Attempting to Install template

MKirby · November 10, 2021, 2:46pm

Good Morning Logstash experts.
As most of you know I have been working on injesting and being able to see the syslogs that are being sent directly to my logstash server. When I run a debug on my logstash I see the following:

[logstash.log][DEBUG] Attempting to install template {:template=>{"index_patterns"=>"logstash-*", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s", "number_of_shards"=>1}, "mappings"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}
08:26:33.460
logstash.log
[logstash.log][DEBUG] Attempting to install template {:template=>{"index_patterns"=>"logstash-*", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s", "number_of_shards"=>1}, "mappings"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}
08:26:33.464
logstash.log
[logstash.log][DEBUG] Found existing Elasticsearch template, skipping template management {:name=>"logstash"}
08:26:33.467
logstash.log
[logstash.log][DEBUG] Found existing Elasticsearch template, skipping template management {:name=>"logstash"}

Looking at that it appears that it is trying to create a template but is not being able to do so. If I locate the "logstash" template that is being seen and delete it, will that solve my issue and allow me to view the syslogs that are being directed to my logstash?

MKirby · November 10, 2021, 6:58pm

More information, if it will help. The lines immediately following the 4 above regarding the Attempting to install template are:

[logstash.log][DEBUG] Found existing Elasticsearch template, skipping template management {:name=>"logstash"}
13:40:17.181
logstash.log
[logstash.log][INFO] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>500, "pipeline.sources"=>["/etc/logstash/logstash-sample.conf"], :thread=>"#<Thread:0x4977bfd3 run>"}
13:40:17.183
logstash.log
[logstash.log][DEBUG] Found existing Elasticsearch template, skipping template management {:name=>"logstash"}
13:40:17.573
logstash.log
[logstash.log][DEBUG] Compiled output
 P[output-elasticsearch{"hosts"=>["http://ES_IP_Addy:9200"], "index"=>"%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}", "user"=>"ES_User", "password"=>"ES_User_Pass"}|[file]/etc/logstash/logstash-sample.conf:22:3:```
elasticsearch {
    hosts => ["http://ES_IP_addy:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "ES_User"
    password => "ES_User_Pass"
  }
```] 
 into 
 org.logstash.config.ir.compiler.ComputeStepSyntaxElement@3fdc2b9c
13:40:17.573
logstash.log
[logstash.log][DEBUG] Compiled output
 P[output-elasticsearch{"hosts"=>["http://ES_IP_Addy:9200"], "index"=>"%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}", "user"=>"ES_User", "password"=>"ES_User_Pass"}|[file]/etc/logstash/logstash-sample.conf:22:3:```
elasticsearch {
    hosts => ["http://ES_IP_Addy:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "_ES_User"
    password => "ES_User_Pass"
  }
```] 
 into 
 org.logstash.config.ir.compiler.ComputeStepSyntaxElement@3fdc2b9c
13:40:17.574
logstash.log
[logstash.log][DEBUG] Compiled output
 P[output-elasticsearch{"hosts"=>["http://ES_IP_Addy:9200"], "index"=>"%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}", "user"=>"ES_User", "password"=>"ES_User_Pass"}|[file]/etc/logstash/logstash-sample.conf:22:3:```
elasticsearch {
    hosts => ["http://ES_IP_Addy:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "ES_User"
    password => "ES_User_Pass"
  }
```] 
 into 
 org.logstash.config.ir.compiler.ComputeStepSyntaxElement@3fdc2b9c
13:40:17.576
logstash.log
[logstash.log][DEBUG] Compiled output
 P[output-elasticsearch{"hosts"=>["http://ES_IP_addy:9200"], "index"=>"%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}", "user"=>"ES_user", "password"=>"ES_User_pass"}|[file]/etc/logstash/logstash-sample.conf:22:3:```
elasticsearch {
    hosts => ["http://ES_IP_Addy:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "ES_User"
    password => "ES_Pass"
  }
```] 
 into 
 org.logstash.config.ir.compiler.ComputeStepSyntaxElement@3fdc2b9c

So it looks like it is trying to use "logstash" as the index??? Am I reading it correctly?

Please help.

system · December 8, 2021, 6:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok patterns for syslog configuration in logstash Logstash	4	13223	June 25, 2017
Attempting to install template Logstash	3	667	July 31, 2019
Errors running logstash, bit of a newb Logstash	6	577	May 1, 2017
Failed to install template error Logstash	6	19008	October 25, 2017
Template PUT Failing Elasticsearch	3	3073	February 27, 2017

Attempting to Install template

Related topics