Elasticsearch doesn't create logstash index

Hi all,
I am using Logstash (rpm version 6.5.1) to ship logs into Elasticsearch (rpm version 6.5.1). My configuration file is as follows:

input {
  file {
    path => "/home/srahimi/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/servers/AdminServer/logs/AdminServer.log"
  }
}

output {
  elasticsearch {
    hosts => "http://192.168.170.153:9200"
    user => "logstash_internal4"
    password => "x-pack-test-password"
  }
}

The logstash-plain.log is as follows:

[2019-01-24T11:49:30,367][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.5.1"}
[2019-01-24T11:49:35,704][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2019-01-24T11:49:36,827][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://logstash_internal4:xxxxxx@192.168.170.153:9200/]}}
[2019-01-24T11:49:36,871][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://logstash_internal4:xxxxxx@192.168.170.153:9200/, :path=>"/"}
[2019-01-24T11:49:37,437][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://logstash_internal4:xxxxxx@192.168.170.153:9200/"}
[2019-01-24T11:49:37,544][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2019-01-24T11:49:37,552][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2019-01-24T11:49:37,605][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["http://192.168.170.153:9200"]}
[2019-01-24T11:49:37,636][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil}
[2019-01-24T11:49:37,824][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-*", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"_default_"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2019-01-24T11:49:38,188][INFO ][logstash.inputs.file     ] No sincedb_path set, generating one based on the "path" setting {:sincedb_path=>"/var/lib/logstash/plugins/inputs/file/.sincedb_1b5bd567e235b7530cc3ff70df0cb881", :path=>["/home/srahimi/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/servers/AdminServer/logs/AdminServer.log"]}
[2019-01-24T11:49:38,270][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x28546579 run>"}
[2019-01-24T11:49:38,398][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2019-01-24T11:49:38,439][INFO ][filewatch.observingtail  ] START, creating Discoverer, Watch with file and sincedb collections
[2019-01-24T11:49:38,989][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

The Elasticsearch log is as follows; there is no error or message about creating the "logstash-*" template:

[2019-01-24T11:31:04,143][INFO ][o.e.g.GatewayService     ] [node-1] recovered [43] indices into cluster_state
[2019-01-24T11:31:04,799][INFO ][o.e.x.w.WatcherService   ] [node-1] reloading watcher, reason [new local watcher shard allocation ids], cancelled [0] queued tasks
[2019-01-24T11:31:07,677][INFO ][o.e.c.r.a.AllocationService] [node-1] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana_1][0], [.monitoring-kibana-6-2019.01.01][0], [.monitoring-es-6-2019.01.01][0]] ...]).
[2019-01-24T11:33:18,678][INFO ][o.e.c.m.MetaDataIndexTemplateService] [node-1] adding template [.management-beats] for index patterns [.management-beats]
[2019-01-24T11:33:20,815][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [.monitoring-kibana-6-2019.01.24] creating index, cause [auto(bulk api)], templates [.monitoring-kibana], shards [1]/[0], mappings [doc]
[2019-01-24T11:47:26,001][INFO ][o.e.x.s.a.u.TransportPutUserAction] [node-1] added user [logstash_internal4]
[2019-01-24T11:48:04,334][INFO ][o.e.x.s.a.r.TransportPutRoleAction] [node-1] added role [logstash_writer4]

The role and user are defined as follows:

POST _xpack/security/user/logstash_internal4
{
  "password" : "x-pack-test-password",
  "roles" : [ "logstash_writer4"],
  "full_name" : "Internal Logstash User"
}

and

POST _xpack/security/role/logstash_writer4
{
  "cluster": ["manage_index_templates", "monitor"],
  "indices": [
    {
      "names": [ "logstash-*" ],
      "privileges": ["write","delete","create_index"]
    }
  ]
}

The problem is that there is no error in the Logstash log, but the index is not created in Elasticsearch and I cannot find the index in Kibana. Any advice would be much appreciated.

Notably, I used logstash-6.4.2.tar.gz to ship logs into Elasticsearch (rpm installation of Elasticsearch version 6.5.1) with the same settings (same log path, same user and role mentioned above), and it can ship logs into Elasticsearch and I can see the logs. It is so weird: why can't I see the logstash-* index in Kibana and in the Elasticsearch logs in the case of the rpm installation of Logstash?
