Logstash doesn't read config from /etc/logstash/conf.d/

sgm · September 9, 2016, 11:01am

Hello. Sorry for my english.

I installed logstash-2.4.0_all.deb on ubuntu server 16.04.1.
I wrote in /etc/logstash/conf.d/ex.conf:
input {
tcp {
type => "eventlog"
port => 3515
codec => json
}
} filter {
}

output {
elasticsearch {
cluster => "elasticsearch"
node_name => "Franz Kafka"
}
}

And I started logstash by the "sudo service logstash start".
By the "sudo service logstash status" I saw that logstash active.
But no file logstash.log in /var/log/logstash.
And no open tcp port 3515 by the "sudo netstat -lpn"

For test I deleted word "input" in /etc/logstash/conf.d/ex.conf and restart logstash.
No entryes about this event in /var/log/logstash/logstash.err and no file /var/log/logstash/logstash.log.

What's the reason of this trouble?????

Thank you.

theuntergeek · September 9, 2016, 3:21pm

Try running this command:

sudo /opt/logstash/bin/logstash -f /etc/logstash/conf.d/ex.conf --verbose

Then you'll know what's going on if root is running Logstash. It's likely a permissions issue with the logstash user not being able to write a file (perhaps one of the log files).

sgm · September 11, 2016, 7:15pm

theuntergeek, thank yoy for your answer. I ran this command, but no any result - black screen.

theuntergeek · September 12, 2016, 11:47am

Please don't send configuration images. We can't select portions to paste back.

I do not know why you have commented out the cluster and node_name portions of the elasticsearch output, but that is not helpful for troubleshooting.

Perhaps you should replace the elasticsearch output temporarily with a stdout block:

output {
  stdout { codec => rubydebug }
}

Re-run the sudo command as before, and if you still don't see output at the command-line, it will be because of something else.