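I am using ELK stack version 5.1.2 and I have a problem sending logs from a workstation (node) to the central server. Everything I configured on localhost works perfectly, but not in the development environment. On localhost I used SSL, but now I have turned it off. So my Filebeat conf file is: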

filebeat.prospectors:
- input_type: log
  paths:
    - e:\logs\*.log
  document_type: xxx_log

output.logstash:
  hosts: ["xxxx:5043"]

logging.level: error
logging.to_syslog: true

logging.files:
  rotateeverybytes: 10485760 # = 10MB

Logstash configuration:

input {
    beats {
        port => "5043"
    }
}
filter {
    if [type] == "xxx_log" {
        multiline {
            pattern => "^TID"
            negate => true
            what => "previous"
        }
        grok {
            break_on_match => false
            match =>  [ "message", "TID: \[%{TIMESTAMP_ISO8601:timestamp}\] %{LOGLEVEL:level} \[%{JAVACLASS:java_class}\] \(%{GREEDYDATA:thread}\) - (?<log_message>(.|\r|\n)*)"]
        }
    }
}
output {
    elasticsearch {
        hosts => [ "localhost:9200" ]
        user => "elastic"
        password => "changeme"
        index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    }
}

OK, when I add a line to the log file, for example:

TID: [2017-01-19 13:37:18] INFO [App.java] (main) - Info test...

Filebeat starts harvesting data, and after a successful harvest I get:

ERR Failed to publish events caused by: write tcp yyyy:51992->xxxx:5043: wsasend: An existing connection was forcibly closed by the remote host.

There is nothing in the Logstash log.

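The firewall is off, and when I open telnet from the WORK node on port 5043, the message arrives at the central server, because Logstash says in its log file that I sent an invalid frame type; for example, I just send some POST to test whether port 5043 is open. So the port is open, but Elastic is empty. Sometimes, I don't know why, I get this error in the Filebeat log: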

wsarecv: An existing connection was forcibly closed by the remote host.

This produces the following lines in the Logstash log:

11:45:31.094 [nioEventLoopGroup-4-2] ERROR org.logstash.beats.BeatsHandler - Exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 83
13:31:43.139 [nioEventLoopGroup-4-4] ERROR org.logstash.beats.BeatsHandler - Exception: An existing connection was forcibly closed by the remote host

Thanks for any advice. Jaroslav
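
Added example (not part of the original post, and not Logstash or Filebeat code): a small Python helper that decodes the number in "Invalid Frame Type, received: 83" and classifies the first bytes a client sends to the Beats port, to tell a Beats frame from a telnet/HTTP test or a TLS handshake. The frame-type table follows the public lumberjack protocol description; the function names and the sample byte strings are constructed for illustration.

```python
# Assumed frame layout (public lumberjack protocol description):
# byte 0 = protocol version ('1' or '2'), byte 1 = frame type.
FRAME_TYPES = {
    ord("W"): "window size",
    ord("D"): "data (key/value)",
    ord("J"): "JSON data",
    ord("C"): "compressed",
    ord("A"): "ACK",
}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def explain_frame_type(code):
    """Decode the N from 'Invalid Frame Type, received: N'."""
    code &= 0xFF  # the log prints a signed byte; normalise to 0..255
    char = chr(code) if 0x20 <= code < 0x7F else None
    return {
        "byte": code,
        "char": char,
        "valid": code in FRAME_TYPES,
        "meaning": FRAME_TYPES.get(code, "not a lumberjack frame type"),
    }


def classify_first_bytes(data):
    """Guess what kind of client opened the connection from its first bytes."""
    if len(data) < 2:
        return "too short"
    if data[0] == 0x16 and data[1] == 0x03:  # TLS record: handshake, version 3.x
        return "tls-handshake"
    if data.startswith(HTTP_METHODS):
        return "http-request"
    if data[0] in (ord("1"), ord("2")) and data[1] in FRAME_TYPES:
        return "lumberjack v%s: %s" % (chr(data[0]), FRAME_TYPES[data[1]])
    return "unknown"


if __name__ == "__main__":
    print(explain_frame_type(83))  # the value from the Logstash log above
    # Constructed samples: manual HTTP test, TLS ClientHello start, Beats window frame.
    for sample in (b"POST / HTTP/1.1\r\n", b"\x16\x03\x01\x00\xa5\x01", b"2W\x00\x00\x00\x01"):
        print(sample[:8], "->", classify_first_bytes(sample))
```
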