Hi, I recently started working with the ELK stack but I have a problem with
my syslog Logstash configuration. Can you give me a hand please? I don't know what the problem is in my config file, but when I run /bin/logstash -f it gives me this:
Attempting to install template {:manage_template=>{"template"=>"logstash-*", "version"=>50001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"_default_"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword"}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
Hi,
could you please post your config?
What you posted here:
Attempting to install template
{:manage_template=>
{"template"=>"logstash-*",
"version"=>50001,
"settings"=>
{"index.refresh_interval"=>"5s"},
"mappings"=>
{"_default_"=>
{"_all"=>
{"enabled"=>true,
"norms"=>false},
"dynamic_templates"=>
[{"message_field"=>
....
is just an info message that tells you the default template is installed. I don't think there is anything wrong with that.
Did you get any documents into the Elasticsearch node?
cheers
pts0
Hi Kim,
This is my config:
input {
  file {
    path => "/data/log/testlogstash/messages"
    type => "syslog"
    start_position => "beginning"
  }
}
filter {
  if [type] == "syslog" {
    grok {
      patterns_dir => "/etc/logstash/conf.d/patterns/"
      match => ["message", "(%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_process}\[%{NUMBER:syslog_uid}\]:(?=%{GREEDYDATA:syslog_message})|(%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} \|%{NUMBER:syslog_epoch:int}\|%{IP:syslog_ip}\|%{GREEDYDATA:syslog_path}\|%{GREEDYDATA:syslog_title}\|%{GREEDYDATA:syslog_referrer}\|%{NUMBER:syslog_uid}\|%{GREEDYDATA:syslog_sid}\|%{NUMBER:syslog_timer:int}\|%{GREEDYDATA:syslog_cache}\|%{GREEDYDATA:syslog_user_agent}\|%{NUMBER:syslog_peak_memory:int}))"]
    }
    if "_grokparsefailure" in [tags] {
      drop { }
    }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "syslogindex-%{+YYYY.MM.dd}"
    sniffing => false
    manage_template => false
  }
  stdout { codec => rubydebug }
}
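To see what the grok match string in the config above actually extracts, here is an added Python example (not from the thread and not Logstash code) that expands the pattern with simplified, hypothetical stand-ins for the core grok patterns and runs it over constructed sample lines. It splits the alternation into two patterns, as a grok match array allows, and shows that a syslog line without a [pid] suffix gets no match at all, which with the drop {} in that config means the event silently never reaches the index.

```python
import re

# Simplified stand-ins for the core grok patterns used in the thread's match
# string (hypothetical; the real Logstash definitions are stricter).
GROK_PATTERNS = {
    "SYSLOGTIMESTAMP": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +(?:[12]\d|3[01]|0?[1-9]) \d{2}:\d{2}:\d{2}",
    "SYSLOGHOST": r"[\w.-]+", "GREEDYDATA": r".*", "DATA": r".*?",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?", "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
}
TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?(?::(\w+))?\}")

def grok_compile(pattern):
    """Expand %{NAME:field:type} tokens into a Python regex with named groups."""
    types = {}
    def repl(m):
        name, field, typ = m.groups()
        if typ:
            types[field] = typ
        return f"(?P<{field}>{GROK_PATTERNS[name]})" if field else f"(?:{GROK_PATTERNS[name]})"
    return re.compile(TOKEN.sub(repl, pattern)), types

def grok_match(compiled, line):
    """Try each pattern in order, as grok does with an array of match patterns."""
    for rx, types in compiled:
        m = rx.search(line)  # grok is unanchored, like re.search
        if m:
            fields = m.groupdict()
            fields.update({f: int(float(fields[f])) for f, t in types.items() if t == "int"})
            return fields
    return None  # Logstash would add the _grokparsefailure tag instead

# The thread's single alternation split into its two branches, so the repeated
# field names (syslog_timestamp, syslog_hostname, syslog_uid) stay legal in re.
THREAD_PATTERNS = [
    r"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_process}\[%{NUMBER:syslog_uid}\]:(?=%{GREEDYDATA:syslog_message})",
    r"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} \|%{NUMBER:syslog_epoch:int}\|%{IP:syslog_ip}\|%{GREEDYDATA:syslog_path}\|%{GREEDYDATA:syslog_title}\|%{GREEDYDATA:syslog_referrer}\|%{NUMBER:syslog_uid}\|%{GREEDYDATA:syslog_sid}\|%{NUMBER:syslog_timer:int}\|%{GREEDYDATA:syslog_cache}\|%{GREEDYDATA:syslog_user_agent}\|%{NUMBER:syslog_peak_memory:int}",
]
COMPILED = [grok_compile(p) for p in THREAD_PATTERNS]

# Constructed sample lines: a PID-style syslog line, a pipe-delimited application
# line, and a kernel line without [pid] that the config's drop {} would discard.
SAMPLE_LINES = [
    "Mar  7 10:15:01 webhost01 sshd[2345]: Accepted publickey for alice from 10.0.0.5 port 52112 ssh2",
    "Mar  7 10:15:02 webhost01 app |1520417702|10.0.0.5|/index.php|Home|-|42|abc123|120|HIT|Mozilla/5.0|2048",
    "Mar  7 10:15:03 webhost01 kernel: usb 1-1: new high-speed USB device",
]

def parse_samples():
    """One field dict per sample line, or None where grok would fail (and drop {} would fire)."""
    return [grok_match(COMPILED, line) for line in SAMPLE_LINES]
```

Running parse_samples() returns three results: the sshd and application lines yield field dicts, the kernel line yields None, so a real feed of lines like it would be dropped rather than indexed.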
There is nothing wrong with your configuration. The message is an informational message that you'll get every time Logstash starts up if you have an elasticsearch output. Move on.