Journalctl logstash has issue "logstash.service: main process exited, code=exited, status=1/FAILURE"

gilang_bilbisri · March 10, 2020, 9:11am

Halo

i want to ask something about my logstash configuration.
i've already installed logstash and giving some configure in

/etc/logstash/logstash-sample.conf

and for the configuration is

input {
beats {
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash.crt"
ssl_key => "/etc/pki/tls/private/logstash.key"
}
}

filter {
if [type] == "syslog" {
    grok {
        match => {
            "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
        }
        add_field => [ "received_at", "%{@timestamp}" ]
        add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
        match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
}
}

output {
elasticsearch {
    hosts => "100.100.200.151:9200"
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
}
}

The logstash work fine. and status logstash is active (running)

but when i check my log in

journalctl --unit logstash

its showing some error. so this is the log

-- Logs begin at Tue 2020-03-10 13:38:25 WIB, end at Tue 2020-03-10 15:49:53 WIB. --
Mar 10 14:34:18 monitoring systemd[1]: Started logstash.
Mar 10 14:34:43 monitoring logstash[10866]: Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
Mar 10 14:34:44 monitoring logstash[10866]: [2020-03-10T14:34:44,271][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.queue", :path=>"/va
Mar 10 14:34:44 monitoring logstash[10866]: [2020-03-10T14:34:44,466][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.dead_letter_queue",
Mar 10 14:34:45 monitoring logstash[10866]: [2020-03-10T14:34:45,092][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.6.1"}
Mar 10 14:34:45 monitoring logstash[10866]: [2020-03-10T14:34:45,143][INFO ][logstash.agent           ] No persistent UUID file found. Generating new UUID {:uuid=>"296b
Mar 10 14:34:46 monitoring logstash[10866]: [2020-03-10T14:34:46,203][INFO ][logstash.config.source.local.configpathloader] No config files found in path {:path=>"/etc/
Mar 10 14:34:46 monitoring logstash[10866]: [2020-03-10T14:34:46,230][ERROR][logstash.config.sourceloader] No configuration found in the configured sources.
Mar 10 14:34:46 monitoring logstash[10866]: [2020-03-10T14:34:46,646][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
Mar 10 14:34:51 monitoring logstash[10866]: [2020-03-10T14:34:51,545][INFO ][logstash.runner          ] Logstash shut down.
Mar 10 14:34:51 monitoring systemd[1]: logstash.service: main process exited, code=exited, status=1/FAILURE
Mar 10 14:34:51 monitoring systemd[1]: Unit logstash.service entered failed state.
Mar 10 14:34:51 monitoring systemd[1]: logstash.service failed.
Mar 10 14:34:52 monitoring systemd[1]: logstash.service holdoff time over, scheduling restart.
Mar 10 14:34:52 monitoring systemd[1]: Stopped logstash.
Mar 10 14:34:52 monitoring systemd[1]: Started logstash.

i took the configuration from youtube. and on the video the journalctl was work fines, no showing any errors. anyone knows what happend?

ITIC · March 10, 2020, 10:21am

Hi

The log you posted is truncated. Check the line where it says

No config files found in path {:path=>"/etc/

It seems logstash cannot find your .conf file.

In your otuput{} section, comment out the elasticsearch{} plugin and add a stdout{} line. Try again and see what you get.

Hope this helps.

gilang_bilbisri · March 10, 2020, 11:30am

HI jordi

Yes. it works thanks for the solution.

system · April 7, 2020, 11:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.