I am trying Consume data From RabbitMQ To Elasticsearch, and I followed this tutorial https://akintola-lonlon.medium.com/logstash-5-easy-steps-to-consume-data-from-rabbitmq-to-elasticsearch-8fb0eb6e9196
this is my rabbitmq quque
This is my logstash-rabbitmq.conf
input {
rabbitmq {
id => "rabbitmq_logs"
host => "localhost"
port => 5672
vhost => "/"
queue => "system_logs"
ack => false
}
}
filter {
grok {
match => {"message" => "%{COMBINEDAPACHELOG}"}
}
date {
match => ["timestamp", "dd/MM/yyyy:HH:mm:ss Z"]
}
}
output {
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "logstash_rabbit_mq_hello"
}
stdout {
codec => rubydebug
}
}
Then I try to run sudo bin/logstash -f conf.d/logstash-rabbitmq.conf I get flowing error
[2022-10-17T10:08:43,917][WARN ][logstash.inputs.rabbitmq ][main][rabbitmq_logs] Error while setting up connection, will retry {:exception=>MarchHare::PreconditionFailed, :message=>"PRECONDITION_FAILED - inequivalent arg 'durable' for queue 'system_logs' in vhost '/': received 'false' but current is 'true'", :cause=>#<Java::JavaIo::IOException: >}
[2022-10-17T10:08:43,917][WARN ][logstash.inputs.rabbitmq ][main][rabbitmq_logs] RabbitMQ connection was closed {:url=>"amqp://guest:XXXXXX#localhost:5672/", :automatic_recovery=>true, :cause=>#<Java::ComRabbitmqClient::ShutdownSignalException: clean connection shutdown; protocol method: #method<connection.close>(reply-code=200, reply-text=OK, class-id=0, method-id=0)>}
[2022-10-17T10:08:44,929][INFO ][logstash.inputs.rabbitmq ][main][rabbitmq_logs] Connected to RabbitMQ {:url=>"amqp://guest:XXXXXX#localhost:5672/"}
how can I fix this problem?
I am a beginner in RabbitMQ and ELK, pleas help me
I want to send data to 2 endpoint from logstash, one of which is HTTP endpoint & other is HTTPS.
I tried putting username & password for HTTPS endpoint in url itself but logstash is taking those fields [username & password] for the other endpoint also.
my current output field if like:
output {
elasticsearch{
index => "index_name"
document_id => "%{index_id}"
hosts => ["https://elastic:pass#clusterid.asia-northeast1.gcp.cloud.es.io:9243",
"http://127.0.0.1:9200"]
}
}
Getting this message in logs:
Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://elastic:xxxxxx#clusterid.asia-northeast1.gcp.cloud.es.io:9243/, https://elastic:xxxxxx#127.0.0.1:9200/]}}
And this:
[logstash.agent] Failed to execute action {:id=>:"cloud-elastic", :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<cloud-elastic>, action_result: false", :backtrace=>nil}
please try using different elasticsearch output for https and http,below settings
if "Https" in [tag]{
elasticsearch {
hosts => [ "https://elastic:pass#clusterid.asia-northeast1.gcp.cloud.es.io:9243" ]
user => "${ES_USER:admin}"
password => "${ES_PWD:admin}"
ssl => true
ssl_certificate_verification => false
cacert => "${CERTS_DIR}/certs/ca.crt"
index => "%{[docInfo][index]}"
action => "index"
}
} else {
elasticsearch {
hosts => [ "http://127.0.0.1:9200" ]
index => "%{[docInfo][index]}"
action => "index"
}
}
In .bashrc file
set the below environment variables
export ES_USER=elastic
export ES_PWD=pass
export CERTS_DIR=/home/abc
Im trying to read logs from rabbitmq queue from logstash and then pass it to elasticsearch. But with no success. Here is my logstash config.
input {
rabbitmq {
host => "localhost"
port => 15672
heartbeat => 30
durable => true
exchange => "logging_queue"
exchange_type => "logging_queue"
}
}
output {
elasticsearch {
hosts => "localhost:9200"
}
stdout {}
}
But there is no index created so ofcourse I cant see any logs in Kibana
There are some messages in queue
I think the correct (default) port is 5672, as 15672 is the port of the web admin console.
