Logstash error read

I'm trying to read the apache_access and apache_error logs; those are remote logs. When I insert, Logstash reads the file again and inserts the entries again.
My Logstash configuration file:
input {
  file {
    path => "/home/clusterelastic/cluster/nodo1/logstash-5.5.2/logsaleer/log_aceso/accesso"
    type => "apache_access"
  }
  file {
    path => "/home/clusterelastic/cluster/nodo1/logstash-5.5.2/logsaleer/log_error/error"
    type => "apache_error"
  }
}
filter {
  # Access log: literal quotes, brackets and the opening parenthesis are escaped
  if [type] in [ "apache", "apache_access", "apache-access", "access" ] {
    grok {
      match => ["message", " %{IP:clientip} - - \[%{NOTSPACE:date} -%{INT}\] \"%{WORD:action} /%{WORD}/%{WORD}/%{NOTSPACE:login} %{WORD:protocol}/%{NUMBER:protocolNum}\" %{NUMBER:status} %{NUMBER} \"%{NOTSPACE}\" \"%{NOTSPACE:client} \(%{WORD}; %{WORD:clientOs}%{GREEDYDATA}"]
    }
  }
  # Error log: literal brackets are escaped
  if [type] in [ "apache_error", "apache-error", "error_log" ] {
    grok {
      match => ["message", "\[%{DATA:DAY} %{DATA:MONTH} %{DATA:year} : %{DATA:HOUR}\] \[php5:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}\]( \[client %{IP:client}:%{POSINT:clientport}\]) %{GREEDYDATA:message}"]
    }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
  stdout { codec => rubydebug }
}

Logstash isn't really designed to read remote mount files like that. Can you install filebeat on the remote host to ship them?

Hi, I don't install Filebeat; I only read a remote log with rsync on openSUSE.

Unless rsync appends new data to the end of the existing files (emulating what a normal log writer would do) you won't be able to use rsync for this purpose.
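
The following is an added example, not part of the original thread or of Logstash itself. It shows why the entries get inserted again: the file input remembers its read position per inode, and rsync by default writes a temporary copy and renames it over the destination, which gives the file a new inode on every sync. `sync_replace`, `sync_append`, `tail_pass` and the sample log lines are constructed for the demo; the two sync functions only emulate rsync's default behaviour and `rsync --append`.

```shell
#!/bin/sh
# Constructed demo: an inode-keyed tailer (simplified stand-in for the file
# input's sincedb) fed by two ways of syncing a growing remote log.

inode_of() { ls -i "$1" | awk '{print $1}'; }

# One read pass: print how many lines would be shipped, then record the
# offset reached for this inode. $1 = log file, $2 = sincedb file.
tail_pass() {
  ino=$(inode_of "$1")
  off=$(awk -v i="$ino" '$1 == i {o = $2} END {print o + 0}' "$2")
  tail -c +"$((off + 1))" "$1" | wc -l
  echo "$ino $(wc -c < "$1")" >> "$2"
}

# Emulates rsync's default: write a temp copy, rename it over the destination.
# The destination ends up with a NEW inode, so the stored offset is not found.
sync_replace() { cp "$1" "$2.new" && mv "$2.new" "$2"; }

# Emulates `rsync --append`: only bytes past the destination's current length
# are added, so the inode (and the stored offset) stay valid.
sync_append() {
  have=0
  if [ -f "$2" ]; then have=$(wc -c < "$2"); fi
  tail -c +"$((have + 1))" "$1" >> "$2"
}

# $1 = sync function name. Prints total lines shipped over two sync rounds
# for a source log that holds 5 distinct lines at the end.
demo() {
  d=$(mktemp -d)
  src=$d/remote_access.log; dst=$d/local_access.log; db=$d/sincedb
  : > "$db"
  printf 'line1\nline2\nline3\n' > "$src"   # constructed sample log
  "$1" "$src" "$dst"; n1=$(tail_pass "$dst" "$db")
  printf 'line4\nline5\n' >> "$src"         # remote server logs two more lines
  "$1" "$src" "$dst"; n2=$(tail_pass "$dst" "$db")
  rm -rf "$d"
  echo $((n1 + n2))
}

echo "replace-on-sync shipped: $(demo sync_replace) lines"   # 8 (3 duplicates)
echo "append-in-place shipped: $(demo sync_append) lines"    # 5
```

For audit or detection pipelines the duplicates matter: re-ingested access and error lines inflate event counts and can trip rate-based alerts.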

How can I read a remote log?
The logs are on the server; the server should read the log that is on another machine.
I'm trying to read the remote log via rsync.

The best option is to run Filebeat or Logstash on machines where you want to collect logs.
