ELb logs from s3 to ELK server

Suresh_Pal · May 24, 2018, 2:14pm

I'm trying to ship my elb logs from the s3 bucket to ELK server. I'm getting following error

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/s3_elb_logs.conf
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2018-05-24 09:37:20.484 [main] scaffold - Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[INFO ] 2018-05-24 09:37:20.489 [main] scaffold - Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[WARN ] 2018-05-24 09:37:20.883 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2018-05-24 09:37:21.069 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"6.2.4"}
[INFO ] 2018-05-24 09:37:21.204 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[ERROR] 2018-05-24 09:37:21.294 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, ", ', -, [, { at line 2, column 12 (byte 24) after input {s3 {\n bucket => ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:42:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:incompile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:12:in block in compile_sources'", "org/jruby/RubyArray.java:2486:inmap'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in compile_sources'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:51:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:169:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:40:inexecute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:315:in block in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:inwith_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:312:in block in converge_state'", "org/jruby/RubyArray.java:1734:ineach'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:299:in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:166:inblock in converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:in with_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:164:inconverge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:90:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:348:inblock in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}

.conf file is

input {s3 {
bucket => “fcalb-logs”
prefix => "/"
region => “us-east-1”
type => “elblogs”
codec => plain
secret_access_key => “”
access_key_id => “”
}
}
filter {
grok {
match => [ "message", "%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb} %{IP:clientip}:%{INT:clientport:int} (?:(%{IP:backendip}:?:%{INT:backendport:int})|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} (?:-|%{INT:elb_status_code:int}) (?:-|%{INT:backend_status_code:int}) %{INT:received_bytes:int} %{INT:sent_bytes:int} "%{ELB_REQUEST_LINE}" "(?:-|%{DATA:user_agent})" (?:-|%{NOTSPACE:ssl_cipher}) (?:-|%{NOTSPACE:ssl_protocol})" ]
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}

output {
elasticsearch { hosts => ["localhost:9200"] }

magnusbaeck · May 27, 2018, 8:00pm

If you look carefully you'll see that the quotes around e.g. "fcalb-logs" aren't straight but curly.

https://practicaltypography.com/straight-and-curly-quotes.html

Suresh_Pal · May 29, 2018, 6:29am

Thanks @magnusbaeck , It works fine now.

I have one more question,

I'm not able to create index in my kibana though i have that index in my elasticsearch. Below are the steps i'm performing while creating index in kibana.

Step 1 of 2: Define index pattern

Here my index is showing correctly.

Step 2 of 2: Configure settings

after configuring setting and clicking on create index, its not creating index. Please help

magnusbaeck · May 29, 2018, 7:45am

For new questions I suggest you create new topics instead of continuing old ones.

after configuring setting and clicking on create index, its not creating index.

That screen creates index patterns. It does not create indexes. I'm not sure whether you actually have an issue or if it's just a case of incorrect expectations.

system · June 26, 2018, 7:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error while connecting to Amazon Elasticsearch Logstash	1	803	June 10, 2020
Logstatsh issue related to stdout Logstash	5	314	May 15, 2018
Logstash is not able to connect to ELasticsearch Logstash	13	1637	September 30, 2021
Logstash s3 elb config into existing ELK stack Logstash	3	2323	July 6, 2017
Data not getting indexed in elastic search Logstash	8	328	May 14, 2018

ELb logs from s3 to ELK server

Related topics