Hi, I recently started working with the ELK stack but I have a problem with
my syslog Logstash configuration. Can you give me a hand please? I don't know what the problem is with my config file, but when I do the /bin/logstash -f it gives me this:
Attempting to install template {:manage_template=>{"template"=>"logstash-*", "version"=>50001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"_default_"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword"}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
Hi,
could you please post your config?
What you post here
Attempting to install template
{:manage_template=>
{"template"=>"logstash-*",
"version"=>50001,
"settings"=>
{"index.refresh_interval"=>"5s"},
"mappings"=>
{"_default_"=>
{"_all"=>
{"enabled"=>true,
"norms"=>false},
"dynamic_templates"=>
[{"message_field"=>
....
is just an info message that tells you the default template is installed. I don't think there is anything wrong with that.
Did you get any document into the elasticsearch node?
cheers
pts0
Hi Kim,
this is my config:
input {
  file {
    path => "/data/log/testlogstash/messages"
    type => "syslog"
    # read the existing file from its first line instead of only tailing new lines
    start_position => "beginning"
  }
}
filter {
  if [type] == "syslog" {
    grok {
      patterns_dir => "/etc/logstash/conf.d/patterns/"
      # two alternatives: "program[pid]: message" and a pipe-delimited application format
      match => ["message", "(%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_process}\[%{NUMBER:syslog_uid}\]:(?=%{GREEDYDATA:syslog_message})|(%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} \|%{NUMBER:syslog_epoch:int}\|%{IP:syslog_ip}\|%{GREEDYDATA:syslog_path}\|%{GREEDYDATA:syslog_title}\|%{GREEDYDATA:syslog_referrer}\|%{NUMBER:syslog_uid}\|%{GREEDYDATA:syslog_sid}\|%{NUMBER:syslog_timer:int}\|%{GREEDYDATA:syslog_cache}\|%{GREEDYDATA:syslog_user_agent}\|%{NUMBER:syslog_peak_memory:int}))"]
    }
    # events matching neither alternative are tagged _grokparsefailure and discarded here
    if "_grokparsefailure" in [tags] {
      drop { }
    }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "syslogindex-%{+YYYY.MM.dd}"
    sniffing => false
    # do not install or overwrite an index template from Logstash
    manage_template => false
  }
  stdout { codec => rubydebug }
}
There is nothing wrong with your configuration. The message is an informational message that you'll get every time Logstash starts up if you have an elasticsearch output. Move on.
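Added example, not code from the thread or from Logstash itself: a small grok-style matcher in plain Ruby (Logstash's own language) that expands the `%{NAME:field:type}` references from the posted config into named-capture regexes and dry-runs them over a few constructed syslog lines. Assumptions: the base pattern bodies are simplified stand-ins for the stock grok definitions of the same names, the posted alternation is split into an ordered list of two patterns (the same thing grok's array form does with `break_on_match`), and the sample lines are made up. What it shows is the practical consequence of `drop { }` on `_grokparsefailure`: a line in a shape neither alternative covers never reaches Elasticsearch, so "no documents in the index" is exactly what a pattern mismatch looks like from the outside.

```ruby
# Added example (not code from the thread): a minimal grok-style matcher in
# plain Ruby used to dry-run the posted syslog patterns offline.

# Simplified base patterns. Assumption: these approximate, but are not copies
# of, the stock Logstash grok definitions with the same names.
BASE_PATTERNS = {
  "SYSLOGTIMESTAMP" => '(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +\d{1,2} \d{2}:\d{2}:\d{2}',
  "SYSLOGHOST"      => '[A-Za-z0-9][A-Za-z0-9._-]*',
  "GREEDYDATA"      => '.*',
  "DATA"            => '.*?',
  "NUMBER"          => '[+-]?(?:\d+(?:\.\d*)?|\.\d+)',
  "IP"              => '(?:\d{1,3}\.){3}\d{1,3}',
}.freeze

# Expand "%{NAME:field:type}" references into Ruby named captures
# "(?<field>...)" and record the requested type conversions.
def compile_grok(pattern)
  types = {}
  src = pattern.gsub(/%\{(\w+)(?::(\w+))?(?::(\w+))?\}/) do
    name, field, type = $1, $2, $3
    body = BASE_PATTERNS.fetch(name) { raise ArgumentError, "unknown grok pattern #{name}" }
    next "(?:#{body})" unless field
    types[field] = type if type
    "(?<#{field}>#{body})"
  end
  [Regexp.new(src), types]
end

# The two alternatives from the posted match string, as an ordered list
# (grok's array form: the first pattern that matches wins).
SYSLOG_PATTERNS = [
  '%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_process}\[%{NUMBER:syslog_uid}\]:(?=%{GREEDYDATA:syslog_message})',
  '%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} \|%{NUMBER:syslog_epoch:int}\|%{IP:syslog_ip}\|%{GREEDYDATA:syslog_path}\|%{GREEDYDATA:syslog_title}\|%{GREEDYDATA:syslog_referrer}\|%{NUMBER:syslog_uid}\|%{GREEDYDATA:syslog_sid}\|%{NUMBER:syslog_timer:int}\|%{GREEDYDATA:syslog_cache}\|%{GREEDYDATA:syslog_user_agent}\|%{NUMBER:syslog_peak_memory:int}',
].map { |p| compile_grok(p) }.freeze

# Return the extracted fields for the first matching pattern, or nil when no
# pattern matches (the event Logstash would tag _grokparsefailure).
def grok_match(line)
  SYSLOG_PATTERNS.each do |regex, types|
    m = regex.match(line)
    next unless m
    fields = {}
    m.names.each do |n|
      v = m[n]
      next if v.nil?
      fields[n] = case types[n]
                  when "int"   then v.to_i   # grok's :int conversion
                  when "float" then v.to_f   # grok's :float conversion
                  else v
                  end
    end
    return fields
  end
  nil
end

# Constructed sample lines (not real log data): an auth failure in the
# "program[pid]:" shape, a pipe-delimited application line, and a kernel
# line in a shape neither pattern covers.
SAMPLE_LINES = [
  "Mar  1 10:00:01 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4242 ssh2",
  "Mar  1 10:00:02 web01 app |1488362400|10.0.0.5|/login|Login|-|1001|abc123|12|MISS|Mozilla/5.0|4096",
  "Mar  1 10:00:03 web01 kernel: nf_conntrack: table full, dropping packet",
].freeze

# Pair each line with its parse result; nil marks lines the posted config
# would discard in its _grokparsefailure branch.
def classify(lines)
  lines.map { |l| [l, grok_match(l)] }
end

if __FILE__ == $0
  classify(SAMPLE_LINES).each do |line, fields|
    if fields
      puts "matched: #{fields.inspect}"
    else
      puts "_grokparsefailure (dropped by the posted config): #{line}"
    end
  end
end
```

When a line you expected to index comes out as `_grokparsefailure`, fix the pattern before re-enabling the drop, or keep the tag and route those events to a separate index instead of discarding them: an unparsed line from sshd or the kernel is still evidence worth keeping.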