input {
rabbitmq {
host => "localhost"
port => 5672 <--- change this
heartbeat => 30
durable => true
exchange => "logging_queue"
exchange_type => "logging_queue"
}
}
output {
elasticsearch {
hosts => "localhost:9200"
}
stdout {}
}
I'm Unable to load index to elasticsearch using logstash. The follwing are my logstash.conf settings. To me config settings seems fine. Please help if I'm missing something.
Assume that Logstash & elastic search services are running fine.
input {
file {
type => "IISLog"
path => "C:/inetpub/logs/LogFiles/W3SVC1/u_ex140930.log"
start_postition => "beginning"
}
}
output {
stdout { debug => true debug_format => "ruby"}
elasticsearch_http {
host => "localhost"
port => 9200
protocol => "http"
index => "iislogs2"
}
}
You can start with checking the following:
Check the logstash log file for errors.
Run the following command:telnet localhost 9200 and verify you are able to connect.
Check elasticsearch log files for errors.
I am trying to connect Logstash with Elasticsearch but cannot get it working.
Here is my logstash conf:
input {
stdin {
type => "stdin-type"
}
file {
type => "syslog-ng"
# Wildcards work, here :)
path => [ "/var/log/*.log", "/var/log/messages", "/var/log/syslog" ]
}
}
output {
stdout { }
elasticsearch{
type => "all"
embedded => false
host => "192.168.0.23"
port => "9300"
cluster => "logstash-cluster"
node_name => "logstash"
}
}
And I only changed these details in my elasticsearch.yml
cluster.name: logstash-cluster
node.name: "logstash"
node.master: false
network.bind_host: 192.168.0.23
network.publish_host: 192.168.0.23
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["localhost"]
With these configurations I could not make Logstash connect to ES. Can someone please suggest where I am going wrong?
First, I suggest matching your "type" attributes up.
In your input you have 2 different types, and in your output you have a type that doesn't exists in any of your inputs.
For testing, change your output to:
output {
stdout { }
elasticsearch{
type => "stdin-type"
embedded => false
host => "192.168.0.23"
port => "9300"
cluster => "logstash-cluster"
node_name => "logstash"
}
}
Then,have you created an index on your ES instance?
From the guides I've used, and my own experience (others may have another way that works) I've always used an index so that when I push something into ES, I can use the ES API and quickly check if the data has gone in or not.
Another suggestion would be to simply run your Logstash forwarder and indexer with debug flags to see what is going on behind the scenes.
Can you connect to your ES instance on 127.0.0.1? Also, try to experiment with the port and host. As a rather new user of the Logstash system, I found that my understanding at the start went against the reality of the setup. Sometimes the host IP isn't what you think it is, as well as the port. If you are willing to check your network and identify listening ports and IPs, then you can sort this out, otherwise do some intelligent trial and error.
I highly recommend this guide as a comprehensive starting point. Both points I've mentioned are (in)directly touched upon in the guide. While the guide has a slightly more complex starting point, the ideas and concepts are thorough.
I could not make Logstash connect to ES
This happened to me when my logstash and elasticsearch versions were out of sync
from the docs:
VERSION NOTE: Your Elasticsearch cluster must be running Elasticsearch
1.1.1. If you use any other version of Elasticsearch, you should set protocol => http in this plugin.
Setting protocol => http explicitly as outlined above fixed it for me.
As Adam said, the thing was the protocol setting, so only for testing I did:
logstash -e 'input { stdin { } } output { elasticsearch { host => localhost protocol => "http" port => "9200" } }'
And that seems to be working on OSX. Issue here.
