Logstash doesn't communicate with Elasticsearch

hzarrabi · February 5, 2018, 12:49pm

Hi,

"I'm novice in Elastic Stack !!! "

My Elasticsearch and Kibana on Linux Ubuntu working well. I receive log from beats but my logstash seems to do not communicate with elasticsearch.

Logstash on my server shoud read directly log files on server.

Could you please help me.

Regards

my conf in /etc/logstash/conf.d is :

input {
file {
path => ["/var/log/*"]
type => "syslog"
}
}

filter {
}

output {
elasticsearch {
hosts => ["localhost:9200"]
stdout { codec => rubydebug { metadata => true }
}

magnusbaeck · February 5, 2018, 1:47pm

Is Logstash reading any logs at all? Comment out your elasticsearch filter and use only your stdout output to find out. Have you looked in your Logstash log for clues about any ES connection problems?

hzarrabi · February 5, 2018, 2:29pm

Thank you for replying.

I changed my conf into :

input {
file {
path => ["/var/log/*"]
type => "syslog"
}
}

filter {
}

output {
stdout { }
}

but still noting happed.

in my log

/usr/share/logstash/logs/logstash-plain.log

I have repeatedly these two lines :

[2018-02-05T15:23:55,483][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}

[2018-02-05T15:23:55,489][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}

Regards

magnusbaeck · February 5, 2018, 2:50pm

Does the Logstash process have permissions to read the files in /var/log? Are those files changing at any point?

hzarrabi · February 6, 2018, 12:58pm

Hi Magnus,

yes, I has the permission to read the logs.
As the server is for Elastic Stack product validation, there is not lots of logs. But in any case, I should be able to see the old entries in Kibana.

could you please tell also me why I have repeaded logs in
/usr/share/logstash/logs/logstash-plain.log

as folow :

[2018-02-06T11:57:10,664][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[2018-02-06T11:57:10,666][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}

Which communication protocol is used between logstash and lesaticsearch ?

Many thanks

magnusbaeck · February 6, 2018, 9:30pm

But in any case, I should be able to see the old entries in Kibana.

Not without start_position => "beginning" in the file input configuration.

Which communication protocol is used between logstash and lesaticsearch ?

HTTP.

system · March 6, 2018, 9:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.