_grokparsefailure and missing events when using Logstash Forwarder

incogniro · November 2, 2015, 2:30pm

I have a strange issue in which all events sent to Logstash via Logstash Forwarder using the Lumberjack input plugin are not indexed at all (completely missing, no indexes created in ElasticSearch) and a subset of the events result in _grokparsefailure. However when the files are processed on the Logstash server locally using the File input plugin there is no issues and the indexes are created in ElasticSearch.

Input and output configurations are:
input { # lumberjack { # port => 6782 # ssl_certificate => '/etc/pki/tls/certs/logstash-forwarder.crt' # ssl_key => '/etc/pki/tls/private/logstash-forwarder.key' # }

file {
path => '/tmp/all-fuse-logs/*'
start_position => 'beginning'
type => 'karaf'
sincedb_path => '/tmp/csms.sincedb'
}
}
elasticsearch { # Store event in datastore.
host => 'abc-log.def.ghi'
index => "logstash-%{+YYYY.MM.dd}-%{host}-%{type}"
}

Has anyone any idea what is going on and how I may proceed?

Thanks,

magnusbaeck · November 2, 2015, 2:32pm

Comment out the ES output and use a straight stdout { codec => rubydebug } to understand more of what's happening.

incogniro · November 2, 2015, 2:54pm

Hi Magnus, also note that when I alter the matching pattern to:
match => [ 'message', "%{GREEDYDATA:text}" ]
I still receive _grokparsefailure when using the Logstash Forwarder shipper.
I will give your suggestion a try.

Topic		Replies	Views
Problem with Logstash, don't start getting message "Exception in lumberjack input" Logstash	4	3092	July 6, 2017
Elasticsearch input missing [@metadata][_index] Logstash	14	2336	April 15, 2020
Some fields missing Logstash	6	1930	July 6, 2017
Missing event while report to elastic search Logstash	1	430	May 14, 2020
Logstash does not index event to elastic due to issue on host field Logstash	6	516	January 8, 2021

_grokparsefailure and missing events when using Logstash Forwarder

Related Topics