File input to grok filter to elasticsearch output

cm47 · October 24, 2017, 9:15pm

Hi, I am trying to configure logstash to read lines from a custom file.

Logstash configuration file:
input {
file {
path => "/home/centos/customlog/testfile.log"
codec => line
start_position => "beginning"
ignore_older => 0
}
}

filter {
grok {
patterns_dir => "/etc/logstash/patterns"
match => { "message" => "%{DATETIME_PATTERN:timestamp} %{LOGLEVEL:log-level} %{GREEDYDATA:message}" }
}
}

output {
elasticsearch {
hosts => ["localhost:9200"]
user => "elastic"
password => "omitted"
index => "custom-log-test"
}
}

where DATETIME_PATTERN is a custom pattern declared like so:
DATETIME_PATTERN %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[ ]%{HOUR}:%{MINUTE}:%{SECOND}

Here is part of the log trying to be read:
2017-10-05 13:10:00 INFO Running Check Time issue
2017-10-05 13:10:00 INFO No need to alert - there are no future times
2017-10-05 13:20:00 INFO Running Check Time issue
2017-10-05 13:20:00 ERROR Issue found - sending alert

Where am I going wrong here? For testing purposes, I have also tried with stdout output using rubydebug codec and still don't see anything happening in logstash logs when I write and quit the file (logstash logs are raised to debug level). I also tried without the line codec incase it was not correct however I do believe that is the right codec to use. I also tried with a trivial grok pattern like just the log level and greedy data afterward and creating a log to match that pattern with no success as well. Any direction would be greatly appreciated, thanks!

warkolm · October 25, 2017, 2:49am

It's probably a sincedb issue, so try setting that to /dev/null.

cm47 · October 25, 2017, 7:04pm

Thanks for your reply, Mark. Shouldn't setting start position to beginning negate that issue? Anyway, I tried setting the sincedb path to /dev/null and no change. Still not seeing anything in logstash logs when I write and quit the test log file.

The only thing remotely related to this whole process that I see in the logs is this single line:

[DEBUG][logstash.inputs.file ] _globbed_files: /home/centos/customlog/testfile.log: glob is: []

Does this indicate something is wrong? Sorry, fairly inexperienced with ELK and just trying to figure out why I can't get something that should be very basic to work.

cm47 · October 25, 2017, 7:18pm

I was able to resolve the issue. For whatever reason, logstash did not like the log file being in the centos user path that I had posted in my configuration. I changed it to /etc/logstash/customlog/testfile.log and I was able to see lines from the file printed to stdout.

system · November 22, 2017, 7:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to use grok pattern file in logstash filter Logstash	4	332	July 12, 2018
File input processing question Logstash	3	1077	July 6, 2017
Logstash + historical import + oddball time stamps Logstash	3	616	October 12, 2017
Grok custom pattern is not working Logstash	2	2540	October 31, 2017
Get the correct timestamp from the log file Logstash	6	3070	July 6, 2017

File input to grok filter to elasticsearch output

Related Topics