Develop Reference

Error pushing logs to elasticsearch using kafka as input for logstash

Below is my logstash config file logstash.conf. Lotstash reads logs from Kafka topic 'my_topic' and outputs it to elasticsearch index 'es-index'.
input {
kafka {
bootstrap_servers =>"kafka1.xxx:9092,kafka2.xxx:9092,kafka3.xxx:9092"
topics => ["my_topic"]
codec => "json"
group_id => "logstashgroup"
}
}
output {
elasticsearch {
hosts => ["es1.myhost:9200","es2.myhost:9200","es3.myhost:9200"]
user => "user123"
password => "password"
index => "es-index"
}
}
filter {
json {
source => "message"
skip_on_invalid_json => true
}
}
It worked fine for a few months but recently it started throwing the following errors:
[ERROR][logstash.outputs.elasticsearch] An unknown error occurred sending a bulk request to Elasticsearch. We will retry indefinitely {:error_message=>"Could not read from stream: Corrupt GZIP trailer", :error_class=>"Manticore::StreamClosedException"
and,
[FATAL][logstash.runner ] An unexpected error occurred! {:error=>org.apache.kafka.common.KafkaException: Received exception when fetching the next record from my_topic-1. If needed, please seek past the record to continue consumption., :backtrace=>["org.apache.kafka.clients.consumer.internals.Fetcher$PartitionRecords.fetchRecords(org/apache/kafka/clients/consumer/internals/Fetcher.java:1469)", "org.apache.kafka.clients.consumer.internals.Fetcher$PartitionRecords.access$1600(org/apache/kafka/clients/consumer/internals/Fetcher.java:1328)",
then,
[ERROR][logstash.javapipeline ] A plugin had an unrecoverable error. Will restart this plugin.
Plugin: <LogStash::Inputs::Kafka codec=><LogStash::Codecs::JSON id=>"json_9a7a9d96-d7be-4292-a3de-67f797d22ab5"
then,
Error: Received exception when fetching the next record from my_topic-1. If needed, please seek past the record to continue consumption.
Exception: Java::OrgApacheKafkaCommon::KafkaException
and then logstash stops
[ERROR][org.logstash.Logstash ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit
I'm not sure what's the problem. I couldn't find anything relevant to solve the problem. Any help will be greatly appreciated.

Failed to execute action :action=>LogStash::PipelineAction::Create/pipeline_id:main

I have installed ELK stack version 7.0.0 on my CentOS7 VM and I faced with an issue during Logstash service start:
[ERROR] 2019-05-13 08:21:37.359 [Converge PipelineAction::Create] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"MultiJson::ParseError", :message=>"JrJackson::ParseError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/multi_json-1.13.1/lib/multi_json/adapter.rb:20:in load'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/multi_json-1.13.1/lib/multi_json.rb:122:inload'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/avro-1.8.2/lib/avro/schema.rb:36:in parse'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-codec-avro-3.2.3-java/lib/logstash/codecs/avro.rb:69:inregister'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/base.rb:18:in initialize'", "org/logstash/plugins/PluginFactoryExt.java:255:inplugin'", "org/logstash/execution/JavaBasePipelineExt.java:50:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:23:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:325:inblock in converge_state'"]}
Please help to figure out a way to resolve this issue. Similar installation on another Centos VM is working fine.

I think you are cofiguration json format not parsing in logstash.yml file
put simple configuration like blow
input {
beats {
port => 5044
}
}
output {
stdout { codec => rubydebug }
elasticsearch {
hosts => ["http://ip:9200"]
}
}

ELK: start logstash fails, illegalstateexception

Since my server could not access internet. I downloaded filebeat, logstash, elasticsearch and kibana's rpm format files.
I use command rpm -Uvh xxx.rpm to install filebeat logstash elasticsearch and kibana. Then I modified configuration. For logstash, I updated pipelines.yml and copy it to /etc/logstash/conf.d directory.
The piplelines.yml is as follows:
input {
beats {
port => "5044"
}
}
filter {
grok {
match => {
"message" => [
"%{TIMESTAMP_ISO8601:timestamp} \[%{DATA:threadname}\] - %{LOGLEVEL:loglevel} - app-info-exception-info - params:%{SPACE}\{\"%{DATA:jsondata}\"\} %{DATA:excentionname}: %{DATA:exceptiondetail}\n(?m)%{GREEDYDATA:extralines}",
"(?<timestamp>[\d\-\s\:]+)\s\[(?<threadname>[\d\.\w\s\(\)\-]+)\]\s-\s(?<loglevel>[\w]+)\s+-\s(?<appinfo>app-info)\s-\s(?<systemmsg>[\w\d\:\{\}\,\-\(\)\s\"]+)",
"(?<timestamp>[\d\-\s\:]+)\s\[(?<threadname>[\d\.\w\s\(\)\-]+)\]\s-\s(?<loglevel>[\w]+)\s+-\s+(?<systemmsg>[\s\.\w\-\'\:\d\[\]\/]+)"
]
}
}
}
output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => [ "localhost:9200" ]
index => "ykt"
}
}
From /var/log/, I could see filebeat, elasticsearch are fine. But in logstash's logstash-plain.log, there are error messages:
[2018-06-20T20:21:54,138][ERROR][org.logstash.Logstash ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit
[2018-06-20T20:22:07,642][ERROR][org.logstash.Logstash ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit
[2018-06-20T20:22:21,299][ERROR][org.logstash.Logstash ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit
[2018-06-20T20:22:34,572][ERROR][org.logstash.Logstash ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit
[2018-06-20T20:22:48,019][ERROR][org.logstash.Logstash ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit
After updation yml/configuration, I do
systemctl daemon-reload
systemctl restart logstash
I do not why there is illegalStateException. Any help?

LogStash setup LoadError

I'm trying to set up LogStash and I'm following this tutorial exactly. But when I run command
bin/logstash -e 'input { stdin { } } output { stdout {} }'
it gives me the following error:
warning: --1.9 ignored
LoadError: no such file to load -- bundler
require at org/jruby/RubyKernel.java:940
require at C:/jruby-9.0.0.0/lib/ruby/stdlib/rubygems/core_ext/kernel_require.rb:54
setup! at C:/Users/ryan.dai/Desktop/logstash-1.5.3/lib/bootstrap/bundler.rb:43
<top> at c:/Users/ryan.dai/Desktop/logstash-1.5.3/lib/bootstrap/environment.rb:46
I tried jruby -S gem install bundler as suggested from someone else but it doesn't work. Totally new to Ruby, what is happening and what should I do?

You can fallow the below URL for installing entire ELK Setup.
Here you need to pass the file(log) as a path to the input of the logstash configuration.
input {
file {
path => "/tmp/access_log"
start_position => "beginning"
}
}
filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }
}
ELK Setup Installtion
Commands for running with CMD Prompt:
logstash -f logstash.conf for running logstash
logstash --configtest -f logstash.conf for configuration test
logstash --debug -f logstash.conf for debug the logstash configuration
Logstash configuration Examples

Logstash got error to send bulk of actions to elasticsearch server at localhost on Windows

I wrote a .conf file as in the example given in the Logstash documentation and tried to run it. Logstash started but when I gave the input it gave the error as mentioned in the title.
I am using Windows 8.1 and the .conf file in saved in the logstash-1.5.0/bin.
Here is the .conf file:
input { stdin { } }
output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }
}
Here is the screenshot of the command prompt:

Try with this, "logstash" should be the same name of your cluster in Elasticsearch.yml
output {
elasticsearch {
cluster => "logstash"
}
}

I found the error. It was because I have not installed elasticsearch before running logstash.
Thanks for trying to helping me out