When I use the following configuration of filebeat+pipeline to collect nginx logs, multiple duplicate logs will be generated in Elasticsearch, but I cannot find the reason, despite testing many times. Could you please help me see what caused the problem
my-filebeat.yml
filebeat.inputs:
- type: filestream
paths:
- /root/rsync_logs/nginx_logs/gate.access.log
tags: ["gate","nginx"]
processors:
- drop_fields:
fields:
- agent.ephemeral_id
- agent.hostname
- agent.id
- agent.type
- agent.version
- ecs.version
- input.type
- log.offset
- version
output.elasticsearch:
hosts: ["192.168.112.44:30200"]
protocol: "https"
username: "elastic"
password: "XXXXXXXXX"
ssl.verification_mode: none
timezone: "Asia/Shanghai"
enabled: true
pipelines:
- pipeline: "biot_nginx_log_pipeline"
when.contains:
tags: "nginx"
indices:
- index: "biot-log-nginx-gate-%{+yyyy.MM.dd}"
when.contains:
tags: "gate"
setup.ilm.enabled: false
setup.template.name: "biot-log"
setup.template.pattern: "biot-log*"
setup.template.overwrite: true
setup.template.settings:
index.number_of_shards: 3
index.number_of_replicas: 0
I can find that multiple duplicate logs are identical from the es, but my original log is only one, and the logs are still increasing repeatedly
This is my pipeline
[
{
"grok": {
"field": "message",
"patterns": [
"%{WORD:client_address}:%{IP:client_address}###%{WORD:client_user}:%{DATA:client_user}###%{WORD:real_ip}:%{DATA:real_ip}###%{WORD:visit_time}:%{TIMESTAMP_ISO8601:visit_time}###%{WORD:request_uri}:%{GREEDYDATA:request_uri}###%{WORD:request_host}:%{DATA:request_host}###%{WORD:http_status}:%{NUMBER:http_status}###%{WORD:upstream_status}:%{DATA:upstream_status}###%{WORD:traffic}:%{NUMBER:traffic}###%{WORD:original_address}:%{DATA:original_address}###%{WORD:http_user_agent}:%{GREEDYDATA:http_user_agent}###%{WORD:request_length}:%{NUMBER:request_length}###%{WORD:load_balancer}:%{DATA:load_balancer}###%{WORD:processing_time}:%{NUMBER:processing_time}###%{WORD:upstream_response_time}:%{DATA:upstream_response_time}###%{WORD:http_acl_t}:%{DATA:http_acl_t}###"
],
"ignore_failure": true
}
},
{
"date": {
"field": "visit_time",
"target_field": "@timestamp",
"formats": [
"ISO8601"
],
"timezone": "Asia/Shanghai"
}
},
{
"geoip": {
"field": "client_address",
"target_field": "geo",
"ignore_failure": true
}
}
]