Logstach can't read input file

AlexDM · October 6, 2016, 11:12am

I'm so sorry, still start to learn and install ELK.
input { stdin { } } is working and I can see resault in Kibana. When I try to use file in input path, logstach can't read log file.

Logstach 2.4.0

my simple conf from Logstach documentations:

input {
file {
path => "/var/log/http.log"
sincedb_path => "/dev/null"
}
}
filter {
grok {
match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}

Answer from Logstach:
-- [slog@smt06hpsa004 logstash-2.4.0]$ bin/logstash -f ./conf/example0.conf
-- Settings: Default pipeline workers: 4
-- Pipeline main started

...nothing more

The same conf with "input { stdin { } }" correctly work.

File and path:
[slog@smt06hpsa004 slog]$ cat /var/log/http.log
55.3.244.1 GET /index.html 15824 0.043 [slog@smt06hpsa004 slog]$
Priveleg:
-rwxrwxrwx. 1 root root 38 Oct 6 10:18 http.log

I tried to change conf without sincedb_path => "/dev/null" but the same result
Help me please.

magnusbaeck · October 6, 2016, 11:57am

Reset the permissions of the file to whatever it was. It shouldn't be world-writable or executable for anyone. Check the permissions of /var/log. It needs to be readable and executable for the logstash user.

If the logfile is older than 24 hours you also need to adjust the file input's ignore_older option.