Attempting to Install template

MKirby · November 10, 2021, 2:46pm

Good Morning Logstash experts.
As most of you know I have been working on injesting and being able to see the syslogs that are being sent directly to my logstash server. When I run a debug on my logstash I see the following:

[logstash.log][DEBUG] Attempting to install template {:template=>{"index_patterns"=>"logstash-*", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s", "number_of_shards"=>1}, "mappings"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}
08:26:33.460
logstash.log
[logstash.log][DEBUG] Attempting to install template {:template=>{"index_patterns"=>"logstash-*", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s", "number_of_shards"=>1}, "mappings"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}
08:26:33.464
logstash.log
[logstash.log][DEBUG] Found existing Elasticsearch template, skipping template management {:name=>"logstash"}
08:26:33.467
logstash.log
[logstash.log][DEBUG] Found existing Elasticsearch template, skipping template management {:name=>"logstash"}

Looking at that it appears that it is trying to create a template but is not being able to do so. If I locate the "logstash" template that is being seen and delete it, will that solve my issue and allow me to view the syslogs that are being directed to my logstash?

MKirby · November 10, 2021, 6:58pm

More information, if it will help. The lines immediately following the 4 above regarding the Attempting to install template are:

[logstash.log][DEBUG] Found existing Elasticsearch template, skipping template management {:name=>"logstash"}
13:40:17.181
logstash.log
[logstash.log][INFO] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>500, "pipeline.sources"=>["/etc/logstash/logstash-sample.conf"], :thread=>"#<Thread:0x4977bfd3 run>"}
13:40:17.183
logstash.log
[logstash.log][DEBUG] Found existing Elasticsearch template, skipping template management {:name=>"logstash"}
13:40:17.573
logstash.log
[logstash.log][DEBUG] Compiled output
 P[output-elasticsearch{"hosts"=>["http://ES_IP_Addy:9200"], "index"=>"%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}", "user"=>"ES_User", "password"=>"ES_User_Pass"}|[file]/etc/logstash/logstash-sample.conf:22:3:```
elasticsearch {
    hosts => ["http://ES_IP_addy:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "ES_User"
    password => "ES_User_Pass"
  }
```] 
 into 
 org.logstash.config.ir.compiler.ComputeStepSyntaxElement@3fdc2b9c
13:40:17.573
logstash.log
[logstash.log][DEBUG] Compiled output
 P[output-elasticsearch{"hosts"=>["http://ES_IP_Addy:9200"], "index"=>"%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}", "user"=>"ES_User", "password"=>"ES_User_Pass"}|[file]/etc/logstash/logstash-sample.conf:22:3:```
elasticsearch {
    hosts => ["http://ES_IP_Addy:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "_ES_User"
    password => "ES_User_Pass"
  }
```] 
 into 
 org.logstash.config.ir.compiler.ComputeStepSyntaxElement@3fdc2b9c
13:40:17.574
logstash.log
[logstash.log][DEBUG] Compiled output
 P[output-elasticsearch{"hosts"=>["http://ES_IP_Addy:9200"], "index"=>"%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}", "user"=>"ES_User", "password"=>"ES_User_Pass"}|[file]/etc/logstash/logstash-sample.conf:22:3:```
elasticsearch {
    hosts => ["http://ES_IP_Addy:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "ES_User"
    password => "ES_User_Pass"
  }
```] 
 into 
 org.logstash.config.ir.compiler.ComputeStepSyntaxElement@3fdc2b9c
13:40:17.576
logstash.log
[logstash.log][DEBUG] Compiled output
 P[output-elasticsearch{"hosts"=>["http://ES_IP_addy:9200"], "index"=>"%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}", "user"=>"ES_user", "password"=>"ES_User_pass"}|[file]/etc/logstash/logstash-sample.conf:22:3:```
elasticsearch {
    hosts => ["http://ES_IP_Addy:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "ES_User"
    password => "ES_Pass"
  }
```] 
 into 
 org.logstash.config.ir.compiler.ComputeStepSyntaxElement@3fdc2b9c

So it looks like it is trying to use "logstash" as the index??? Am I reading it correctly?

Please help.

system · December 8, 2021, 6:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok patterns for syslog configuration in logstash Logstash	4	13222	June 25, 2017
Failed to install template error Logstash	6	18995	October 25, 2017
Failing to PUT in an Index Template Elasticsearch	3	9977	August 20, 2018
Error while installing index templates Logstash	1	222	August 4, 2022
Logstash giving error while creating template - Failed to install template Got response code '400' contacting Elasticsearch at URL Logstash	1	587	July 18, 2022

Attempting to Install template

Related Topics