Was running Logstash 1.5.0 on Debian 7 Wheezy.
It was running fine.
Upgraded to Debian 8 Jessie, and now it's running, but doesn't display data from the configured log files.
It looks like it's only reading authentication errors on the local system. A file I'd not even pointed it at.
I was seeing 2,000-3,000 logs per minute, now I'm not even getting 200-300/min.
I've tweaked and poked at the config, yet it still doesn't display anything from the assigned files.
It appears that lsof is saying the files are being read by Logstash.
init.d/logstash file does have the correct config directory and bin paths.
Logstash starts/stops/restarts correctly with no errors.
Any wisdom on where to start looking?
Input portion of the config (broken into three files: input, filter, output)
input {
# syslog
file {
path => "/var/log/syslog"
exclude => "/var/log/syslog.*"
type => "syslog"
}
# all log
file {
path => "/var/log/*.log"
exclude => "/var/log/*.gz"
type => "syslog"
tags => ["swuc","other"]
}
# Mail Logs
file {
path => "/var/log/mail.log"
path => "/var/log/mail.info"
type => "mail"
tags => [ "swuc","mail"]
}
# DMESG logs
file {
path => "/var/log/dmesg"
type => "dmesg"
tags => [ "swuc","dmesg"]
}
# ARLA Logs
file {
path => "/var/log/remote/arla.log"
type => "syslog"
tags => ["arla","syslog","remote"]
}
# OKLA Logs
file {
path => "/var/log/remote/okla.log"
type => "syslog"
tags => ["okla","syslog","remote"]
}
# SWUC Logs
file {
path => "/var/log/remote/swuc.log"
type => "swuc"
tags => ["swuc","syslog"]
}
# SWUC-PA200 Logs
file {
path => "/var/log/remote/swuc-pa200.log"
type => "paloalto"
tags => ["swuc","paloalto","firewall"]
}
# SWRG Logs
file {
path => "/var/log/remote/swrg.log"
type => "syslog"
tags => ["swrg","syslog","remote"]
}
# TXCO Logs
file {
path => "/var/log/remote/txco.log"
type => "syslog"
tags => ["txco","syslog","remote"]
}
# LSC Logs
lumberjack {
port => 5015
ssl_certificate => ["/etc/ssl/certs/logstash-forwarder.crt"]
ssl_key => ["/etc/ssl/private/logstash-forwarder.key"]
}
file {
path => "/var/log/remote/lsc.log"
type => "syslog"
tags => ["lsc","syslog","remote"]
}
# SWUC-Auditing Logs
file {
path => "/var/log/remote/swuc-audit.log"
type => "swuc-audit"
}
# SWUC-Wifi Logs
file {
path => "/var/log/remote/swuc-wifi.log"
type => "swuc-wifi"
}
# Apache Logs
file {
path => "/var/log/apache2/access.log"
path => "/var/log/apache2/error.log"
type => "Apache"
}
# Nginx Logs
file {
path => "/var/log/nginx/access.log"
path => "/var/log/nginx/error.log"
type => "Nginx"
}
# PaloAlto Logs (testing)
tcp {
port => "5000"
type => "paloalto"
}
# Windows Logs
tcp {
port => 33444
codec => json_lines
}
}