Logstash not matching the pattern - elasticsearch

I was learning logstash. Have a very simple config file..
input {
file {
path => "D:\b.log"
start_position => beginning
}
}
# The filter part of this file is commented out to indicate that it is
# optional.
filter {
grok {
match => { "message" => "%{LOGLEVEL:loglevel}" }
}
}
output {
stdout { codec => rubydebug }
}
The input file is just this:
INFO
I am running logstash on windows and the command is
logstash -f logstash.conf
I expect the output to be shown on the console to ensure that its working. But logstash produces no output, just the logstash config messages..
D:\Installables\logstash-2.0.0\logstash-2.0.0\bin>logstash -f logstash.conf
io/console not supported; tty will not be manipulated
Default settings used: Filter workers: 2
Logstash startup completed
I have deleted the sincedb file and tried. Is there something that i am missing?

I think this answers your question:
How to force Logstash to reparse a file?
It looks like you are missing the quotes around "beginning" and the other post recommends redirecting sincedb to dev/null. I don't know if there is a windows equivalent for that. I did use that as well, and it worked fine.
As an alternative, what I do now is to configure stdin() as input so that I don't have to worry about anything else.

Related

Unable to start Logstash server and throwing error

I want to pass log file as an input to a Logstash input. I have added /bin to the environment variable path so that I can access it from anywhere.
Below is my conf file:
logstash.conf
input{
path => "D:\nest\es-logging-example\log\info\info.log"
start_position => beginning
}
output{
elasticsearch{
hosts => ["localhost:9200"]
index => "indexforlogstash"
}
}
After running this using logstash -f "D:\nest\es-logging-example\logstash.conf" its showing below error in terminal.
`
[2022-03-15T16:14:49,851][ERROR][logstash.agent ] Failed to
execute action
{:action=>LogStash::PipelineAction::Create/pipeline_id:main,
:exception=>"LogStash::ConfigurationError", :message=>"Expected one of [
\\t\\r\\n], \"#\", \"{\" at line 2, column 11 (byte 19) after input{\r\n
path ", :backtrace=>["C:/logstash-8.1.0/logstash-
core/lib/logstash/compiler.rb:32:in `compile_imperative'",
"org/logstash/execution/AbstractPipelineExt.java:189:in `initialize'",
"org/logstash/execution/JavaBasePipelineExt.java:72:in `initialize'",
"C:/logstash-8.1.0/logstash-core/lib/logstash/java_pipeline.rb:47:in
`initialize'", "C:/logstash-8.1.0/logstash-
core/lib/logstash/pipeline_action/create.rb:50:in `execute'",
"C:/logstash-8.1.0/logstash-core/lib/logstash/agent.rb:376:in `block in
converge_state'"]}`
What is this error about?
I think your problem is that the \ is an escape character in the quoted string in your config file.
Can you change
path => "D:\nest\es-logging-example\log\info\info.log"
to
path => "D:\\nest\\es-logging-example\\log\\info\\info.log"
So the \ characters in the path are escaped.
There's no configuration found in C:\logstash-8.1.0\logstash.conf
Specify the absolute path where your logstash.cong file is located instead:
logstash -f "D:\\nest\\es-logging-example\\logstash.conf"
You also need to modify your config file as follows
path => "D:\\nest\\es-logging-example\\log\\info\\info.log"
Your configuration is wrong, you need to specify which input plugin you are using, which based on what you shared is the file input plugin.
Also, you need to use forward slashes.
Try the following:
input {
file {
path => "D:/nest/es-logging-example/log/info/info.log"
start_position => beginning
}
}

Trying to set logstash conf file in docker-compose.yml on Mac OS

Here is what I have specified in my yml for the logstash. I've tried multiple variations of quotes, no quotes, etc:
volumes:
- "./logstash:/etc/logstash/conf:ro"
command:
- "logstash -f /etc/logstash/conf/simplels.conf"
And simplels.conf contains this:
input {
stdin{}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
}
stdout{}
}
Overall file structure is this, I'm running docker-compose up from the docker folder and getting Exit 1 on the Logstash container due to my 'command' parameter:
/docker:
docker-compose.yml
/logstash
simplels.conf

