Failed to start logstash - invalid dictionary format for translate plugin

thomas.dotreppe · May 3, 2016, 5:13pm

I'm using translate to convert protocols ID (and other stuff) to a name.

The configuration for this piece look like:

translate {
    field => "protoid"
    destination => "proto"
    fallback => "Unassigned"
    dictionary_path => "/etc/logstash/protocols"
    refresh_interval => 3600
}

However, when starting logstash (v2.3.2 from Elastic repos on Ubuntu 16.04 64 bit using Oracle JDK 8u91), it fails to start and I get the following error messages in the log file:

{:timestamp=>"2016-05-03T16:43:27.268000+0000", :message=>"translation missing: en.logstash.runner.configuration.file-not-found", :level=>:error}
{:timestamp=>"2016-05-03T16:56:26.415000+0000", :message=>"Pipeline aborted due to error", :exception=>#<RuntimeError: LogStash::Filters::Translate: LogStash::Filters::Translate: Dictionary /etc/logstash/protocols have a non valid format when loading dictionary file at /etc/logstash/protocols>, :backtrace=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-translate-2.1.3/lib/logstash/filters/translate.rb:234:in `loading_exception'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-translate-2.1.3/lib/logstash/filters/translate.rb:196:in `load_dictionary'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-translate-2.1.3/lib/logstash/filters/translate.rb:127:in `register'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:182:in `start_workers'", "org/jruby/RubyArray.java:1613:in `each'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:182:in `start_workers'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:136:in `run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/agent.rb:465:in `start_pipeline'"], :level=>:error}
{:timestamp=>"2016-05-03T16:56:29.421000+0000", :message=>"stopping pipeline", :id=>"main"}

I looked in the file /etc/logstash/protocols (which has the owner and group set to logstash, is readable just fine and is in UNIX format) and I fail to see why it say it has invalid format (format can be found Logstash translate filter - Dictionary path - Format):

"0": HOPOPT
"1": ICMP
"2": IGMP
"3": GGP
"4": IPv4
"5": ST
"6": TCP
"7": CBT
"8": EGP
"9": IGP
"10": BBN-RCC-MON
"11": NVP-II
"12": PUP
"13": ARGUS
"14": EMCON
"15": XNET
"16": CHAOS
"17": UDP
"18": MUX
"19": DCN-MEAS
"20": HMP
"21": PRM
"22": XNS-IDP
"23": TRUNK-1
"24": TRUNK-2
"25": LEAF-1
"26": LEAF-2
"27": RDP
"28": IRTP
"29": ISO-TP4
"30": NETBLT
"31": MFE-NSP
"32": MERIT-INP
"33": DCCP
"34": 3PC
"35": IDPR
"36": XTP
"37": DDP
"38": IDPR-CMTP
"39": TP++
"40": IL
"41": IPv6
"42": SDRP
"43": IPv6-Route
"44": IPv6-Frag
"45": IDRP
"46": RSVP
"47": GRE
"48": DSR
"49": BNA
"50": ESP
"51": AH
"52": I-NLSP
"53": SWIPE (deprecated)
"54": NARP
"55": MOBILE
"56": TLSP
"57": SKIP
"58": IPv6-ICMP
"59": IPv6-NoNxt
"60": IPv6-Opts
"61": host internal protocol
"62": CFTP
"63": local network
"64": SAT-EXPAK
"65": KRYPTOLAN
"66": RVD
"67": IPPC
"68": distributed file system
"69": SAT-MON
"70": VISA
"71": IPCV
"72": CPNX
"73": CPHB
"74": WSN
"75": PVP
"76": BR-SAT-MON
"77": SUN-ND
"78": WB-MON
"79": WB-EXPAK
"80": ISO-IP
"81": VMTP
"82": SECURE-VMTP
"83": VINES
"84": TTP
"84": IPTM
"85": NSFNET-IGP
"86": DGP
"87": TCF
"88": EIGRP
"89": OSPFIGP
"90": Sprite-RPC
"91": LARP
"92": MTP
"93": AX.25
"94": IPIP
"95": MICP (deprecated)
"96": SCC-SP
"97": ETHERIP
"98": ENCAP
"99": private encryption scheme
"100": GMTP
"101": IFMP
"102": PNNI
"103": PIM
"104": ARIS
"105": SCPS
"106": QNX
"107": A/N
"108": IPComp
"109": SNP
"110": Compaq-Peer
"111": IPX-in-IP
"112": VRRP
"113": PGM
"114": 0-hop
"115": L2TP
"116": DDX
"117": IATP
"118": STP
"119": SRP
"120": UTI
"121": SMP
"122": SM
"123": PTP
"124": ISIS over IPv4
"125": FIRE
"126": CRTP
"127": CRUDP
"128": SSCOPMCE
"129": IPLT
"130": SPS
"131": PIPE
"132": SCTP
"133": FC
"134": RSVP-E2E-IGNORE
"135": Mobility Header
"136": UDPLite
"137": MPLS-in-IP
"138": manet
"139": HIP
"140": Shim6
"141": WESP
"142": ROHC
"253": Experiment
"254": Experiment
"255": Reserved

Can anybody tell me what is wrong in there?

magnusbaeck · May 3, 2016, 8:20pm

YAML files used here must have the file extension "yml" or "yaml".

github.com

logstash-plugins/logstash-filter-translate/blob/v2.1.3/lib/logstash/filters/translate.rb#L185-L197


def load_dictionary(raise_exception=false)
  if /.y[a]?ml$/.match(@dictionary_path)
    load_yaml(raise_exception)
  elsif @dictionary_path.end_with?(".json")
    load_json(raise_exception)
  elsif @dictionary_path.end_with?(".csv")
    load_csv(raise_exception)
  else
    raise "#{self.class.name}: Dictionary #{@dictionary_path} have a non valid format"
  end
rescue => e
  loading_exception(e, raise_exception)
end

thomas.dotreppe · May 5, 2016, 4:29pm

Should I open a bug for the documentation that needs updating? It doesn't say anywhere about the file extension.

magnusbaeck · May 9, 2016, 6:02am

The documentation in the source code actually includes a paragraph on this but it's omitted from the rendered HTML documentation so it's most likely a documentation generator bug. Feel free to file an issue at https://github.com/elastic/logstash/issues/new.

thomas.dotreppe · May 9, 2016, 3:32pm

Done: https://github.com/elastic/logstash/issues/5261