Logstash 5.1 refuses to "boot up" (wrong configuration)


(Chris Pete) #1

Hello there!

I am currently using the latest Debian (Jessie) packages from Logstash 5.1 (in conjunction with ES 5.1 and Kibana 5.1), but Logstash is driving me nuts. (Logstash 2.x was working fine; even testing the configuration worked well, something I cannot say for 5.1.) Anyway, I am currently fighting with this configuration:

input {
  beats {
    port => 5044
  }
}

filter {
    mutate {
      strip => "message"
    }

    grok {
      patterns_dir => [ "/etc/logstash/patterns" ]
      tag_on_failure => [ ]
      break_on_match => true

      match => {
        "message" => [
          "%{TIMESTAMP_ISO8601:logdate}[\t ]{1,}%{LOGLEVEL:loglevel}[\t ]{1,}\[%{DATA:thread}\][\t ]{1,}%{DATA:class}\(%{DATA:source_filename}:%{NUMBER:source_linenumber}\):[\t ]{1,}%{GREEDYDATA:message}",
          "%{TIMESTAMP_GERMAN:logdate}[\t ]{1,}%{LOGLEVEL:loglevel}:[\t ]{1,}%{GREEDYDATA}:[\t ]{1,}%{GREEDYDATA:message}"
        ]
      }

      overwrite => [ "message" ]
    }

    if [source] =~ /.+/ {
      grok {
        break_on_match => false
        tag_on_failure => [ ]

        match => [ "source", "(?<tool_complete_name>([A-Z]{2,3}-\d{1,3}))" ]
        match => [ "tool_complete_name", "(?<tool_id>([A-Z]{2,3}))" ]
        match => [ "tool_complete_name", "(?<tool_instance>(\d{1,3}))" ]

        remove_field => [ "tool_complete_name" ]
      }
    }

    date {
      match => [ "logdate", "yyyy-MM-dd HH:mm:ss.SSS" ]

      target => "@timestamp"
      remove_field => [ "timestamp", "timestampMs", "logdate" ]
    }
}

output {
    elasticsearch {
      hosts => [ "localhost" ]
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
}

First off: the custom pattern "TIMESTAMP_GERMAN" was set in a text file like this:

TIMESTAMP_GERMAN %{MONTHDAY}.%{MONTHNUM}.%{YEAR}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})

And was tested with Grok Matcher for validity. Plus, the Logstash logs (if they're written at all under "/var/log/logstash/") tell me

Duplicate keys found in your configuration: At line: 70, column 16 (byte 1559)

There is not even a "line 70" (my config only has 58 lines), but anyway. I tried fiddling around with this:

grok {
  break_on_match => false
  tag_on_failure => [ ]
  match => [ "message", "%{TIMESTAMP_ISO8601:logdate}[\t ]{1,}%{LOGLEVEL:loglevel}[\t ]{1,}\[%{DATA:thread}\][\t ]{1,}%{DATA:class}\(%{DATA:source_filename}:%{NUMBER:source_linenumber}\):[\t ]{1,}%{GREEDYDATA:message}" ]
  match => [ "message", "%{TIMESTAMP_GERMAN:logdate}[\t ]{1,}%{LOGLEVEL:loglevel}:[\t ]{1,}%{GREEDYDATA}:[\t ]{1,}%{GREEDYDATA:message}" ]
}

But this doesn't work either. What's also very strange is that calling Logstash directly, via

/usr/share/logstash/bin/logstash -t -f /etc/logstash/conf.d/01-beats.conf

does nothing at all. All I see for minutes (I waited 15 minutes for some type of console feedback) is "nothing". Using the same call with Logstash 2.x gives me: "Configuration OK".

It's really troublesome for me right now.
Thank you for your help!
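As an added example (not from the thread and not Logstash's own code): a small Python checker that reports a setting repeated inside one block, which is the condition behind the "Duplicate keys found in your configuration" message, run against the second grok block from the post (the `match` key appears three times) and against my rewrite of that block using grok's documented `match => { field => [ patterns ] }` hash form, which carries the same three patterns without repeating the key.

```python
import re
# Constructed input: the second grok block from the post, which repeats the `match` key.
DUPLICATED = """grok {
  break_on_match => false
  tag_on_failure => [ ]
  match => [ "source", "(?<tool_complete_name>([A-Z]{2,3}-\\d{1,3}))" ]
  match => [ "tool_complete_name", "(?<tool_id>([A-Z]{2,3}))" ]
  match => [ "tool_complete_name", "(?<tool_instance>(\\d{1,3}))" ]
  remove_field => [ "tool_complete_name" ]
}
"""
# The same patterns expressed once, as a `match` hash (documented grok syntax): no repeated key.
MERGED = """grok {
  match => {
    "source" => "(?<tool_complete_name>([A-Z]{2,3}-\\d{1,3}))"
    "tool_complete_name" => [ "(?<tool_id>([A-Z]{2,3}))", "(?<tool_instance>(\\d{1,3}))" ]
  }
  remove_field => [ "tool_complete_name" ]
}
"""
KEY_RE = re.compile(r'([A-Za-z_]\w*|"[^"]*"|\'[^\']*\')\s*=>')  # `key =>` or `"key" =>`

def find_duplicate_keys(text):
    """Return (key, line, col, first_line) for every `key =>` repeated in the same {...} block."""
    scopes = [{}]                 # one key -> first-seen-line map per open brace
    dupes, i, line, col = [], 0, 1, 1
    while i < len(text):
        m = KEY_RE.match(text, i)
        if m:                     # a setting at the current nesting level
            key = m.group(1).strip("\"'")
            if key in scopes[-1]:
                dupes.append((key, line, col, scopes[-1][key]))
            scopes[-1].setdefault(key, line)
            col, i = col + (m.end() - i), m.end()
            continue
        ch = text[i]
        if ch in "\"'":           # skip string literals: braces inside grok patterns are not blocks
            j = i + 1
            while j < len(text) and text[j] != ch:
                j += 2 if text[j] == "\\" else 1
            line, col, i = line + text.count("\n", i, j), col + (j + 1 - i), j + 1
            continue
        if ch == "{":
            scopes.append({})
        elif ch == "}" and len(scopes) > 1:
            scopes.pop()
        line, col = (line + 1, 1) if ch == "\n" else (line, col + 1)
        i += 1
    return dupes
```

`find_duplicate_keys(DUPLICATED)` flags the second and third `match` (lines 5 and 6, column 3, first set on line 4) while `MERGED` passes; note that Logstash reports positions within the concatenation of every file under the config directory, so run the checker per file and add the offsets of the preceding files yourself.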
