Logstash can not output to elasticsearch?


(Bejjm) #1

Version: Logstash 5.0.2 / Elasticsearch 5.0.2
1. My configuration file in /etc/logstash/config.d/test.conf:
    input {
      file {
        path => "/home/installer/test//logs/test_client.log"
      }
    }

    filter {
      grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{DATA:thread_name} %{LOGLEVEL:level} %{DATA:component} %{HOSTNAME:instance} %{JAVACLASS:logger_name} %{NOTSPACE:slm} %{GREEDYDATA:log_message}" }
      }

      json {
        source => "slm"
        target => "context"
        remove_field => ["slm"]
      }
    }

    output {
      elasticsearch {
        hosts => ["10.175.193.176:9200"]
        index => "lwm2m-server-%{+YYYY.MM.dd}"
      }
      stdout { codec => rubydebug }
    }

2. And my test_client.log file had some log messages.

I used this command to start Logstash: sudo initctl start logstash, and Logstash is running.
But Elasticsearch received no messages from 'logstash'.

However, when I used this command to start Logstash: ./bin/logstash -f test.conf
Elasticsearch can receive messages from 'logstash'.

Why?
Does anybody know what's going on?


(Magnus Bäck) #2

Perhaps the user that runs Logstash as a daemon (typically "logstash") doesn't have read access to the file.


(Bejjm) #3

Thank you for your reply.
The logging directory, /home/installer/test/logs/, was root:root, so I chown'd both to chown -R logstash:logstash .
But problems remain.


(Magnus Bäck) #4

And what are the permissions of /home, /home/installer, and /home/installer/test?


(Bejjm) #5

Thank you very much. I solved the problem by your method.
But I don't understand; I had set the file so that all users can read it.
[installer@test test]
drwxr-xr-x. 8 installer installer 4096 Sep 19 21:53 logs

Why must 'chown -R logstash:logstash /home/test/' be executed before the file can be read?


(Magnus Bäck) #6

All directories leading up to a file must be executable to the user attempting to access the file.
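
The rule in the reply above, as an added example that is not part of the original thread: a POSIX shell check that walks every directory above a file and lists the ones a user outside the owner and group (such as a daemon account) cannot traverse. The function names, the temporary tree and the 0700 mode on the home directory are assumptions made for illustration; only mode bits are examined, not ACLs or SELinux.

```shell
#!/bin/sh
# Added example (not from the thread): find ancestor directories that a user
# outside the owner and group cannot traverse. Mode bits only; ACLs and
# SELinux are not evaluated.

# Succeeds if the "other" class has the search (x) bit on directory $1.
other_can_search() {
    perms=$(ls -ld "$1" | cut -c10)       # 10th char of e.g. drwxr-x---
    case "$perms" in
        x|t) return 0 ;;                  # t = sticky bit plus x
        *)   return 1 ;;
    esac
}

# Prints each blocking ancestor of absolute path $1, root-most first.
# Returns 1 if any directory blocks traversal, 0 otherwise.
blocked_ancestors() {
    dir=$(dirname "$1")
    found=""
    while :; do
        if ! other_can_search "$dir"; then
            found="$dir
$found"
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    [ -z "$found" ] && return 0
    printf '%s' "$found"
    return 1
}

# Constructed tree mirroring the thread's path; mode 0700 on the home
# directory is an assumption, the thread never shows it.
root=$(mktemp -d)
log="$root/home/installer/test/logs/test_client.log"
mkdir -p "$root/home/installer/test/logs"
: > "$log"
chmod 755 "$root" "$root/home" "$root/home/installer/test" "$root/home/installer/test/logs"
chmod 644 "$log"                          # world-readable, as in post #5
chmod 700 "$root/home/installer"          # no search bit for "other"
if ! blocked_ancestors "$log"; then
    echo "file mode is 644, but the directories above block access"
fi
rm -rf "$root"
```

On a real host, `sudo -u logstash test -r /path/to/file` reports the effective result for the daemon account, including group membership and ACLs. Granting search permission only on the blocking directory is a narrower change than a recursive chown of the tree.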

