filebeat版本问题导致logstash无法处理接收到的日志

Title

整体架构：filebeat-》logstash-》elasticsearch-》kibana，logstash的配置生成索引

现象：2台应用服务器【filebeat版本不一样】，1台logstash+es+kibana，kibana上没有其中一台的日志索引

logstash报错：

[logstash.outputs.elasticsearch][main]..........."failed to parse field[host] of type [text] in document with 'bQV9sXUBFKchuFQTGB1a',Preview of field's value:'xxx'", "cau
sed by"=>{"type}=>"illegal_state_exception",“reason"=>"Can't get text on a START_OBJECT at 1:222"

调试：从源头开始查，（怀疑是filebeat版本问题）

1.更改filebeat的配置，将搜集到的数据输出到文件

output.file:
  path: "/tmp/filebeat"
  filename: filebeat

　　

最后查看对比

"version":"6.2.4"

{"@timestamp":"2018-08-23T02:34:30.957Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.2.4"},"source":"/var/log/maillog","offset":2093185,"message":"2018-08-2
3 10:34:30 postfix/cleanup[11289]: 41wpQW4fsgz5WhW0: milter-reject: END-OF-MESSAGE from vip.admin.net[18.24.24.109]: 4.7.1 Spam message rejected; from=\u003creputation@h
ahaha.com\u003e to=\u003cjacques_testg@abc.com\u003e proto=ESMTP helo=\u003cvip.admin.net\u003e","prospector":{"type":"log"},"beat":{"name":"smtp_02","hostname":"smtp_02
","version":"6.2.4"}}

"version":"6.3.2"

{"@timestamp":"2018-08-23T02:05:10.172Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.3.2"},"message":"2018-08-23 10:05:04 postfix/smtp[27215]: 41wncZ3yslz9x
BFm: from=\u003ca@test-cn.com\u003e, to=\u003ctest@test.com\u003e, relay=none, delay=419, delays=388/0.03/31/0, dsn=4.4.1, status=deferred (connect to test.com[19.24.31.
13]:25 : Connection timed out)","prospector":{"type":"log"},"input":{"type":"log"},"beat":{"hostname":"hkmail","version":"6.3.2","name":"mail_01"},"host":{"name":"mail_01
"},"source":"/var/log/maillog","offset":2135359}

果然是6.3.2后面多了一个 host 字段，看了下这个字段内容在beat 里面已经有了，可以在logstash中丢掉。解决

filter {
    mutate{
        remove_field => "host"
    }
    ...
}