如何在 logstash 配置文件中添加 ruby 代码?
How to add a ruby code inside of the logstash config file?
我尝试使用 logstash 将日志发送到 windows 事件。添加一些 ruby 代码后;它在下面创建 error.How 我可以将日志发送到 windoes 事件吗?
input {
file {
type => "json"
path => ["C:/Temp/logs/*.json"]
start_position => "beginning"
codec => "json"
discover_interval => 120
stat_interval => 60
sincedb_write_interval => 60
close_older => 60
}
}
filter {
mutate {
remove_field => [ "path" ]
}
ruby {
code => "
require 'win32/eventlog'
logger = Win32::EventLog.new
logger.report_event(:event_type => Win32::EventLog::INFO, :data => "a test event log entry")
"
}
}
}
output {
stdout {
codec => rubydebug
}
elasticsearch {
hosts => ["http://loguser:xxxx@192.158.5.84:333"]
index => "logstash-%{+YYYY.MM}"
}
}
错误:
[2018-03-20T09:51:28,629][ERROR][logstash.agent ] Cannot create pipeline {:reason=>"Expected one of #, {, } at line 23, column 75 (byte 464) after filter {\nmutate {\n remove_field => [ \"path\" ] \n\n}\n ruby {\n init => \" require 'win32/eventlog' \n\t \"\n code => \"\n logger = Win32::EventLog.new\n logger.report_event(:event_type => Win32::EventLog::INFO, :data => \""}
从问题中突出显示的语法可以看出,您使用的双引号存在问题。密切注意代码块中的黑色字母:
"
require 'win32/eventlog'
logger = Win32::EventLog.new
logger.report_event(:event_type => Win32::EventLog::INFO, :data => "a test event log entry")
"
您将代码块用双引号引起来,但也使用它们来定义事件中的字符串:"a test event log entry"。字符串的第一个引号结束代码块,LogStash 报告语法错误,因为它希望您使用 }.
结束指令
您还可以在错误消息中看到这一点,它将 data 属性的值报告为单个双引号::data => \".
尝试将字符串用单引号引起来:'a test event log entry' 以解决此问题。
我尝试使用 logstash 将日志发送到 windows 事件。添加一些 ruby 代码后;它在下面创建 error.How 我可以将日志发送到 windoes 事件吗?
input {
file {
type => "json"
path => ["C:/Temp/logs/*.json"]
start_position => "beginning"
codec => "json"
discover_interval => 120
stat_interval => 60
sincedb_write_interval => 60
close_older => 60
}
}
filter {
mutate {
remove_field => [ "path" ]
}
ruby {
code => "
require 'win32/eventlog'
logger = Win32::EventLog.new
logger.report_event(:event_type => Win32::EventLog::INFO, :data => "a test event log entry")
"
}
}
}
output {
stdout {
codec => rubydebug
}
elasticsearch {
hosts => ["http://loguser:xxxx@192.158.5.84:333"]
index => "logstash-%{+YYYY.MM}"
}
}
错误:
[2018-03-20T09:51:28,629][ERROR][logstash.agent ] Cannot create pipeline {:reason=>"Expected one of #, {, } at line 23, column 75 (byte 464) after filter {\nmutate {\n remove_field => [ \"path\" ] \n\n}\n ruby {\n init => \" require 'win32/eventlog' \n\t \"\n code => \"\n logger = Win32::EventLog.new\n logger.report_event(:event_type => Win32::EventLog::INFO, :data => \""}
从问题中突出显示的语法可以看出,您使用的双引号存在问题。密切注意代码块中的黑色字母:
"
require 'win32/eventlog'
logger = Win32::EventLog.new
logger.report_event(:event_type => Win32::EventLog::INFO, :data => "a test event log entry")
"
您将代码块用双引号引起来,但也使用它们来定义事件中的字符串:"a test event log entry"。字符串的第一个引号结束代码块,LogStash 报告语法错误,因为它希望您使用 }.
您还可以在错误消息中看到这一点,它将 data 属性的值报告为单个双引号::data => \".
尝试将字符串用单引号引起来:'a test event log entry' 以解决此问题。