Logstash doesn't read an input file :/

abed85 · July 31, 2017, 6:50pm

Hello ,
I am trying to use Docker ELK stack to visualize the log of openvswitch.
My problem with logstash that it doesn't read the log file.
in the /logstash/pipeline/logstash.conf I added

input {
file {
    path => "/var/log/openvswitch/ovs-ctl.log"
    tags => "openvswitch"
    type => "openvswitch"
} 
}

when I am running the stack It doesn't read that file. I tried with another simple file in different location and also It doesn't read that file.
I have:

logstash_1       | Sending Logstash's logs to /usr/share/logstash/logs which is now configured via log4j2.properties
logstash_1       | [2017-07-31T18:07:52,990][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://elasticsearch:9200/]}}
logstash_1       | [2017-07-31T18:07:52,997][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://elasticsearch:9200/, :path=>"/"}
logstash_1       | [2017-07-31T18:07:53,187][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>#<URI::HTTP:0x505b9cd URL:http://elasticsearch:9200/>}
logstash_1       | [2017-07-31T18:07:53,190][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil}
logstash_1       | [2017-07-31T18:07:53,310][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-*", "version"=>50001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"_default_"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword"}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
logstash_1       | [2017-07-31T18:07:53,324][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>[#<URI::Generic:0x33286cfc URL://elasticsearch:9200>]}
logstash_1       | [2017-07-31T18:07:53,334][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>500}
logstash_1       | [2017-07-31T18:07:53,828][INFO ][logstash.inputs.tcp      ] Starting tcp input listener {:address=>"0.0.0.0:5000"}
logstash_1       | [2017-07-31T18:07:53,849][INFO ][logstash.pipeline        ] Pipeline main started
logstash_1       | [2017-07-31T18:07:54,041][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

Thank you in advance,

CDR · August 2, 2017, 8:57pm

Can you attach your configuration file?

magnusbaeck · August 3, 2017, 8:10am

Does /var/log/openvswitch/ovs-ctl.log exist inside the Logstash Docker container?

abed85 · August 3, 2017, 4:16pm

input {
	tcp {
		port => 5000
	}

	 file {
 	    path => "/var/log/openvswitch/ovs-ctl.log"
	    tags => "openvswitch"
	    type => "openvswitch"
	}
 }     

 output {
	elasticsearch {
		hosts => "elasticsearch:9200"
	}
}

abed85 · August 3, 2017, 4:19pm

No... but It's on the same device. Why and how it should be in the Logstash Docker container?

CDR · August 3, 2017, 4:32pm

I had the same issue with running Logstash using Docker. The container's files are separate from the files on the device unless you mount a volume containing the files you wish to parse. Basically logstash is looking within the containers file system to find the file you are specifying. It cannot find that file because it does not exist within that container. Read more about how to create a container here.

abed85 · August 3, 2017, 6:30pm

Many Thanks @CDR !!! Problem solved

You are right... I mounted the file to a "mediator" volume in the container (I used /usr/share/logstash/docs) and I modified the path of the input file to the mediator path.

Cheers!

system · August 31, 2017, 6:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash: File Input in Read Mode does not work - Docker image and Java Version Logstash docker	2	774	September 5, 2019
Input simple txt file Logstash	4	2840	November 6, 2019
Logstash File Input Plugin Read Mode Not Loading Data Logstash	4	3272	February 24, 2019
Sending JSON file to Elasticsearch via Logstash HTTP input plugin and Docker Logstash	5	17750	September 22, 2017
Logstash docker file input and file output Logstash	3	2534	August 23, 2017

Logstash doesn't read an input file :/

Related topics