File_completed_action not deleting files

Elastic Stack Logstash
1

I enabled file_completed_action to delete, however the files still exist & are not logged after parsing. I've tried enabling permissions for these files as well to allow write. Here's a view of my config + permissions.

input {

 file {
    path => "/home/vagrant/Downloads/*/package_0000000000_20200514T171015Z/logcat/0_logcat.txt"
    start_position => "beginning"
    #sincedb_path => "/devspace/test/logcatdb.txt"
    #sincedb_path => "/devspace/work/test2.txt"
    sincedb_path => "/dev/null"
    file_completed_action => "delete"
    file_completed_log_path => "/devspace/work/testacomplete"
    
  }


}

filter {

  grok {
    
    match => [ "message", "%{LOGCAT_TIMESTAMP:log_time}.*?%{LOGCAT_TAG_LETTER:tag_letter}.*?%{LOGCAT_TAG:tag}.*?%{NUMBER:process_number}([\)]): .*?%{LOGCAT_MSG:log}" ]
    # match => ["path", "/devspace/test/logsdecryp/%{USERNAME:pwrcycle}/%{USERNAME:pkg_name}/logcat/%{USERNAME:filename}.txt" ]
    # match => ["pkg_name", "([a-z]*)_%{NUMBER:serial_number}_%{USERNAME:folder_date}T%{USERNAME:folder_time}Z" ]
    } 

  grok {

    #match => {"path" => "/devspace/test/logsdecryp/%{USERNAME:power_cycle}/%{USERNAME:pkg_name}/logcat/%{USERNAME:filename}.txt" }
    match => {"path" => "/devspace/work/%{USERNAME:power_cycle}/%{USERNAME:pkg_name}/logcat/%{USERNAME:filename}.txt" }

    }

  grok {

    match => {"pkg_name" => "([a-z]*)_%{USERNAME:serial_number}_%{USERNAME:folder_date}"}
    #T%{USERNAME:folder_time}Z" }

  }
#   mutate {
#       convert =>{
#           "process_number" => "integer" 
#       }
#   }
  

# #   date {

# #     match => [ "folder_date" , "yyyyMMdd" ],
    
# #    }

   date {
       match => [ "folder_date" , "yyyyMMdd'T'HHmmss'Z'" ]
       target => "file_timestamp"
    #    target => "logstamp"
   }
   date {
       match => ["log_time", "MM-dd HH:mm:ss.SSS"]
       target => "log_timestamp"
   }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  
  #stdout { codec => rubydebug }

}

Here's the permissions

-rw-rw-rw- 1   2300147 May 14 13:10 0_logcat.txt
-rw-rw-rw- 1   2181945 May 12 18:13 1_logcat.txt
-rw-rw-rw- 1   2660975 May 12 18:13 2_logcat.txt
-rw-rw-rw- 1   2807346 May 14 12:47 3_logcat.txt
-rw-rw-rw- 1   8880157 May 14 12:14 4_logcat.txt
-rw-rw-rw- 1   11595811 May 14 11:24 5_logcat.txt

Thanks!

I figured it out, need to add "mode => read" to config.

2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.