Hello
I have a problem with logstash 6.2.4, when I run my logstash manually, elasticsearch if it shows me my full information, for example a full hour. But if I let it run on systemctl in this case I use centos, it only loads me 30 minutes.
I'm working with multiple pipelines. I do not know if that has something to do with it.
- pipeline.id: nginx
pipeline.workers: 2
path.config: "/etc/logstash/conf.d/logstash-nginx.conf"
queue.type: persisted
This is my config file
input {
file {
path => "/var/log/Nginx/syslogProxy"
start_position => "beginning"
stat_interval => 1
discover_interval => 15
sincedb_path => "/dev/null"
sincedb_write_interval => 15
}
}
filter {
grok {
patterns_dir => "/etc/logstash/patterns/"
match => { "message" => "%{FORTIDATE:logtimestamp}" }
}
date { match => [ "logtimestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ] }
grok {
patterns_dir => "/etc/logstash/patterns"
match => { "message" => "%{NGINX_ACCESS}" }
remove_tag => ["_grokparsefailure"]
add_tag => ["nginx_access"]
}
grok {
match => { "agent" => "[(]%{DATA:OS}; %{DATA:version}; %{DATA:device}[)]" }
match => { "agent" => "[(]%{DATA:OS}[)]" }
}
geoip {
source => "clientip"
}
mutate {
remove_field => [ "type", "path", "host"]
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "logstash-nginx"
}
}
-Jose