Hello,
I'm having an issue with logstash running on aarch64. At this point, I don't believe it to be config based, as I ran config test on the various files in conf.d AND these files run on other hosts (that are x86_64). I only note the arch in the interest of full disclosure.
I've found that three specific input files, when placed in /etc/logstash/conf.d
result in stack traces in /var/log/logstash/logstash-plain.log
. The output looks something like:
[2018-05-23T09:40:11,866][ERROR][logstash.pipeline ] A plugin had an unrecoverable error. Will restart this plugin.
Pipeline_id:main
Plugin: <LogStash::Inputs::File path=>["/var/log/logstash/logstash-plain.log"], type=>"logstashlogs", tags=>["systems"], codec=><LogStash::Codecs::Multiline auto_flush_interval=>1, pattern=>"^\\[%{TIMESTAMP_ISO8601}", negate=>true, what=>"previous", id=>"c86c336a-60a4-4185-aa9c-67e83a98dc13", enable_metric=>true, charset=>"UTF-8", multiline_tag=>"multiline", max_lines=>500, max_bytes=>10485760>, sincedb_path=>"/var/db/logstash-sincedb/logstashlogs", id=>"58cf273996c5add287b29935f91c4a1bc3ce9b19121eb55d54cf29bb75b4aaef", enable_metric=>true, stat_interval=>1, discover_interval=>15, sincedb_write_interval=>15, start_position=>"end", delimiter=>"\n", close_older=>3600>
Error: Operation not permitted - No message available
Exception: Errno::EPERM
Stack: org/jruby/RubyFile.java:639:in `chown'
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/filewatch-0.9.0/lib/filewatch/helper.rb:45:in `atomic_write'
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/filewatch-0.9.0/lib/filewatch/tail_base.rb:197:in `_sincedb_write'
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/filewatch-0.9.0/lib/filewatch/observing_tail.rb:103:in `observe_read_file'
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/filewatch-0.9.0/lib/filewatch/observing_tail.rb:43:in `block in subscribe'
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/filewatch-0.9.0/lib/filewatch/watch.rb:255:in `block in each'
org/jruby/RubyArray.java:1734:in `each'
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/filewatch-0.9.0/lib/filewatch/watch.rb:217:in `block in each'
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/filewatch-0.9.0/lib/filewatch/watch.rb:357:in `block in synchronized'
org/jruby/ext/thread/Mutex.java:148:in `synchronize'
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/filewatch-0.9.0/lib/filewatch/watch.rb:357:in `synchronized'
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/filewatch-0.9.0/lib/filewatch/watch.rb:118:in `each'
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/filewatch-0.9.0/lib/filewatch/watch.rb:280:in `subscribe'
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/filewatch-0.9.0/lib/filewatch/observing_tail.rb:23:in `subscribe'
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-file-4.0.3/lib/logstash/inputs/file.rb:305:in `run'
/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:524:in `inputworker'
/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:517:in `block in start_input'
I've looked at permissions on the various logstash config files and they're good. I've also looked at the files that logstash appears to be monitoring and they're also OK. They're not FULLY owned by the logstash user, but they are owned by the logstash group and have the read bit set; so logstash shouldn't have any issues (to my knowledge) extracting information from them. The reason I'm talking about permissions is because of the following snippet in the above block:
Error: Operation not permitted - No message available
Exception: Errno::EPERM
Stack: org/jruby/RubyFile.java:639:in `chown'
I am not clear what is attempting to be done here. However, when these three files input files (or any one of them) are placed in conf.d we see continuous stack traces and logstash restarts itself.
Has anyone seen this before? I'm new to supporting logstash, so I apologize if I've left something out. Various search engine searches have led me nowhere thus far.
Thanks!