Cannot parse file using Logstash on my Win10 system

clabnet · March 13, 2019, 10:45am

Hi, my first post here.
I'm using Logstash v. 6.6.0. My goal is to parse log using Grok patterns.

This is my start command:

logstash -f ../config/logstash.conf --verbose

This is my logstash.conf (very basic) :

input {
  file {
    path => ["D:\mypath\mylogfile.log"]
    sincedb_path => "nul"
    start_position => "beginning"
	type => "log"
  }
}

filter {
  mutate {
    add_tag => [ 'pippo' ]
  }
#  grok {
#    match => { "message" => "\A\[%{LOGLEVEL:level}\]\[%{TIMESTAMP_ISO8601:timestamp}]\[%{DATA:src}] - \[%{GREEDYDATA:message}\]" }
#	overwrite => [ "message" ]
#	tag_on_failure => true
#  }
}

output {
  stdout {
    codec => rubydebug
  }
}

A snippet of input file mylogfile.log:

[INFO ][2019-03-12 10:42:47,462][ClasspathHacker] - [Adding to class path: path=[file:/D:/archibus/Metro/trunk/archibus/WEB-INF/config/]]
[INFO ][2019-03-12 10:42:47,462][ClasspathHacker] - [Adding to class path: path=[file:/D:/archibus/Metro/trunk/archibus/WEB-INF/]]
[INFO ][2019-03-12 10:42:47,462][ClasspathHacker] - [Adding to class path: path=[file:/D:/archibus/Metro/trunk/archibus/WEB-INF/config/context/core/]]
[INFO ][2019-03-12 10:42:47,462][ClasspathHacker] - [Adding to class path: path=[file:/D:/archibus/Metro/trunk/archibus/WEB-INF/config/context/applications/]]
[INFO ][2019-03-12 10:42:47,468][ContextLoader] - [Root WebApplicationContext: initialization started]
[INFO ][2019-03-12 10:42:47,537][WebCentralContextLoaderListener] - [Initializing web application context]
[INFO ][2019-03-12 10:42:47,537][AbstractApplicationContext] - [Refreshing Root WebApplicationContext: startup date [Tue Mar 12 10:42:47 CET 2019]; root of context hierarchy]
[INFO ][2019-03-12 10:42:47,568][XmlBeanDefinitionReader] - [Loading XML bean definitions from ServletContext resource [/WEB-INF/config/context/appContext.xml]]
[INFO ][2019-03-12 10:42:47,708][XmlBeanDefinitionReader] - [Loading XML bean definitions from ServletContext resource [/WEB-INF/config/context/core/core.xml]]
[INFO ][2019-03-12 10:42:47,723][XmlBeanDefinitionReader] - [Loading XML bean definitions from ServletContext resource [/WEB-INF/config/context/core/core-services.xml]]

This is the result on console:

Sending Logstash logs to D:\Elastic\Logstash\logs which is now configured via log4j2.properties
[2019-03-13T11:25:38,171][WARN ][logstash.config.source.multilocal] Ignoring the    'pipelines.yml' file because modules or command line options are specified
[2019-03-13T11:25:38,186][INFO ][logstash.runner          ] Starting Logstash   {"logstash.version"=>"6.6.0"}
[2019-03-13T11:25:41,623][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2019-03-13T11:25:41,936][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x65d982c6 sleep>"}
[2019-03-13T11:25:41,968][INFO ][filewatch.observingtail  ] START, creating Discoverer, Watch with file and sincedb collections
[2019-03-13T11:25:41,968][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2019-03-13T11:25:42,198][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

I have tried also to create a new mylogfile-1.log, -2 etc, the result on console is the same.
I have commented the grok filter to simplify my command, same result.
No processing.

I'm missing a thing. What ?

Thank's

Badger · March 13, 2019, 10:55am

Use forward slash in filenames for the file input, not backslash. If that does not help then enable '--log.level trace' to see what filewatch is doing.

clabnet · March 13, 2019, 10:57am

The problem was the forward slash.
Grazie @Badger

system · April 10, 2019, 10:58am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.