Logstash conf not loading new version

Hello,

I have this issue with a conf file. I create the file and start laying out a filter. I then save and test it, and everything is going well. Then I'll add something like another grok filter, add a tag, or overwrite a field. I'll restart the service and the new additions will not work. I'll walk away for a few hours and come back and it starts working. This doesn't happen on all my conf files, just a few: this one and another I was working on a few weeks ago. It seems like Logstash is using a cached version of the config. I know this because I'll deliberately put a typo in the new section of the file and it will still load without error.

Is there some type of .conf file cache setting that will hold on to an old version of the config?

Thanks for the help in advance. This one is really driving me crazy.

Single Node
ELK Stack 6.3.2

How are you running Logstash, i.e. as a daemon on CentOS, for example?
Can you post the contents of /etc/logstash/conf.d or the path you use for config?

Can you explain this: "I know this because I'll deliberately put a typo in the new section of the file and it will still load without error." - this is weird. If the config is syntax(ly?) correct then the server will not start it...

It's a service on Ubuntu 16.04.5.
Below is a config I am working on. The path is /etc/logstash/conf.d/

Remember that this doesn't do this to all my configs. Just a select few like the one below. I have the config reload interval set to 5s and I've noticed that when I change this file, Logstash doesn't reload. I have to restart the service, leave it be for a few hours and then it starts working. I have tried deleting the file and starting over but got the same result.

Directory

./
.git/
patterns/
templates/
02-beats-input.conf
03-syslog-input.conf
11-cisco-syslog-filter.conf
12-apache-filter.conf
13-mysql-filter.conf
14-nginx-filter.conf
15-system-filter.conf
16-firewall-filter.conf
17-xirrus-filter.conf
18-igt-filter.conf
19-infogenesis-filter.conf
20-windows-security-filter.conf
21-windows-system-filter.conf
22-tacacs-filter.conf
23-snoopy-filter.conf
24-ruckus-filter.conf
25-cucm-filter.conf
26-airwatch-filter.conf
27-dhcp-filter.conf
28-rguestpay-filter.conf
29-cradlepoint-filter.conf
30-securelink-filter.conf
60-elasticsearch-output.conf

30-securelink-filter.conf

filter {
  if [type] == 'syslog' and 'pre-processed' not in [tags] {
    grok {
      id => "securelinkGrokMessage"
      patterns_dir => [ "/etc/logstash/conf.d/patterns" ]
      match => [
              "message", "<%{POSINT:syslog_pri}>SecureLink:\s\s%{WORD:securelink.facility}:\s\s%{GREEDYDATA:message}"
        ]
      overwrite => [ "message" ]
      add_tag => [ "pre-processed", "Securelink" ]
      remove_field => [ "@version" ]
    }

    if 'Securelink' in [tags] {
        #new addition
        grok {
            id => "securelinkGrokMessageDetail"
            patterns_dir => [ "/etc/logstash/conf.d/patterns" ]
            match => [
                "message", "%{SECURELINKUSER}",
                "message", "%{SECURELINKUSERADMIN}",
                "message", "%{SECURELINKUSERSERVICE}",
                "message", "%{SECURELINKVENDORREP}"
            ]
            overwrite => [ "message" ]
        }
        #end addition

        syslog_pri {
            id => "securelinkPRI"
            remove_field => [
                "syslog_severity",
                "syslog_facility",
                "syslog_facility_code"
            ]
            add_field => { "severity" => "%{syslog_severity_code}"}
        }
    }
  }
}

Well, thanks for taking a look. I have moved on and am working on other things. I'm sure I'll figure it out. Thanks for your time.
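
One way to check which version of a config Logstash is actually running, added here as an example and not code from the thread: compare the plugin `id` values in the posted 30-securelink-filter.conf with what the Logstash monitoring API reports, and read the pipeline's reload counters. It assumes the API is enabled on its default port 9600 and that running plugins are listed by their `id`; the JSON below is a constructed sample trimmed to the fields used.

```python
import json

# Constructed sample of a GET /_node/stats/pipelines response; the error
# text and timestamp are made up for illustration.
SAMPLE_STATS = json.loads("""
{
  "pipelines": {
    "main": {
      "plugins": {
        "inputs": [],
        "filters": [
          {"id": "securelinkGrokMessage", "name": "grok"},
          {"id": "securelinkPRI", "name": "syslog_pri"}
        ],
        "outputs": []
      },
      "reloads": {
        "successes": 0,
        "failures": 3,
        "last_error": {"message": "constructed config parse error"},
        "last_failure_timestamp": "2018-09-01T12:00:00.000Z",
        "last_success_timestamp": null
      }
    }
  }
}
""")

def check_loaded(stats, expected_ids, pipeline="main"):
    """Report expected plugin ids that are not running, plus reload failures."""
    p = stats["pipelines"][pipeline]
    running = {plug["id"]
               for kind in ("inputs", "filters", "outputs")
               for plug in p["plugins"].get(kind, [])}
    reloads = p.get("reloads", {})
    err = reloads.get("last_error") or {}  # null when no reload has failed
    return {
        "missing": sorted(set(expected_ids) - running),
        "reload_failures": reloads.get("failures", 0),
        "last_error": err.get("message"),
    }

if __name__ == "__main__":
    # Live use (assumption: API reachable on localhost:9600):
    #   from urllib.request import urlopen
    #   stats = json.load(urlopen("http://localhost:9600/_node/stats/pipelines"))
    ids = ["securelinkGrokMessage", "securelinkGrokMessageDetail", "securelinkPRI"]
    print(check_loaded(SAMPLE_STATS, ids))
```

An id that is in the file but listed under `missing`, together with a non-zero `reload_failures`, points to a rejected reload rather than a cache, and `last_error` carries the reason.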
