After adding double quotes, I don't see the above error anymore.
However, I am facing a new error:
[root@elk bin]# ./logstash --path.settings /etc/logstash/ -f /etc/logstash/logstash.yml
Thread.exclusive is deprecated, use Thread::Mutex
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2019-08-28T14:37:54,698][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-08-28T14:37:54,727][FATAL][logstash.runner ] Logstash could not be started because there is already another instance using the configured data directory. If you wish to run multiple instances, you must change the "path.data" setting.
[2019-08-28T14:37:54,743][ERROR][org.logstash.Logstash ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit
It seems strange because I have only one instance of Logstash, Kibana and Elasticsearch, all deployed on a single server.
When I run ps -ef | grep logstash I got the below result:
I have killed the Logstash process successfully and I can see the Logstash service running as normal.
However, I am not able to see Logstash indices in Index Management.
Can you guys help provide a way to test the output from Logstash?
Below is my current configuration file:
input {
  beats {
    port => 5044
    type => syslog
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch {
    hosts => ["192.168.67.28:9200"]
    user => "user"
    password => "password"
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
Also, a little question: from all the other topics I have searched on Elastic Discuss, I can see people don't have to put their username and password in the configuration file. So how can I achieve the same?
However, I am not able to see Logstash indices in Index Management.
Impossible to comment without seeing both Elasticsearch and Logstash log.
Also, a little question: from all the other topics I have searched on Elastic Discuss, I can see people don't have to put their username and password in the configuration file. So how can I achieve the same?
You can use at least environment variables or the keystore to store credentials. Read the documentation for more information. But probably people don't use security at all if you don't see username or password parameters in the configuration file.
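
Added example (not part of the original thread): a shell check that flags `user`/`password` settings in Logstash pipeline files that are written as literals rather than `${VAR}` references, which is the form the environment-variable and keystore approach from the reply takes in a config. The names `ES_USER` and `ES_PWD`, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag Logstash pipeline settings that store credentials as literals.
# Only a bare ${VAR} reference passes; Logstash resolves it from its keystore
# (bin/logstash-keystore create, then bin/logstash-keystore add ES_PWD) or,
# failing that, from the environment. ES_USER and ES_PWD are assumed names.

REF='[$][{][A-Za-z_][A-Za-z0-9_]*[}]'   # ${VAR} with no ":default" part

# Print file:line:text for each user/password setting whose value is a literal.
# Only settings that start their own line are checked (the usual layout).
find_literal_credentials() {
  grep -HnE '^[[:space:]]*(user|password)[[:space:]]*=>' "$@" \
    | grep -vE "=>[[:space:]]*[\"']?${REF}[\"']?[[:space:]]*\$" || true
}

# Constructed sample pipelines, written into the directory given as $1.
write_samples() {
  cat > "$1/hardcoded.conf" <<'EOF'
output {
  elasticsearch {
    hosts => ["192.168.67.28:9200"]
    user => "user"
    password => "password"
  }
}
EOF
  cat > "$1/keystore.conf" <<'EOF'
output {
  elasticsearch {
    hosts => ["192.168.67.28:9200"]
    user => "${ES_USER}"
    password => "${ES_PWD}"
  }
}
EOF
  # A default after the colon puts the secret back into the file, so it is flagged.
  cat > "$1/default.conf" <<'EOF'
output { elasticsearch {
    user => "${ES_USER}"
    password => "${ES_PWD:changeme}"
} }
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
find_literal_credentials "$demo_dir"/*.conf
rm -rf "$demo_dir"
```

Run against a real pipeline directory, for example `find_literal_credentials /etc/logstash/conf.d/*.conf`, an empty result means every matched setting is a variable reference.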