Logstash / Elasticsearch Double Values

Dear all,

I have an issue with Logstash that I have been trying to solve for a while. My problem is that the values in the output for "PROBLEMSITE" are always doubled. Here is a JSON example:

  "_source": {
    "request": [
      "/",
      "/"
    ],
    "agent": [
      "\"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"",
      "\"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\""
    ],
    "auth": [
      "-",
      "-"
    ],
    "ident": [
      "-",
      "-"
    ],
    "verb": [
      "GET",
      "GET"
    ],

All other sites' output works as expected! No issues, only for "PROBLEMSITE"...

I have a Logstash config as follows:

# Logstash pipeline for four nginx access logs (logstash/conf.d/nginx.conf per the thread).
# NOTE(review): Logstash loads every file in its config directory and concatenates them into
# one pipeline, so a stray copy of this file (e.g. a backup left in conf.d) runs every filter
# and output a second time. grok appends to fields that are already set, which is consistent
# with the duplicated array values shown in the _source example above.
input {
  # Each input below keeps no read position (sincedb_path => "/dev/null") and starts at the
  # beginning, so every Logstash restart re-ingests the whole file. The outputs set no
  # document_id, so each restart stores a second copy of every line. Point sincedb_path at a
  # writable file if that is not intended.
  file {
    path => [ "/var/log/nginx/access.log" ]
    # Only this input leaves exclude disabled; the other three skip rotated *.gz archives.
    #exclude => "*.gz"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    # presumably 0 means "no age cutoff" — confirm against the file-input docs for this Logstash version
    ignore_older => 0
    # type drives the if/else chains in filter and output below; the four values must match exactly.
    type => "nginx-default"
  }

  file {
    path => [ "/var/log/nginx/xxx-PROBLEMSITE.access.log" ]
    exclude => "*.gz"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    ignore_older => 0
    type => "nginx-PROBLEMSITE"
  }

  file {
    path => [ "/var/log/nginx/webmail.access.log" ]
    exclude => "*.gz"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    ignore_older => 0
    type => "nginx-webmail"
  }

  file {
    path => [ "/var/log/nginx/owncloud.access.log" ]
    exclude => "*.gz"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    ignore_older => 0
    type => "nginx-owncloud"
  }
}


filter {

  if [type] == "nginx-default" {
    # COMBINEDAPACHELOG yields clientip, ident, auth, timestamp, verb, request, httpversion,
    # response, bytes, referrer and agent. request, referrer and agent are client-supplied
    # strings copied verbatim (see the Googlebot agent value in the example above).
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match => [ "message", "%{COMBINEDAPACHELOG}" ]
    }

    # The UTC offset is a literal: a log line whose offset is not exactly +0100 (for example one
    # written while the host is on summer time, +0200) does not match and the event is tagged
    # _dateparsefailure. A `Z` in place of `+0100` parses any offset. Only this type parses the
    # log timestamp at all; the other three types keep the ingest time as @timestamp, which with
    # the re-read-on-restart inputs above is not the time of the request.
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss +0100" ]
      target => "tempdate"
    }

    # Renders tempdate as a +01:00 wall-clock string in logdatetime (Time#localtime converts t in
    # place). If the date filter did not match, tempdate is absent and `.time` raises inside the
    # ruby filter — presumably the event is then tagged rather than dropped; verify on a
    # _dateparsefailure event. The code string below is kept byte-for-byte.
    ruby {
      code => "
         	 t = event.get('tempdate').time
				 t.localtime('+01:00')
				 event.set('logdatetime', t.strftime('%Y-%m-%dT%H:%M:%S +0100'))
				 "
    }

    # The database path pins a dated GeoLite2 snapshot (20170704); lookups drift as address
    # blocks are reassigned, so refresh the file and this path periodically. Same file is
    # referenced by all four branches.
    geoip {
      source => "clientip"
      target => "geoip-src"
      database => "/etc/logstash/GeoLite2-City_20170704/GeoLite2-City.mmdb"
    }

  }

  else if [type] == "nginx-PROBLEMSITE" {
    # Same grok as nginx-default but with no date/ruby stage, so @timestamp is the ingest time.
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match => [ "message", "%{COMBINEDAPACHELOG}" ]
    }
    geoip {
      source => "clientip"
      target => "geoip-src"
      database => "/etc/logstash/GeoLite2-City_20170704/GeoLite2-City.mmdb"
    }