Following is tested on
elasticsearch:5.4.0
and
logstash:5.4.0
(I have use docker container on OpenStack)
For Elasticsearch :
/usr/share/elasticsearch/config/elasticsearch.yml should look like as follows -
cluster.name: "docker-cluster"
network.host: 0.0.0.0
discovery.zen.minimum_master_nodes: 1
No change in any other files of /usr/share/elasticsearch/config/ is required
Run Elasticsearch using simple command -
sudo docker run --name elasticsearch -p 9200:9200 docker.elastic.co/elasticsearch/elasticsearch:5.4.0
For Logstash :
/usr/share/logstash/config/logstash.yml should look like as follows -
http.host: "0.0.0.0"
path.config: /usr/share/logstash/pipeline
# http://111.*.*.11:9200 is the IP & Port of Elasticsearch's server
xpack.monitoring.elasticsearch.url: http://111.*.*.11:9200
# "elastic" is the user name of Elasticsearch's account
xpack.monitoring.elasticsearch.username: elastic
# "changeme" is the password of Elasticsearch's "elastic" user
xpack.monitoring.elasticsearch.password: changeme
No change in any other files of /usr/share/logstash/config/ is required
/usr/share/logstash/pipeline/logstash.conf should look like as follows -
input {
file {
path => "/usr/share/logstash/test_i.log"
}
}
output {
elasticsearch {
# http://111.*.*.11:9200 is the IP & Port of Elasticsearch's server
hosts => ["http://111.*.*.11:9200"]
# "elastic" is the user name of Elasticsearch's account
user => "elastic"
# "changeme" is the password of Elasticsearch's "elastic" user
password => "changeme"
}
}
Run Logstash using simple command -
sudo docker run --name logstash --expose 25826 -p 25826:25826 docker.elastic.co/logstash/logstash:5.4.0 --debug
NOTE : Need not to do any configuration before running Docker containers. At first run the container using simple commands as mentioned above. Then go to corresponding dir, make the required changes, save it, exit container & restart the container, changes will be reflected.
I have had the same error message, and it took me a while to discover in the TRACE log of elasticsearch's discovery process that the ip address logstash was using was incorrect.
I had several ip addresses and logstash used the wrong one. After that, everything went okay.
First,you don't need to create an index in ES.
Because,you don`t need to create "index" in elasticsearch;when the logstash assign the index,the index will be created automatically.
By the way,if you did not set the index value,it will be set as default value as "logstash-%{+YYYY.MM.dd}"
(you can check this in logstash offcial guide)~
Second,you may not keep your "elastic type" the same type as your "input type";you can also write your output like this:
output {
stdout { }
elasticsearch{
embedded => false
host => "192.168.0.23"
port => "9300"
index => "a_new_index"
cluster => "logstash-cluster"
node_name => "logstash"
document_type =>"my-own-type"
}
}
With the "document_type",you can save your logs into the any type you want~
Finally,if you don`t want to assign the "document_type";it will be set the same with your "input type"
Or even you forget to assign type in "all of the configuration file";the type will be set as default value as logs~
OK,enjoy it~
I have a two node cluster of elastisearch, and only one for logstatsh.
This config works for me:
Node elk1:
#/etc/elasticsearch/elasticsearch.yml
script.disable_dynamic: true
cluster.name: elk-fibra
node.name: "elk1"
node.master: true
node.data: true
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["elk1.lab.fibra"]
root#elk1:
#/etc/logstash/conf.d/30-lumberjack-output.conf
output {
elasticsearch { host => localhost protocol => "http" port => "9200" }
stdout { codec => rubydebug }
}
Node elk2:
#/etc/elasticsearch/elasticsearch.yml
script.disable_dynamic: true
cluster.name: elk-fibra
node.name: "elk2"
node.master: false
node.data: true
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["elk1.lab.fibra"]
input => Logstash
output => ElasticSearch
input{
http {
port => 5044
response_headers => {
"Access-Control-Allow-Origin" => "*"
"Content-Type" => "text/plain"
"Access-Control-Allow-Headers" => "Origin, X-Requested-With, Content-Type, Accept"
}
}
}
output{
elasticsearch {
hosts => ["http://elasticsearch:9200"]
index => "logstash-%{+YYYY.MM.dd}"
user => elastic
password => ****
}