Logstash fails to fetch Configuration

My logstash isn't starting. When I check the logs, I see these:

Could not fetch all the sources {:exception=>Errno::EACCES, :message=>"Permission denied - /etc/logstash/conf.d/log.conf", :backtrace=>["org/jruby/RubyIO.java:1237:in `sysopen'", "org/jruby/RubyIO.java:3774:in `read'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/local.rb:87:in `block in read'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/local.rb:77:in `read'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/local.rb:110:in `read'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/local.rb:206:in `local_pipeline_configs'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/multi_local.rb:44:in `block in pipeline_configs'", "org/jruby/RubyArray.java:2589:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/multi_local.rb:39:in `pipeline_configs'", "/usr/share/logstash/logstash-core/lib/logstash/config/source_loader.rb:76:in `block in fetch'", "org/jruby/RubyArray.java:2584:in `collect'", "/usr/share/logstash/logstash-core/lib/logstash/config/source_loader.rb:75:in `fetch'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:185:in `converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:123:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:417:in `block in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}
[2022-10-05T18:37:09,241][ERROR][logstash.agent           ] An exception happened when converging configuration {:exception=>RuntimeError, :message=>"Could not fetch the configuration, message: Permission denied - /etc/logstash/conf.d/log.conf"}
[2022-10-05T18:38:33,527][WARN ][logstash.runner          ] SIGTERM received. Shutting down.

This is my log.conf file:

input {
  beats {
    port => 5044
  grok {
    match => { "message" => [ "\[%{TIMESTAMP_ISO8601:timestamp}\]%{DATA:class} %{SPACE}%{LOGLEVEL:level} -%{GREEDYDATA:message}", "%{GREEDYDATA:message}" ] }
    overwrite => [ "message" ]
  if "ERROR" in [message] {
    mutate { add_tag => "error" }
  date {
    match => [ "timestamp", "MMM dd yyyy HH:mm:ss", "MMM  d yyyy HH:mm:ss", "ISO8601" ]
    target => "@timestamp"
    remove_field => ["timestamp"]
output {
  elasticsearch {
    hosts => ["${ELKIP}:9200"]
    index =>"log-%{+YYYY.MM.dd}"

These are permissions:
drwxr-xr-x 2 root root conf.d
-rw-r--r-- 1 root root jvm.options
-rw-r--r-- 1 root root log4j2.properties
-rw-r--r-- 1 root root logstash-sample.conf
-rw-r--r-- 1 root root logstash.yml
-rw-r--r-- 1 root root pipelines.yml
-rw------- 1 root root startup.options
-rw------- 1 root root log.conf

I have added the line sudo` chown root:root logstash.yml,` to my script, but it doesn't change anything

What are the permissions on that file?

-rw------- 1 root root

OK, so that is only readable by root. If you are not running as root (and you definitely should not do so) then the error is expected. Try

chmod o+r log.conf

Best to ask a new question about that.

1 Like

Okay, thanks. Done that.

Well start with the basics, since it can't reach it. Do traceroute etc.

Your elasticsearch url is just "elasticsearch"? And it resolves without fqdn?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.