  }

  else if [type] == "nginx-webmail" {
    # ACTIVESYNC is a custom pattern from patterns_dir, not a stock Logstash pattern; the field
    # names it produces (at least clientip, used by geoip below) are defined there.
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match => [ "message", "%{ACTIVESYNC}" ]
    }

    geoip {
      source => "clientip"
      target => "geoip-src"
      database => "/etc/logstash/GeoLite2-City_20170704/GeoLite2-City.mmdb"
    }

  }

  else if [type] == "nginx-owncloud" {
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match => [ "message", "%{COMBINEDAPACHELOG}" ]
    }

    geoip {
      source => "clientip"
      target => "geoip-src"
      database => "/etc/logstash/GeoLite2-City_20170704/GeoLite2-City.mmdb"
    }

  }

}

output {

  # All four outputs talk to the same node. No ssl/user/password options are set, so the
  # transport is the plugin default (unencrypted HTTP, no credentials); confirm that the path
  # to 192.168.0.12:9200 is a trusted network segment. manage_template + template_overwrite
  # re-upload the named template on every pipeline start, replacing whatever the cluster holds
  # under that name. No document_id is set, so Elasticsearch assigns ids and re-read lines are
  # stored as new documents rather than deduplicated.
  if [type] == "nginx-default" {
    elasticsearch {
      # Daily index. Note the date separator: this and PROBLEMSITE use YYYY-MM-dd, webmail and
      # owncloud use YYYY.MM.dd; the templates' "nginx-webhoster-<name>-*" pattern matches both.
      index => "nginx-webhoster-default-%{+YYYY-MM-dd}"
      hosts => [ "192.168.0.12:9200" ]
      #flush_size => 1000
      manage_template => true
      template_overwrite => true
      template => "/etc/logstash/templates/nginx.json"
      template_name => "nginx-webhoster-default"
    }
  }

  else if [type] == "nginx-PROBLEMSITE" {
    elasticsearch {
      index => "nginx-webhoster-PROBLEMSITE-%{+YYYY-MM-dd}"
      hosts => [ "192.168.0.12:9200" ]
      #flush_size => 1000
      manage_template => true
      template_overwrite => true
      template => "/etc/logstash/templates/nginx.PROBLEMSITE.json"
      template_name => "nginx-webhoster-PROBLEMSITE"
    }
  }

  else if [type] == "nginx-webmail" {
    elasticsearch {
      index => "nginx-webhoster-webmail-%{+YYYY.MM.dd}"
      hosts => [ "192.168.0.12:9200" ]
      #flush_size => 1000
      manage_template => true
      template_overwrite => true
      template => "/etc/logstash/templates/nginx.webmail.json"
      template_name => "nginx-webhoster-webmail"
    }
  }

  else if [type] == "nginx-owncloud" {
    elasticsearch {
      index => "nginx-webhoster-owncloud-%{+YYYY.MM.dd}"
      hosts => [ "192.168.0.12:9200" ]
      #flush_size => 1000
      manage_template => true
      template_overwrite => true
      template => "/etc/logstash/templates/nginx.owncloud.json"
      template_name => "nginx-webhoster-owncloud"
    }
  }
}

Could anyone give a hint or shed some light please?

Where are your config files? What files do you have in that directory?

Hi Magnus, the config above is logstash/conf.d/nginx.conf.
I also have templates under logstash/templates:

{
    "template" : "nginx-webhoster-PROBLEMSITE-*",
    "order" : 0,
    "settings" : {
        "number_of_shards" : 2,
        "index.refresh_interval" : "90s"
    },
    "mappings" : {
        "nginx-webhoster-PROBLEMSITE" : {
            "properties" : {
                "timestamp" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
                "httpversion" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
                "request" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
                "auth" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
                "agent" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
                "clientip" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
                "bytes" : { "index": "not_analyzed", "doc_values": true, "type" : "long" },
                "response" : { "index": "not_analyzed", "doc_values": true, "type" : "short" },
		"ident" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
                "rawrequest" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
		"verb" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
		"referrer" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
		"@timestamp" : { "format" : "dateOptionalTime", "type" : "date" } 
            }
        }
    }
}

The other templates are all the same...

What other files do you have in logstash/conf.d?

Thanks for nudging me in the right direction: I had a backup file in that folder, and it seems Logstash read that file too. After I removed it, the problem seems solved for now. Any clue why the other inputs/outputs were not affected?
