Loading plugin inside Windows Server Docker container

Hello All,

I am having a few problems getting a logstash plugin loading correctly inside a Windows Server Docker container.

For a bit of background, I am running the elastic stack on a traditional virtual machine with Elasticsearch, Logstash and Kibana. I have some logs that I want to get from our cloud provider so I have decided to put a Logstash instance in our DMZ running as a Docker container on Windows Server 2016. I have managed to get this configuration working and logs are making it to Elasticsearch successfully.

The next step was to configure the zabbix output plugin to trigger alerts on certain criteria. This is where I am getting stuck.

I have built a new Docker image which installs the zabbix plugin, during building I can see that it installs successfully:

Step 9/10 : RUN c:\elastic.co\logstash\bin\logstash-plugin install logstash-output-zabbix
 ---> Running in 467244165fac
Validating logstash-output-zabbix
Installing logstash-output-zabbix
Installation successful

I then have a couple of conditional commands in my logstash config that will trigger the zabbix output, which look like this:

if ("parsed_catchall" in [tags]) {
			mutate {
				add_field => { "[@metadata][z_key]" => "WPError" }
				add_field => { "[@metadata][z_host]" => "%{[beat][hostname]}" }
				add_tag => [ "zabbix_sender" ]
			}
			
		}

//snipped//

output {
	if ("parsed_catchall" in [tags]) {
		zabbix {
			zabbix_host => "[@metadata][z_host]"
			zabbix_key => "[@metadata][z_key]"
			zabbix_server_host => "svr-mon-03"
		}
		
	}

I have tested this config file against my traditional, full blown, Logstash instance and I am getting the alert into Zabbix. However on my Docker instance when the conditional fires I am getting the following:

[2017-03-06T15:35:39,452][DEBUG][logstash.agent           ] Error in reactor loop escaped: Bad file descriptor - Bad file descriptor (Errno::EBADF)
[2017-03-06T15:35:39,453][DEBUG][logstash.agent           ] ["org/jruby/RubyIO.java:3118:in `read'", "c:/elastic.co/logstash/vendor/bundle/jruby/1.9/gems/puma-2.16.0-java/lib/puma/reactor.rb:45:in `run_internal'", "org/jruby/ext/thread/Mutex.java:149:in `synchronize'", "c:/elastic.co/logstash/vendor/bundle/jruby/1.9/gems/puma-2.16.0-java/lib/puma/reactor.rb:44:in `run_internal'", "org/jruby/RubyArray.java:1613:in `each'", "c:/elastic.co/logstash/vendor/bundle/jruby/1.9/gems/puma-2.16.0-java/lib/puma/reactor.rb:42:in `run_internal'", "c:/elastic.co/logstash/vendor/bundle/jruby/1.9/gems/puma-2.16.0-java/lib/puma/reactor.rb:138:in `run_in_thread'"]
[2017-03-06T15:35:39,481][DEBUG][logstash.agent           ] 2017-03-06 15:35:39 +1100: Listen loop error: #<Errno::EBADF: Bad file descriptor - Bad file descriptor>
[2017-03-06T15:35:39,482][DEBUG][logstash.agent           ] org/jruby/RubyIO.java:3705:in `select'
c:/elastic.co/logstash/vendor/bundle/jruby/1.9/gems/puma-2.16.0-java/lib/puma/server.rb:322:in `handle_servers'
c:/elastic.co/logstash/vendor/bundle/jruby/1.9/gems/puma-2.16.0-java/lib/puma/server.rb:296:in `run'

These entries are repeated many times until the logstash instance crashes and the container stops.

I have tried to check if the plugin is running and when I run bin\logstash-plugin list i get nothing returned at all. I know that this is not correct, because I can see in the logs that I am using a lot of plugins, for example logstash-filter-grok is working, along with many others.

Does anybody have any ideas on getting this plugin running?

If I can't get the zabbix plugin working in the container one option I am thinking of is, instead of using the zabbix output inside the conditional I will output to the traditional logstash instance on the elastic stack and then use that to output to zabbix. Are there any things that I need to be aware of using multiple logstash instances?

Cheers,

Tim

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.