任何飞行）。