我正在尝试设置logstash来解析日志并将其发送到另一台服务器。几乎每次 GROK 无法解析日志时,都会导致以下错误:
{:timestamp=>"2013-07-08T02:20:07.390000-0400",
:message=>"thread watchdog timeout",
:thread=>#<Thread:0x133b92c run>,
:backtrace=>["file:/opt/logstash/logstash.jar!/logstash/filterworker.rb:46:in `backtrace'",
"file:/opt/logstash/logstash.jar!/logstash/filterworker.rb:46:in `run'",
"file:/opt/logstash/logstash.jar!/logstash/agent.rb:785:in `each'",
"file:/opt/logstash/logstash.jar!/logstash/agent.rb:785:in `run_filter'",
"file:/opt/logstash/logstash.jar!/logstash/agent.rb:492:in `run_with_config'"],
:thread_watchdog=>2013-07-08 02:19:57 -0400,
:age=>10.006,
:cutoff=>10,
:state=>{:event=>#<LogStash::Event:0xa02ea9 @data={"@source"=>"file://clstaging12//home/xyz/xyz.com/apps/logs/mailerjob_log_2013_07_04.txt",
"@tags"=>[],
"@fields"=>{},
"@timestamp"=>"2013-07-08T06:19:50.114Z",
"@source_host"=>"clstaging12",
"@source_path"=>"//home/xyz/xyz.com/apps/logs/mailerjob_log_2013_07_04.txt",
"@message"=>"PID:31730 2013-07-04T13:59:03-05:00 DEBUG :[property_listing_contact.php] Inside getBrokersContactInfoReceivedUserCount of the PropertyListing",
"@type"=>"zend_log"},
@cancelled=false>,
:filter=><LogStash::Filters::Grok type=>"zend_log",
patterns_dir=>["/home/xyz/xyz.com/conf/patterns"],
pattern=>["%{ZEND_LOG}"],
match=>{"@message"=>["%{ZEND_LOG}"]},
tag_on_failure=>["_grokparsefailure"]>},
:level=>:fatal}
模式 ZEND_LOG 是:
ZEND_LOG_SIGNATURE (?:IP\:(?<clientip>(?:\%ip\%|%{IP})) )?PID\:%{NUMBER:pid}
ZEND_CONTEXT [^\]]+
ZEND_LOG %{ZEND_LOG_SIGNATURE} %{TIMESTAMP_ISO8601:timestamp} %{WORD:level} \:\[%{ZEND_CONTEXT:context}\] %{GREEDYDATA:message}
这会导致logstash代理每隔几分钟崩溃一次,使其几乎无法使用。 我查看了 JIRA 上提交的许多现有错误,但没有任何运气。以下是一些链接:
https://logstash.jira.com/browse/LOGSTASH-508
最佳答案
我无法完全解决这个问题,但经过进一步调查,我发现当 GROK 无法匹配整行时,即它仍在等待更多输入时,就会发生错误。
这可能完全是因为我尝试解析的日志是多行的,并且我使用了贪婪的正则表达式。我通过使我的正则表达式更加强类型化来解决这个问题。
关于logging - Logstash:GROK 导致 `thread watchdog timeout`,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/17520504/