Can't create a new index on elastic with logstash

geppo · February 28, 2018, 2:05pm

Hi, is the first time for me that I use Logstash. I'm trying to index my apache log on localhost to a server. I can't see any error in /var/log/logstash/logstash-plain.log:

 [2018-02-28T14:45:29,984][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://elastic:xxxxxx@127.0.0.1:9200/]}}
[2018-02-28T14:45:29,984][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://elastic:xxxxxx@127.0.0.1:9200/, :path=>"/"}
[2018-02-28T14:45:30,016][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>#<URI::HTTP:0x29b767a2 URL:http://elastic:xxxxxx@127.0.0.1:9200/>}
[2018-02-28T14:45:30,016][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil}
[2018-02-28T14:45:30,020][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-*", "version"=>50001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"_default_"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword"}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2018-02-28T14:45:30,023][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>[#<URI::Generic:0x7a3b87a4 URL://127.0.0.1>]}
[2018-02-28T14:45:30,061][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-4.1.1-java/vendor/GeoLite2-City.mmdb"}
[2018-02-28T14:45:30,200][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>1000}
[2018-02-28T14:45:30,280][INFO ][logstash.pipeline        ] Pipeline main started
[2018-02-28T14:45:30,305][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

My configuration:

/usr/share/logstash/logstash.conf :

input {
  file {
    path => ["/var/log/apache2/access.log"]
    type => "apache_access"
  }
  file {
    path => ["/var/log/apache2/error.log"]
    type => "apache_error"
  }
}
filter {
   if [type] in [ "apache" , "apache_access" , "apache-access" ]  {
      grok {
         match => [
         "message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}",
         "message" , "%{COMMONAPACHELOG}+%{GREEDYDATA:extra_fields}"
         ]
         overwrite => [ "message" ]
      }
      mutate {
         convert => ["response", "integer"]
         convert => ["bytes", "integer"]
         convert => ["responsetime", "float"]
      }
      geoip {
         source => "clientip"
         target => "geoip"
         add_tag => [ "apache-geoip" ]
      }
      date {
         match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
         remove_field => [ "timestamp" ]
      }
      useragent {
         source => "agent"
      }
   }
   if [type] in ["apache_error","apache-error"] {
      grok {
         match => ["message", "\[%{WORD:dayname} %{WORD:month} %{DATA:day} %{DATA:hour}:%{DATA:minute}:%{DATA:second} %{YEAR:year}\] \[%{NOTSPACE:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:message}"]
         overwrite => [ "message" ]
      }
      mutate
      {
         add_field =>
         {
            "time_stamp" => "%{day}/%{month}/%{year}:%{hour}:%{minute}:%{second}"
         }
      }
      date {
         match => ["time_stamp", "dd/MMM/YYYY:HH:mm:ss"]
         remove_field => [ "time_stamp","day","dayname","month","hour","minute","second","year"]
      }
   }
}
output {
 elasticsearch {
   hosts => ["http://172.16.251.121:9200/"]
   index => "apache-%{+YYYY.MM.dd}"
   document_type => "system_logs"
 }
 stdout { codec => rubydebug }
}

/etc/logstash/conf.d/02-apache-input.conf :

input {
 file {
   path => ["/var/log/apache2/access.log"]
   type => "apache_access"
 }
 file {
   path => ["/var/log/apache2/error.log"]
   type => "apache_error"
 }
}

/etc/logstash/conf.d/10-apache-filter.conf :

filter {
   if [type] in [ "apache" , "apache_access" , "apache-access" ]  {
      grok {
         match => [
         "message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}",
         "message" , "%{COMMONAPACHELOG}+%{GREEDYDATA:extra_fields}"
         ]
         overwrite => [ "message" ]
      }
      mutate {
         convert => ["response", "integer"]
         convert => ["bytes", "integer"]
         convert => ["responsetime", "float"]
      }
      geoip {
         source => "clientip"
         target => "geoip"
         add_tag => [ "apache-geoip" ]
      }
      date {
         match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
         remove_field => [ "timestamp" ]
      }
      useragent {
         source => "agent"
      }
   }
   if [type] in ["apache_error","apache-error"] {
      grok {
         match => ["message", "\[%{WORD:dayname} %{WORD:month} %{DATA:day} %{DATA:hour}:%{DATA:minute}:%{DATA:second} %{YEAR:year}\] \[%{NOTSPACE:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:message}"]
         overwrite => [ "message" ]
      }
      mutate
      {
         add_field =>
         {
            "time_stamp" => "%{day}/%{month}/%{year}:%{hour}:%{minute}:%{second}"
         }
      }
      date {
         match => ["time_stamp", "dd/MMM/YYYY:HH:mm:ss"]
         remove_field => [ "time_stamp","day","dayname","month","hour","minute","second","year"]
      }
   }
}

/etc/logstash/conf.d/30-elasticsearch-output.conf :

output {
 elasticsearch {
   hosts => ["http://172.16.251.121:9200/"]
   index => "apache-%{+YYYY.MM.dd}"
   document_type => "apache_logs"
 }
 stdout { codec => rubydebug }
}

Thanks in advance!

magnusbaeck · February 28, 2018, 2:24pm

Does the Logstash user have read access to the files? Are they being updated with new data? With the configuration you have Logstash will tail the files rather than read them from the top.

geppo · February 28, 2018, 2:44pm

Yes I had run sudo chmod -R 777 /var/log/apache2/ before starting logstash. No, the files are not being updated. What I should change in my conf to index all the content of these files? Thanks

magnusbaeck · February 28, 2018, 2:53pm

This is an extremely frequently asked question. Please read past posts and the file input documentation. Keywords: start_position, sincedb_path.

geppo · February 28, 2018, 3:04pm

Thanks a lot Magnus Bäck, I will search for that

system · March 28, 2018, 3:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can’t create a new index in elasticsearch Elasticsearch	1	962	March 29, 2018
Can't create a new index in elasticsearch Logstash	2	395	March 29, 2018
Unable to create new indexe because of Logstash and ELastic error Elasticsearch	4	1395	September 3, 2018
Not creating a logstash index Logstash	4	384	September 12, 2018
Logstash not creating index on elasticsearch Logstash	5	4704	May 17, 2017

Can't create a new index on elastic with logstash

Related topics