Conf file just sits and waits forever.... Windows


(OpSec Monkey) #1

Good morning/afternoon everyone.

I have recently started a fresh install with Windows 10 using 6.6.0 everything. ElasticSearch, Logstash and Kibana.
I got everything working installed but I am having a issue with my config file just sitting and waiting in powershell.

Here is my config file

input {
file {
path => "C:\Users\XXX\Documents\Split\*.*"
start_position => "beginning"
sincedb_path => "NUL"
}
}
filter {
csv {
separator => ","
}
}

output {
elasticsearch {
hosts => "localhost:9200"
index => "xxxxx"
document_type => "xxxx"
}
stdout { codec => rubydebug }
}

I thought everything looked good up there. I have roughly 13000 CSV files this time so I added the . to the end.
When I run

PS C:\Windows\system32> C:\ELK\logstash\bin\logstash.bat -f C:\ELK\logstash\config\email.conf

I get
Sending Logstash logs to C:/ELK/logstash/logs which is now configured via log4j2.properties
[2019-02-04T11:13:44,962][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-02-04T11:13:45,009][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.6.0"}
[2019-02-04T11:13:56,634][ERROR][logstash.inputs.file ] Unknown setting 'since_path' for file
[2019-02-04T11:13:56,665][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Something is wrong with your configuration.", :backtrace=>["C:/ELK/logstash/logstash-core/lib/logstash/config/mixin.rb:86:in config_init'", "C:/ELK/logstash/logstash-core/lib/logstash/inputs/base.rb:60:ininitialize'", "org/logstash/plugins/PluginFactoryExt.java:251:in plugin'", "org/logstash/plugins/PluginFactoryExt.java:181:inplugin'", "C:/ELK/logstash/logstash-core/lib/logstash/pipeline.rb:71:in plugin'", "(eval):8:in'", "org/jruby/RubyKernel.java:994:in eval'", "C:/ELK/logstash/logstash-core/lib/logstash/pipeline.rb:49:ininitialize'", "C:/ELK/logstash/logstash-core/lib/logstash/pipeline.rb:90:in initialize'", "C:/ELK/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:42:inblock in execute'", "C:/ELK/logstash/logstash-core/lib/logstash/agent.rb:92:in block in exclusive'", "org/jruby/ext/thread/Mutex.java:148:insynchronize'", "C:/ELK/logstash/logstash-core/lib/logstash/agent.rb:92:in exclusive'", "C:/ELK/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:38:inexecute'", "C:/ELK/logstash/logstash-core/lib/logstash/agent.rb:317:in `block in converge_state'"]}
[2019-02-04T11:13:57,259][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

Anyone have any ideas what I can be doing wrong?


#2

That should be sincedb_path, rather than since_path.


(OpSec Monkey) #3

@Badger Hello my friend.

I fixed that shortly after I posted this and I still get the same thing.

PS C:\Windows\system32> C:\ELK\logstash\bin\logstash.bat -f C:\ELK\logstash\config\email.conf
Sending Logstash logs to C:/ELK/logstash/logs which is now configured via log4j2.properties
[2019-02-04T13:18:28,396][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-02-04T13:18:28,490][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.6.0"}
[2019-02-04T13:19:01,302][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "document_type" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Document types are being deprecated in Elasticsearch 6.0, and removed entirely in 7.0. You should avoid this feature If you have any questions about this, please visit the #logstash channel on freenode irc. {:name=>"document_type", :plugin=><LogStash::Outputs::ElasticSearch index=>"account", id=>"48b537922c72dc19520ddc9b98bc994e8bbda37b593856c65f53c546e5d424ba", hosts=>[//localhost:9200], document_type=>"account", enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_3e19c91e-21aa-4715-a5ed-b72f77847dcf", enable_metric=>true, charset=>"UTF-8">, workers=>1, manage_template=>true, template_name=>"logstash", template_overwrite=>false, doc_as_upsert=>false, script_type=>"inline", script_lang=>"painless", script_var_name=>"event", scripted_upsert=>false, retry_initial_interval=>2, retry_max_interval=>64, retry_on_conflict=>1, ilm_enabled=>false, ilm_rollover_alias=>"logstash", ilm_pattern=>"{now/d}-000001", ilm_policy=>"logstash-policy", action=>"index", ssl_certificate_verification=>true, sniffing=>false, sniffing_delay=>5, timeout=>60, pool_max=>1000, pool_max_per_route=>100, resurrect_delay=>5, validate_after_inactivity=>10000, http_compression=>false>}
[2019-02-04T13:19:06,611][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2019-02-04T13:19:07,517][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://localhost:9200/]}}
[2019-02-04T13:19:08,048][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://localhost:9200/"}
[2019-02-04T13:19:08,595][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2019-02-04T13:19:08,595][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2019-02-04T13:19:08,689][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[2019-02-04T13:19:08,720][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil}
[2019-02-04T13:19:08,845][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-*", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"_default_"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2019-02-04T13:19:10,533][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x19b811e3 sleep>"}
[2019-02-04T13:19:10,642][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2019-02-04T13:19:10,673][INFO ][filewatch.observingtail  ] START, creating Discoverer, Watch with file and sincedb collections
[2019-02-04T13:19:11,283][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

So thats what I get now. Its just sitting there waiting and doing nothing. The _ just keeps flashing so I guess that means its doing something but not sure what.


#4

Enable --log.level trace and see what filewatch is doing.

See this post if you want to selectively enable trace level logging.


(OpSec Monkey) #5

I will figure out how to do that in windows and I will post shortly


(Guy Boertje) #6

I suspect that Logstash is treating the backslashes as escape characters.
path => "C:\Users\XXX\Documents\Split\*.*"

Try path => "C:\\Users\\XXX\\Documents\\Split\\*.*"
or path => "C:/Users/XXX/Documents/Split/*.*"


(OpSec Monkey) #7

I got it working. Thank you :slight_smile:


(Guy Boertje) #8

Which one worked for you?


#9

I've had the same issue with Windows, for me the solution was:
path => "C:/Users/XXX/Documents/Split/*.*"