如何在logstash配置文件中添加ruby代码?
我尝试使用logstash将日志发送到Windows事件。 添加了一些ruby代码之后;它在error下面创建。如何将日志发送到windoes事件?
input { file { type => "json" path => ["C:/Temp/logs/*.json"] start_position => "beginning" codec => "json" discover_interval => 120 stat_interval => 60 sincedb_write_interval => 60 close_older => 60 } } filter { mutate { remove_field => [ "path" ] } ruby { code => " require 'win32/eventlog' logger = Win32::EventLog.new logger.report_event(:event_type => Win32::EventLog::INFO, :data => "a test event log entry") " } } } output { stdout { codec => rubydebug } elasticsearch { hosts => ["http://loguser:xxxx@192.158.5.84:333"] index => "logstash-%{+YYYY.MM}" } } 错误:
[2018-03-20T09:51:28,629][ERROR][logstash.agent ] Cannot create pipeline {:reason=>"Expected one of #, {, } at line 23, column 75 (byte 464) after filter {\nmutate {\n remove_field => [ \"path\" ] \n\n}\n ruby {\n init => \" require 'win32/eventlog' \n\t \"\n code => \"\n logger = Win32::EventLog.new\n logger.report_event(:event_type => Win32::EventLog::INFO, :data => \""}
正如您在问题中突出显示的语法所述,您使用的双引号存在问题。 密切注意代码块中的黑色字母:
" require 'win32/eventlog' logger = Win32::EventLog.new logger.report_event(:event_type => Win32::EventLog::INFO, :data => "a test event log entry") "
您将代码块包装在双引号中,但也使用它们来定义事件中的字符串: "a test event log entry" 。 字符串的第一个引号结束代码块,LogStash报告语法错误,因为它希望您使用}来关闭指令。
您还可以在错误消息中看到这一点,它将值作为data属性报告为单个双引号:data => \" 。
尝试用单引号包装字符串: 'a test event log entry'来解决此问题。