Logstash doesn't parse logs after upgrading from 1.5.x to 6.5.x

tbodhini · December 3, 2018, 8:27am

Hi all,

my problem is the following: After upgrading "some" major versions, my logstash config doesn't work as expected anymore. I configured on several different containers and it should process the logs like before. On some hosts it doesn't even process the logs, on others only from the first file input. Was there any change, which could have broken my config? Only thing I changed, was the json_lines delimiter syntax.
Graylog version didn't change and I did the upgrade, because I refactored my logconfig from longer time ago.
Didn't touch anything else than my own logstash-forward.conf, thought acout configuring pipelines.yml, because I have up to 4 different patterns of logs in my hosts.

input {
file {
path => "/opt/java-app/logs/catalina.out"
sincedb_path => "/opt/java-applogstash/sincedb/opt_java-app_logs_catalina.out"
tags => ['streams-java-apps','timeformat_java']
codec => multiline {
pattern => "^%{TIMESTAMP_ISO8601}"
negate => "true"
what => "previous"
max_lines => 50000
}
}
if "timeformat_java" in [tags] {
grok {
match => {
"message" => "%{TIMESTAMP_ISO8601:timestamp}"
}
}
grok {
match => {
"message" => "%{LOGLEVEL:loglevel}"
}
}
grok {
match => {
"message" => "%{JAVAEX:exception}"
}
}
date {
# 2015-06-26 09:45:14,439
match => ["timestamp","ISO8601","YYYY-MM-dd HH:mm:ss,SSS","YYYY-MM-dd HH:mm:ss.SSS","YYYY-MM-dd HH:mm:ss"]
}
kv { prefix => "param" }
}
ruby {
code => "event.set('timestamp', '%10.3f' % event.get('@timestamp').to_f)"
}
mutate {
convert => {"timestamp" => "float"}
}
mutate {
remove_field => ["message","@timestamp","@version"]
}
}
output {
tcp {
host => "graylog-host"
port => "12201"
codec => json_lines {
delimiter => 0
}
}
}

tbodhini · December 3, 2018, 9:02am

Here are my logs ... this is the only message I'm seeing ...

[2018-11-29T11:20:36,459][WARN ][logstash.outputs.tcp ] tcp output exception {:host=>"1.2.3.4", :port=>12201, :exception=>#<EOFError: End of file reached>, :backtrace=>["org/jruby/RubyIO.java:2965:in sysread'", "/opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-tcp-5.0.3/lib/logstash/outputs/tcp.rb:156:inblock in register'", "/opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-codec-json_lines-3.0.6/lib/logstash/codecs/json_lines.rb:48:in encode'", "/opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-tcp-5.0.3/lib/logstash/outputs/tcp.rb:201:inreceive'", "/opt/logstash/logstash-core/lib/logstash/outputs/base.rb:89:in block in multi_receive'", "org/jruby/RubyArray.java:1734:ineach'", "/opt/logstash/logstash-core/lib/logstash/outputs/base.rb:89:in multi_receive'", "org/logstash/config/ir/compiler/OutputStrategyExt.java:114:inmulti_receive'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:97:in multi_receive'", "/opt/logstash/logstash-core/lib/logstash/pipeline.rb:373:inblock in output_batch'", "org/jruby/RubyHash.java:1343:in each'", "/opt/logstash/logstash-core/lib/logstash/pipeline.rb:372:inoutput_batch'", "/optlogstash/logstash-core/lib/logstash/pipeline.rb:324:in worker_loop'", "/opt/logstash/logstash-core/lib/logstash/pipeline.rb:286:inblock in start_workers'"]}

Eniqmatic · December 3, 2018, 9:45am

Can you try the output port number not in quotes?

system · December 31, 2018, 9:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problems with Logstash Parsing Logstash	2	275	December 31, 2018
Why newest versions of logstash are not processing any message Logstash	4	388	February 27, 2019
Logstash doesn't jump to the next line Logstash	1	468	November 7, 2019
Logstash won't start pipeline after moving to 7.6.13 from 6.5.x Logstash	3	340	March 24, 2022
Logstash stopped working after upgrade 6.2.4 --> 6.4.0 Logstash	16	1802	November 19, 2018

Logstash doesn't parse logs after upgrading from 1.5.x to 6.5.x

Related Topics