[ERROR] 2019-01-08 10:18:42.313 [main] Logstash - java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit

Dv_Thiyanesh · January 8, 2019, 5:02am

I have an error at first i have run the config for beasts but now just for checking it's shows an error like this(in windows)
what can i do did i make any mistake
correct me

C:\ELK\logstash-6.5.3\bin>logstash -e 'input { stdin {} } output { stdout {} }'
ERROR: Unknown command '{'

See: 'bin/logstash --help'
[ERROR] 2019-01-08 10:18:42.313 [main] Logstash - java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit

Tayyab · January 8, 2019, 6:03am

I am facing the same issue.

balumurari1 · January 8, 2019, 9:59am

Hello @tayyab, @Dv_Thiyanesh,

try this,

logstash -e 'input{stdin{}}output{stdout{}}'

It will work fine.

Dv_Thiyanesh · January 9, 2019, 11:07am

yaa it works thank you!

balumurari1 · January 9, 2019, 11:13am

cheers..!! mark it as solution, so that it helps others

Dv_Thiyanesh · January 9, 2019, 11:20am

Done...And i am new to elastic so i need some good tutorials for filebeat to elasticsearch in windows
can you Have send Me
can you give some instructions
where to learn

balumurari1 · January 9, 2019, 11:26am

ok, in which scenarios you were using elasticsearch, so that i can help you to share knowledge.

Dv_Thiyanesh · January 9, 2019, 11:36am

I want to take logs from windows using winlogbeat and send that shipped logs to logstash using grok filter i need to take needed fields and send that that to elastic search

i have done it's working with this config file(I cannot understand what the filter is doing)
how i can change filter to select specific fields,can u help me out?

input {
beats {
port => 5044
}
}

filter {
if [system][process] {
if [system][process][cmdline] {
grok {
match => {
"[system][process][cmdline]" => "^%{PATH:[system][process][cmdline_path]}"
}
remove_field => "[system][process][cmdline]"
}
}
}
}

output {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}

Dv_Thiyanesh · January 10, 2019, 7:40am

Today when i running this it's shows error

C:\ELK\logstash-6.5.3\bin>logstash -e 'input{stdin{}}output{stdout{}}'
Sending Logstash logs to C:/ELK/logstash-6.5.3/logs which is now configured via log4j2.properties
[2019-01-10T13:09:08,506][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-01-10T13:09:08,545][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.5.3"}
[2019-01-10T13:09:10,088][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, input, filter, output at line 1, column 1 (byte 1) after ", :backtrace=>["C:/ELK/logstash-6.5.3/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "C:/ELK/logstash-6.5.3/logstash-core/lib/logstash/compiler.rb:49:incompile_graph'", "C:/ELK/logstash-6.5.3/logstash-core/lib/logstash/compiler.rb:11:in block in compile_sources'", "org/jruby/RubyArray.java:2486:inmap'", "C:/ELK/logstash-6.5.3/logstash-core/lib/logstash/compiler.rb:10:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:149:ininitialize'", "C:/ELK/logstash-6.5.3/logstash-core/lib/logstash/pipeline.rb:22:in initialize'", "C:/ELK/logstash-6.5.3/logstash-core/lib/logstash/pipeline.rb:90:ininitialize'", "C:/ELK/logstash-6.5.3/logstash-core/lib/logstash/pipeline_action/create.rb:42:in block in execute'", "C:/ELK/logstash-6.5.3/logstash-core/lib/logstash/agent.rb:92:inblock in exclusive'", "org/jruby/ext/thread/Mutex.java:148:in synchronize'", "C:/ELK/logstash-6.5.3/logstash-core/lib/logstash/agent.rb:92:inexclusive'", "C:/ELK/logstash-6.5.3/logstash-core/lib/logstash/pipeline_action/create.rb:38:in execute'", "C:/ELK/logstash-6.5.3/logstash-core/lib/logstash/agent.rb:317:inblock in converge_state'"]}
[2019-01-10T13:09:10,691][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

JKCode · February 5, 2019, 4:51am

Hi All

I am facing the same issue while trying to start LS 6.5.0 on Windows 10 after a considerably long break in usage.
I have checked /pipeline_action/create.rb file to see if I could locate the missing #, but things seem fine.
Logstash logs sincedb file also deleted, but error persists.
Any help is much appreciated.

Edit:
Attempted again, this time created a basic conf file as below:

input{
stdin{}
}
output{
stdout{}
}

.. and it works!

Would still like some help to identify what's causing the error with the command line -e flag for better understanding!

Thanks!

Dv_Thiyanesh · February 6, 2019, 5:12am

i can't get you, could you can explain once again?

Dv_Thiyanesh · February 6, 2019, 6:00am

After doing this i have restarted logstash:

'''C:\ELK\logstash-6.5.3\bin>logstash -f demo-winlog-pipeline.conf
Sending Logstash logs to C:/ELK/logstash-6.5.3/logs which is now configured via log4j2.properties
[2019-02-06T11:11:27,417][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-02-06T11:11:27,652][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.5.3"}
[2019-02-06T11:11:37,022][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2019-02-06T11:11:39,096][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>, :added=>[http://localhost:9200/]}}
[2019-02-06T11:11:41,744][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://localhost:9200/"}
[2019-02-06T11:11:41,926][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2019-02-06T11:11:41,934][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be used to determine the document _type {:es_version=>6}
[2019-02-06T11:11:42,004][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[2019-02-06T11:11:49,785][INFO ][logstash.inputs.beats ] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[2019-02-06T11:11:49,819][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x39a1e568 run>"}
[2019-02-06T11:11:50,566][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>}
[2019-02-06T11:11:54,077][INFO ][org.logstash.beats.Server] Starting server on port: 5044
[2019-02-06T11:11:55,387][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}'''

And the Result will be same not dropping events:
Screenshot_2019-02-06%20Discover%20-%20Kibana

system · March 6, 2019, 6:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.