Config error from logstash 5.6 to 6.7 migration

Hi,

On Logstash 5.6 I have the following working config.

input {
    tcp {
        port => 514
        type => syslog
    }
    udp {
        port => 514
        type => syslog
    }
}

filter {
    if [type] == "syslog" {
        grok {
            match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
            add_field => [ "received_from", "%{host}" ]
        }
    }
}

output {
    elasticsearch {
        hosts => ["127.0.0.1:9200"]
    }

    stdout { codec => rubydebug }
}

When I am using the same config on Logstash 6.7 I get the following error:

[2019-04-04T07:12:37,618][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.7.0"}
[2019-04-04T07:12:38,116][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, input, filter, output at line 6, column 1 (byte 132) after ## JVM configuration\n\n# Xms represents the initial size of total heap space\n# Xmx represents the maximum size of total heap space\n\n", :backtrace=>["/opt/elk/logstash-6.7.0/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "/opt/elk/logstash-6.7.0/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "/opt/elk/logstash-6.7.0/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2577:in `map'", "/opt/elk/logstash-6.7.0/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:151:in `initialize'", "/opt/elk/logstash-6.7.0/logstash-core/lib/logstash/pipeline.rb:22:in `initialize'", "/opt/elk/logstash-6.7.0/logstash-core/lib/logstash/pipeline.rb:90:in `initialize'", "/opt/elk/logstash-6.7.0/logstash-core/lib/logstash/pipeline_action/create.rb:43:in `block in execute'", "/opt/elk/logstash-6.7.0/logstash-core/lib/logstash/agent.rb:96:in `block in exclusive'", "org/jruby/ext/thread/Mutex.java:165:in `synchronize'", "/opt/elk/logstash-6.7.0/logstash-core/lib/logstash/agent.rb:96:in `exclusive'", "/opt/elk/logstash-6.7.0/logstash-core/lib/logstash/pipeline_action/create.rb:39:in `execute'", "/opt/elk/logstash-6.7.0/logstash-core/lib/logstash/agent.rb:334:in `block in converge_state'"]}
[2019-04-04T07:12:38,267][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

Can you please help me to identify and fix this problem?

Regards,
-Manish

That suggests that logstash is reading jvm.options as part of the logstash configuration. What command line are you using to start logstash? Are you trying to use -f or pipelines.yml?

Yes, that was the problem. I had placed my logstash-syslog config in the Logstash config dir where jvm.options and other files exist. Now I have created another dir within config as conf and have moved the logstash-syslog config to config/conf, and I am able to start the process successfully.

Thanks for pointing it out.

Regards,
-Manish
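
The failure discussed in this thread, as an added example that is not part of the original posts: a shell pre-flight check that lists the files in a directory given to -f or path.config whose first non-comment line does not open an input, filter or output section. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Logstash reads the files in a
# directory given to -f / path.config as pipeline configuration, so a stray
# jvm.options there breaks the parse, as in the error quoted above.

# Succeeds when the first line that is neither blank nor a '#' comment opens
# an input, filter or output section (or when the file has no such line).
looks_like_pipeline() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        /^[ \t]*(input|filter|output)[ \t]*[{]/ { exit 0 }
        /^[ \t]*(input|filter|output)[ \t]*$/  { exit 0 }
        { exit 1 }
    ' "$1"
}

# Prints the name of each regular file in directory $1 that fails the check.
# Returns 1 if at least one file was printed, 0 otherwise.
find_non_pipeline_files() {
    fnp_status=0
    for fnp_file in "$1"/*; do
        [ -f "$fnp_file" ] || continue
        if ! looks_like_pipeline "$fnp_file"; then
            printf '%s\n' "${fnp_file##*/}"
            fnp_status=1
        fi
    done
    return "$fnp_status"
}

# Constructed sample: a pipeline file next to a jvm.options-style file.
# Prints the path of the temporary directory it created.
make_sample_dir() {
    msd_dir=$(mktemp -d) || return 1
    printf '%s\n' '## JVM configuration' '' '# Xms represents the initial size' \
        '-Xms1g' '-Xmx1g' > "$msd_dir/jvm.options"
    printf '%s\n' '# syslog pipeline' 'input {' '  tcp { port => 514 }' '}' \
        'output {' '  stdout { codec => rubydebug }' '}' \
        > "$msd_dir/logstash-syslog.conf"
    printf '%s\n' "$msd_dir"
}

sample_dir=$(make_sample_dir)
flagged=$(find_non_pipeline_files "$sample_dir") || true
printf 'not pipeline config: %s\n' "$flagged"
rm -rf "$sample_dir"
```

Run against the real directory before starting Logstash; a non-zero exit status means at least one file there would be parsed as pipeline configuration and fail.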
