Logstash does not do anything with file input but starts successfully

Gegi_K · March 12, 2019, 9:26am

Hello All,

I have an issue where I cannot find what is goint on. I have a plain logstash config file:

input {
file {
path => [ "C:\Users\Administrator\Desktop\1.txt" ]
}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
file {
path => "C:\Users\Administrator\Desktop\LogTest\test.log"
}
}

Here the contents of the 1.txt will not be read and put to elasticsearch nor into the file.
I have a FIrewall where it can stream logs to TCP/UDP and if I set the input to the appropriate port then I see the logs from the firewall in the test.log file and in Kibana.

Any help Appreciated.

All modules are on version 6.5.0

Thanks in advance!
Kind Regards,
Gergö

samyo · March 12, 2019, 9:31am

Of course it will not read your "1.txt" , cause in your Config file you do not have any filter , to match your "1.txt" log file.

Gegi_K · March 12, 2019, 9:34am

dear samyo,

thanks for the input, what confuses me is that this:

input {
tcp {
port => 5002
}
udp {
port => 5002
}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
file {
path => "C:\Users\Administrator\Desktop\LogTest\test.log"
}
}

works and the data stream arriving on that port will be added to the test.log file without any filter. but I'll make one and test it.

Badger · March 12, 2019, 12:54pm

Use forward slash, not backslash, in filenames.

guyboertje · March 12, 2019, 12:56pm

If the file 1.txt exists when you start Logstash it will "tail" from the end (it assumes that the existing contents are old and of no interest). If you want the full file to be read and then tailed use start_position => "beginning" BUT if you want to simply read a "done" file then read up on read mode here, the setting and this setting also.

system · April 9, 2019, 12:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.