_grokparsefailure and missing events when using Logstash Forwarder

incogniro · November 2, 2015, 2:30pm

I have a strange issue in which all events sent to Logstash via Logstash Forwarder using the Lumberjack input plugin are not indexed at all (completely missing, no indexes created in ElasticSearch) and a subset of the events result in _grokparsefailure. However when the files are processed on the Logstash server locally using the File input plugin there is no issues and the indexes are created in ElasticSearch.

Input and output configurations are:
input { # lumberjack { # port => 6782 # ssl_certificate => '/etc/pki/tls/certs/logstash-forwarder.crt' # ssl_key => '/etc/pki/tls/private/logstash-forwarder.key' # }

file {
path => '/tmp/all-fuse-logs/*'
start_position => 'beginning'
type => 'karaf'
sincedb_path => '/tmp/csms.sincedb'
}
}
elasticsearch { # Store event in datastore.
host => 'abc-log.def.ghi'
index => "logstash-%{+YYYY.MM.dd}-%{host}-%{type}"
}

Has anyone any idea what is going on and how I may proceed?

Thanks,

magnusbaeck · November 2, 2015, 2:32pm

Comment out the ES output and use a straight stdout { codec => rubydebug } to understand more of what's happening.

incogniro · November 2, 2015, 2:54pm

Hi Magnus, also note that when I alter the matching pattern to:
match => [ 'message', "%{GREEDYDATA:text}" ]
I still receive _grokparsefailure when using the Logstash Forwarder shipper.
I will give your suggestion a try.

Topic		Replies	Views
Lumberjack loosing grokked fields? Elasticsearch	1	317	July 6, 2017
Documents not in elasticsearch Logstash	4	348	July 6, 2017
Documents not in elasticsearch from logstash Elasticsearch	6	756	July 5, 2017
Problem with Logstash, don't start getting message "Exception in lumberjack input" Logstash	4	3092	July 6, 2017
LS -> LS (Lumberjack) - documents not being indexed? Logstash	13	672	September 11, 2018

_grokparsefailure and missing events when using Logstash Forwarder

Related topics