Logstash email alerts dynamically from multiple log files

abathula · July 7, 2015, 6:15am

I have the logstash config file in which i have written the mail alert for particular text present in the message then automatically send an email with the message. Please find the configuration file (logstash.conf).

input {
file {
path => [ "\IP Address\logs/LMS.log.*_bak" ]
start_position => "beginning"
}
}

output {
elasticsearch {
bind_host => "127.0.0.1"
port => "9200"
protocol => http
}
if "ERROR" in [message] {
email {
from => "logstash.alert@nowhere.com"
subject => "logstash alert"
to => "test.lms@gmail.com"
via => "smtp"
body => "Here is the event line that occured: %{message}"
}
}
}
Here i am not not getting any email from that configuration.So anyone please find that configuration give the solution for me thanks...

magnusbaeck · July 7, 2015, 6:52am

Is there anything interesting in the Logstash logs? What if you turn up the logging with --verbose or -debug? Are you getting data into Elasticsearch? Is new data being added to the log files?

Break down the problem and isolate the factors. What if you skip the conditional around the email output and the elasticsearch output and use a stdin input to feed messages one by one. Does it send any email messages then? If yes, reintroduce things until you get to a stage where it doesn't work again.

abathula · July 7, 2015, 6:59am

HI Magnusbaeck,

Thanks for replying me, am waiting from last 20 min for your valuable response.

Yes exactly i tried with --debug option, logs are loaded from logstash and for email giving this response.

But, am not getting any emails.

magnusbaeck · July 7, 2015, 7:33am

Is new data being added to the files you're monitoring? Logstash will only read old logfiles from the beginning under certain circumstances.

Next time, please copy/paste from logs. Don't use screenshots.

abathula · July 7, 2015, 8:32am

Actually i added some logs to the location of old logs present. Logstash automatically updated with the new logs but mails are not coming. Elastic search also automatically update the new logs into their storage.

magnusbaeck · July 7, 2015, 9:00am

Okay. Then proceed with isolating the issue as I described earlier.

magnusbaeck · July 7, 2015, 11:50am

Wait, have you verified that your SMTP server hasn't received the messages? The problem could just as well be that Gmail won't accept the messages. Your SMTP server's log will contain clues.

abathula · July 7, 2015, 1:20pm

Yes @magnusbaeck, I have the error like this. Sorry for uploading the image,but am unable to tell the problem with you...

magnusbaeck · July 7, 2015, 1:25pm

By default Logstash tries to send SMTP messages to localhost:25. It seems you don't have an SMTP server listening on that port. The smtp output documentation isn't too good (see bug #24) so see http://stackoverflow.com/questions/25481252/notifying-log-errors-via-email-using-logstash for a complete example. That said, I think you should set up an SMTP server on the Logstash machine to make sure thta Logstash can always load off messages. Otherwise an SMTP server outage would halt the Logstash pipeline.

abathula · July 7, 2015, 1:39pm

Thank you very much @magnusbaeck. You are so helpful to me. I seen from last 2 days about your posts and finally i got the solution with your help. Thank you man......