Environment variable in Logstash not being parsed correctly

I come here after reading How to reference environment variables in logstash configuration file?.
Unfortunately it did not work for me.
I am running:
bin/logstash -f my_filters.conf --debug
And my config file is:
input {
file {
path => "/tmp/${RUN_ID}/*.txt"
start_position => beginning
sincedb_path => "/dev/null"
ignore_older => 0
}
}
output {
elasticsearch {
hosts => [ "localhost:9200" ]
index => "${RUN_ID}"
}
}
And no new index is being created.
This is after setting:
export RUN_ID=500
For example.
If I change my config to have a hard-coded value (e.g. 500), then the index is created without a problem.
I have read the documentation and it mentions exactly what I'm doing right now...
What am I doing wrong, how can I get the environment variable working?
Logstash 2.4 requires a command line argument of --allow-env to do environment substitutions.
Without the flag it doesn't complain (but doesn't work)
bin/logstash -f test.conf
Settings: Default pipeline workers: 8
Pipeline main started
With the flag, it will complain if you don't set it:
bin/logstash --allow-env -f test.conf
fetched an invalid config {:config=>"input {\n file {\n path => \"/tmp/${RUN_ID}/*.txt\"\n start_position => beginning\n sincedb_path => \"/dev/null\"\n ignore_older => 0\n }\n}\n\noutput {\nstdout { codec=>rubydebug}\n elasticsearch {\n hosts => [ \"localhost:9200\" ]\n index => \"${RUN_ID}\"\n }\n}\n\n\n", :reason=>"Cannot evaluate `${RUN_ID}`. Environment variable `RUN_ID` is not set and there is no default value given.", :level=>:error}
And of course with the argument and flag, everything works right:
export RUN_ID=10
bin/logstash --allow-env -f test.conf
Pipeline main started
{
"message" => "asdfasdf",
"#version" => "1",
"#timestamp" => "2016-11-01T21:10:15.964Z",
"path" => "/tmp/10/test.txt",
"host" => "XXXXXXXXX.local"
}

How to read /var/log/wtmp logs in elasticsearch

I am trying to read the access log s from /var/log/wtmp in elasticsearch
I can read the file when logged into the box by using last -F /var/log/wtmp
I have logstash running and sending logs to elasticsearch, here is logstash conf file.
input {
file {
path => "/var/log/wtmp"
start_position => "beginning"
}
}
output {
elasticsearch {
host => localhost
protocol => "http"
port => "9200"
}
}
what is showing in elasticsearch is
G
Once i opened the file using less , i could only see binary data.
Now logstash cant understand this data.
A logstash file like the following should work fine -
input {
pipe {
command => "/usr/bin/last -f /var/log/wtmp"
}
}
output {
elasticsearch {
host => localhost
protocol => "http"
port => "9200"
}
}
Vineeth's answer is right but the following cleaner config works as well:
input { pipe { command => "last" } }
last /var/log/wtmp and last are exactly the same.
utmp, wtmp, btmp are Unix files that keep track of user logins and logouts. They cannot be read directly because they are not regular text files. However, there is the last command which displays the information of /var/log/wtmp in plain text.
$ last --help
Usage:
last [options] [<username>...] [<tty>...]
I can read the file when logged into the box by using last -F /var/log/wtmp
I doubt that. What the -F flag does:
-F, --fulltimes print full login and logout times and dates
So, last -F /var/log/wtmp will interpret /var/log/wtmp as a username and won't print any login information.
What the -f flag does:
-f, --file <file> use a specific file instead of /var/log/wtmp

input as file path in logstash config

When I run a command like this(on a Windows System):
logstash agent -f logstash-simple.conf
When the logstash config file had input as stdin{} it gave the expected output but when the input was a path to the input file (file{path=>})
it didn't give any output.
Here is my config(logstash-simple.conf) file:
input {
file{
type=>"syslog"
path=>["C:/Users/Administrator/Downloads/syslog.txt"]
}
}
output {
stdout {
codec => rubydebug
}
}
If you have an existing file that you are looking to load, you'll need to add
start_postition => beginning
to your file input.
I had the same problem.
You should have an empty line at the end of the file!
that worked for me

Resources