Logstash: ^CSIGINT received. Shutting down the pipeline. {:level=>:warn}

Shobhlika · March 4, 2016, 10:10am

./logstash -f weblogic-config
You are using a deprecated config setting "pattern" set in grok. Deprecated sett ings will continue to work, but are scheduled for removal from logstash in the f uture. You should use this instead: match => { "message" => "your pattern here" } If you have any questions about this, please visit the #logstash channel on fr eenode irc. {:name=>"pattern", :plugin=><LogStash::Filters::Grok --->, :level=>: warn}
Logstash startup completed
^CSIGINT received. Shutting down the pipeline. {:level=>:warn}
^CSIGINT received. Shutting down the pipeline. {:level=>:warn}
^CSIGINT received. Shutting down the pipeline. {:level=>:warn}
Killed

ELK was working fine until now, but from last some days, it giving a lot of trouble.
There is nothing that gets shown in Kibana.

Any suggestions to troubleshoot or resolve this.
logstash-1.5.0
kibana-4.0.2
elasticsearch-1.5.1

Regards,
Shobhlika

magnusbaeck · March 4, 2016, 10:35am

Showing your configuration would be a good start.

Shobhlika · March 4, 2016, 11:33am

Hello Magnus,

Thank you for replying.

This is the config file.

input
{
file
{
type => "PRD-SOA01-OutFile"
add_field => { server => "PRD-SOA01" }
path=> "/u01/SOA_PRD/logs/domain_SOA_PRD01/server_soa_PRD01/server_soa_PRD01.out"
# codec => plain { charset => "ISO-8859-1" }
}
file
{
type => "PRD-SOA02-OutFile"
add_field => { server => "PRD-SOA02" }
path=> "/u01/SOA_PRD/logs/domain_SOA_PRD01/server_soa_PRD02/server_soa_PRD02.out"
# codec => plain { charset => "ISO-8859-1" }
}
file
{
type => "PRD-SOA03-OutFile"
add_field => { server => "PRD-SOA03" }
path=> "/u01/SOA_PRD/logs/domain_SOA_PRD01/server_soa_PRD03/server_soa_PRD03.out"
# codec => plain { charset => "ISO-8859-1" }
}
file
{
type => "PRD-SOA04-OutFile"
add_field => { server => "PRD-SOA04" }
path=> "/u01/SOA_PRD/logs/domain_SOA_PRD01/server_soa_PRD04/server_soa_PRD04.out"
# codec => plain { charset => "ISO-8859-1" }
}
file
{
type => "PRD-SOA05-OutFile"
add_field => { server => "PRD-SOA05" }
path=> "/u01/SOA_PRD/logs/domain_SOA_PRD01/server_soa_PRD05/server_soa_PRD05.out"
# codec => plain { charset => "ISO-8859-1" }
}
file
{
type => "PRD-SOA06-OutFile"
add_field => { server => "PRD-SOA06" }
path=> "/u01/SOA_PRD/logs/domain_SOA_PRD01/server_soa_PRD06/server_soa_PRD06.out"
# codec => plain { charset => "ISO-8859-1" }
}
}

filter
{
multiline
{
pattern => "^<%{MONTH} %{MONTHDAY}, %{YEAR} %{TIME} (?:AM|PM) (CEST)>"
what => "previous"
negate =>"true"
}
grok
{
pattern => "(?m)<%{DATA:wls_timestamp}> <%{DATA:severity}> <%{DATA:wls_engine}> <%{DATA:wls_errorcode}> <%{GREEDYDATA:wls_logmessage}>"
}
mutate
{
remove_tag => ["multiline"]
}
if "Error" in [severity]
{
if "oracle.soa.b2b.transport" in [wls_engine]
{
if "zero byte" in [wls_logmessage]
{
mutate
{
add_tag => ["Technical Error" , "0 KB File"]
}
}
}
}
if "Error" in [severity]
{
if "oracle.soa.adapter" in [wls_engine]
{
if "JCA-11438" in [wls_logmessage]
{
mutate
{
add_tag => ["Technical Error" , "FTP Error"]
add_field => {NOTE => "Error in establishing connection to FTP server"}
}
}
}
}
if "Error" in [severity]
{
if "oracle.webservice.service" in [wls_engine]
{
if "OWS" in [wls_errorcode]
{
if "Transaction Rolledback" in [wls_logmessage]
{
mutate
{
add_tag => ["Technical Error" , "TimeOutException"]
add_field => { NOTE => "Transaction timed out after 590 seconds"}
}
}
}
}
}
}

output
{
elasticsearch
{
host => "xx.xx.xxx.xx"
index => "soaprd-%{+YYYY.MM.dd}"
protocol=>"http"
port => "9200"
}
}

magnusbaeck · March 4, 2016, 12:06pm

Oh, that's a lot. It's impossible to make a specific guess at what's wrong. I'd try starting Logstash with --verbose and looking in the logs for clues. For example, maybe the Logstash user no longer has access to the log files. I assume the log files are at least changing and getting more data appended to them?