Logstash fails to fetch Configuration

Elastic Stack Logstash
1

My logstash isn't starting. When I check the logs, I see these:

Could not fetch all the sources {:exception=>Errno::EACCES, :message=>"Permission denied - /etc/logstash/conf.d/log.conf", :backtrace=>["org/jruby/RubyIO.java:1237:in `sysopen'", "org/jruby/RubyIO.java:3774:in `read'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/local.rb:87:in `block in read'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/local.rb:77:in `read'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/local.rb:110:in `read'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/local.rb:206:in `local_pipeline_configs'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/multi_local.rb:44:in `block in pipeline_configs'", "org/jruby/RubyArray.java:2589:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/multi_local.rb:39:in `pipeline_configs'", "/usr/share/logstash/logstash-core/lib/logstash/config/source_loader.rb:76:in `block in fetch'", "org/jruby/RubyArray.java:2584:in `collect'", "/usr/share/logstash/logstash-core/lib/logstash/config/source_loader.rb:75:in `fetch'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:185:in `converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:123:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:417:in `block in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}
[2022-10-05T18:37:09,241][ERROR][logstash.agent           ] An exception happened when converging configuration {:exception=>RuntimeError, :message=>"Could not fetch the configuration, message: Permission denied - /etc/logstash/conf.d/log.conf"}
[2022-10-05T18:38:33,527][WARN ][logstash.runner          ] SIGTERM received. Shutting down.

This is my log.conf file:

input {
  beats {
    port => 5044
  }
}
filter{
  grok {
    match => { "message" => [ "\[%{TIMESTAMP_ISO8601:timestamp}\]%{DATA:class} %{SPACE}%{LOGLEVEL:level} -%{GREEDYDATA:message}", "%{GREEDYDATA:message}" ] }
    overwrite => [ "message" ]
  }
  if "ERROR" in [message] {
    mutate { add_tag => "error" }
  }
  date {
    match => [ "timestamp", "MMM dd yyyy HH:mm:ss", "MMM  d yyyy HH:mm:ss", "ISO8601" ]
    target => "@timestamp"
    remove_field => ["timestamp"]
  }
}
output {
  elasticsearch {
    hosts => ["${ELKIP}:9200"]
    index =>"log-%{+YYYY.MM.dd}"
  }
}

These are permissions:
``
drwxr-xr-x 2 root root conf.d
-rw-r--r-- 1 root root jvm.options
-rw-r--r-- 1 root root log4j2.properties
-rw-r--r-- 1 root root logstash-sample.conf
-rw-r--r-- 1 root root logstash.yml
-rw-r--r-- 1 root root pipelines.yml
-rw------- 1 root root startup.options
-rw------- 1 root root log.conf

I have added the line sudo` chown root:root logstash.yml,` to my script, but it doesn't change anything
2

What are the permissions on that file?

3

-rw------- 1 root root

4

OK, so that is only readable by root. If you are not running as root (and you definitely should not do so) then the error is expected. Try

chmod o+r log.conf
6

Best to ask a new question about that.

1 Like
7

Okay, thanks. Done that.

8

Well start with the basics, since it can't reach it. Do traceroute etc.

Your elasticsearch url is just "elasticsearch"? And it resolves without fqdn?

9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.