Logstash doesn't parse logs after upgrading from 1.5.x to 6.5.x

tbodhini · December 3, 2018, 8:27am

Hi all,

my problem is the following: After upgrading "some" major versions, my logstash config doesn't work as expected anymore. I configured on several different containers and it should process the logs like before. On some hosts it doesn't even process the logs, on others only from the first file input. Was there any change, which could have broken my config? Only thing I changed, was the json_lines delimiter syntax.
Graylog version didn't change and I did the upgrade, because I refactored my logconfig from longer time ago.
Didn't touch anything else than my own logstash-forward.conf, thought acout configuring pipelines.yml, because I have up to 4 different patterns of logs in my hosts.

input {
file {
path => "/opt/java-app/logs/catalina.out"
sincedb_path => "/opt/java-applogstash/sincedb/opt_java-app_logs_catalina.out"
tags => ['streams-java-apps','timeformat_java']
codec => multiline {
pattern => "^%{TIMESTAMP_ISO8601}"
negate => "true"
what => "previous"
max_lines => 50000
}
}
if "timeformat_java" in [tags] {
grok {
match => {
"message" => "%{TIMESTAMP_ISO8601:timestamp}"
}
}
grok {
match => {
"message" => "%{LOGLEVEL:loglevel}"
}
}
grok {
match => {
"message" => "%{JAVAEX:exception}"
}
}
date {
# 2015-06-26 09:45:14,439
match => ["timestamp","ISO8601","YYYY-MM-dd HH:mm:ss,SSS","YYYY-MM-dd HH:mm:ss.SSS","YYYY-MM-dd HH:mm:ss"]
}
kv { prefix => "param" }
}
ruby {
code => "event.set('timestamp', '%10.3f' % event.get('@timestamp').to_f)"
}
mutate {
convert => {"timestamp" => "float"}
}
mutate {
remove_field => ["message","@timestamp","@version"]
}
}
output {
tcp {
host => "graylog-host"
port => "12201"
codec => json_lines {
delimiter => 0
}
}
}

tbodhini · December 3, 2018, 9:02am

Here are my logs ... this is the only message I'm seeing ...

[2018-11-29T11:20:36,459][WARN ][logstash.outputs.tcp ] tcp output exception {:host=>"1.2.3.4", :port=>12201, :exception=>#<EOFError: End of file reached>, :backtrace=>["org/jruby/RubyIO.java:2965:in sysread'", "/opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-tcp-5.0.3/lib/logstash/outputs/tcp.rb:156:inblock in register'", "/opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-codec-json_lines-3.0.6/lib/logstash/codecs/json_lines.rb:48:in encode'", "/opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-tcp-5.0.3/lib/logstash/outputs/tcp.rb:201:inreceive'", "/opt/logstash/logstash-core/lib/logstash/outputs/base.rb:89:in block in multi_receive'", "org/jruby/RubyArray.java:1734:ineach'", "/opt/logstash/logstash-core/lib/logstash/outputs/base.rb:89:in multi_receive'", "org/logstash/config/ir/compiler/OutputStrategyExt.java:114:inmulti_receive'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:97:in multi_receive'", "/opt/logstash/logstash-core/lib/logstash/pipeline.rb:373:inblock in output_batch'", "org/jruby/RubyHash.java:1343:in each'", "/opt/logstash/logstash-core/lib/logstash/pipeline.rb:372:inoutput_batch'", "/optlogstash/logstash-core/lib/logstash/pipeline.rb:324:in worker_loop'", "/opt/logstash/logstash-core/lib/logstash/pipeline.rb:286:inblock in start_workers'"]}

Eniqmatic · December 3, 2018, 9:45am

Can you try the output port number not in quotes?

system · December 31, 2018, 9:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.