Logs not moved from Logstash to Elasticsearch

manojvenkat · November 2, 2016, 8:54am

Dear All,

I have installed ELK on single server. Now I am just trying to read a sample log file in my tmp folder andoutput it to elasticsearch and display in Kibana .

Below is my logstash configuration file:

input {
file {
path => "\tmp\Test.log"
start_position => "beginning"
}
}

output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}

But in Kibana I am not able to view the contents.

I checked Elasticsearch data directory :/var/lib/elasticsearch/elasticsearch/nodes and found 0 files in it. I understand logs not moved from logstash to elasticsearch. Please advice.

warkolm · November 2, 2016, 9:14am

Have a read of https://www.elastic.co/guide/en/logstash/current/plugins-inputs-file.html#_tracking_of_current_position_in_watched_files

manojvenkat · November 2, 2016, 9:35am

Mark Thanks for reply. I verified the link and did --configtest the configuration file and It seems to be OK.

[root@ip-10-32-71-115 bin]# ./logstash --configtest -f /etc/logstash/conf.d/syslog-elasticsearch.conf
Picked up _JAVA_OPTIONS: -Xmx2048m -Xms1024m
Configuration OK

Please suggest what else could be the other reasons.

warkolm · November 2, 2016, 9:36am

That is not what the link was about. Read about sincedb.

manojvenkat · November 2, 2016, 10:11am

I have updated config file with sincedb details. But still not seeing the logs moved to elasticsearch. Please advice.

input {
file {
path => "/tmp/Test.log"
type => "log"
start_position => "beginning"
sincedb_path => "/tmp/loc"
sincedb_write_interval => 10
}
}

guyboertje · November 2, 2016, 10:40am

@manojvenkat

What version of LS are you using?
Is the last modified date of the file /tmp/Test.log more than 24 hours ago? if yes then either touch it or set ignore_older to zero in the file config.

manojvenkat · November 2, 2016, 3:43pm

Hi Guyboertje, Thanks for reply.

Logstash Version is 2.4
2.I created Test.log file few hours back.