Hi All, I know that there are several open discussions on the topic already, but nothing in there helped me resolve my situation.
#1 I installed Logstash on Ubuntu 20.04 for testing purposes and enabled it to run at system startup.
#2 Afterwards I created 3 different logstash.conf files with different configurations in /usr/share/logstash/bin.
Below I'll paste only one of them. I can paste the rest if it's going to help.
#3 My Logstash config file (variant 2) looks like this:
input {
  # Accept input from the console.
  stdin {}
}
filter {
  # Pick one of two grok patterns depending on the log level found in the message.
  if [message] =~ "Security" or [message] =~ "Info" {
    grok { match => { "message" => "(?:Z|[+-]%{HOUR}(?::?%{MINUTE})) (?<log_level>\w+) (?<host>[a-zA-Z0-9]+) (?<action>\w+:) (?<type>\w+=\w+>
  }
  if "Warning" in [message] {
    grok { match => { "message" => "(?:Z|[+-]%{HOUR}(?::?%{MINUTE})) (?<log_level>\w+) (?<host>[a-zA-Z0-9]+) (?<FW>\w+:) (?<req>\[\w+\]) (?<>
  }
  #prune { whitelist_names => ["^smac$"] }
  #prune { blacklist_names => ["^smac$"] }
  # Normalise the raw "proto=TCP|" token captured by the Warning pattern.
  if [protocol] == "proto=TCP|" {
    mutate { update => { "protocol" => "TCP" } }
  }
}
output {
  #elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}
Basically I test this configuration with an entry from a FW as stdin and display it on the same console. Since I have three different FW log levels, Security, Info and Warning, I have an if condition that will apply one of two grok filters. There's plenty of room for improvement, I know; I didn't use grok patterns (only a few in the beginning) since using these patterns with the online grok debugger didn't match anything after the timestamp. My config works like a charm.
However, the CPU usage goes up to 300% even when I haven't started Logstash. Just the service is active.
I run logstash in its /bin directory with this command:
./sudo logstash -f logstash2.conf
It runs successfully but with a couple of warnings and errors.
I read in the other threads that it's normal for Logstash to eat up CPU resources if it's not running a pipeline, but even after I start it with the above command the CPU usage stays the same.
Another thing that I noticed is that the PID of Logstash frequently changes (every 5-6 seconds).
I checked /var/log/logstash/logstash-plain.log for errors and it's full of two different
I also installed jmap as I read that high CPU usage might be due to heap overflows or something, but this is far beyond my knowledge at this moment.
Does anybody have a clue what I'm missing? I guess that I didn't express myself quite eloquently, so if you need additional information please let me know.
Thank you in advance.
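To make the filter logic of the config above checkable without a running Logstash, here is an added Python example (not the poster's config and not Logstash's own code) that emulates the three stages of that filter block over a few constructed firewall lines: the level-based dispatch to one of the two grok patterns, grok's unanchored search using the stock HOUR and MINUTE definitions expanded by hand, and the mutate that rewrites proto=TCP|. Both grok patterns in the post are cut off mid-line, so the tail of each regex here after the last field visible in the post, and the sample lines themselves, are assumptions made only so the example runs.

```python
import re

# Grok's stock HOUR and MINUTE definitions (logstash-patterns-core), expanded
# by hand so the example runs without Logstash installed.
HOUR = r"(?:2[0123]|[01]?[0-9])"
MINUTE = r"(?:[0-5][0-9])"
# The (?:Z|[+-]%{HOUR}(?::?%{MINUTE})) prefix used by both patterns in the post.
TZ_OFFSET = rf"(?:Z|[+-]{HOUR}(?::?{MINUTE}))"

# ASSUMPTION: the post shows both grok patterns truncated, so everything after
# the "type" field and after the "req" field below is invented for this example
# and is not the poster's actual pattern.
SECURITY_INFO_RE = re.compile(
    rf"{TZ_OFFSET} (?P<log_level>\w+) (?P<host>[a-zA-Z0-9]+) "
    rf"(?P<action>\w+:) (?P<type>\w+=\w+)"
)
WARNING_RE = re.compile(
    rf"{TZ_OFFSET} (?P<log_level>\w+) (?P<host>[a-zA-Z0-9]+) "
    rf"(?P<FW>\w+:) (?P<req>\[\w+\]) (?P<protocol>\S+)"
)


def _grok(event, regex):
    """Emulate one grok filter: unanchored search over [message], captured
    groups merged into the event, and a _grokparsefailure tag on no match."""
    m = regex.search(event["message"])
    if m:
        event.update(m.groupdict())
    else:
        event.setdefault("tags", []).append("_grokparsefailure")


def filter_event(message):
    """Run the post's filter block over a single stdin line and return the event."""
    event = {"message": message}
    # if [message] =~ "Security" or [message] =~ "Info" (regex match, case-sensitive)
    if re.search("Security", message) or re.search("Info", message):
        _grok(event, SECURITY_INFO_RE)
    # if "Warning" in [message] (substring test)
    if "Warning" in message:
        _grok(event, WARNING_RE)
    # mutate { update => ... } only rewrites a field that already exists,
    # so a line with no [protocol] field passes through untouched.
    if event.get("protocol") == "proto=TCP|":
        event["protocol"] = "TCP"
    return event


# Constructed sample lines for the example; they are not real firewall output.
SAMPLE_LINES = [
    "2024-05-01T10:15:00+02:00 Security fw01 Login: user=admin",
    "2024-05-01T10:16:00Z Info fw01 Rule: action=allow",
    "2024-05-01T10:17:00+0200 Warning fw01 FW: [drop] proto=TCP| src=10.0.0.5",
    "2024-05-01T10:18:00+02:00 Warning fw01 malformed line",
    "not a firewall line at all",
]


def run_pipeline(lines=SAMPLE_LINES):
    """Apply the filter to every line, like stdin {} feeding the filter block."""
    return [filter_event(line) for line in lines]


if __name__ == "__main__":
    import json
    # Stand-in for stdout { codec => rubydebug }.
    for ev in run_pipeline():
        print(json.dumps(ev, indent=2))
```

Feeding the same constructed lines to the real pipeline (`./logstash -f logstash2.conf` and pasting them on stdin) is the direct comparison: a field missing from the rubydebug output but present here means the truncated part of the real pattern differs from the assumed tail, and a `_grokparsefailure` tag on a line that matched here points at the same place.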