Logstash is not parsing simple-conf

w0lverine · November 8, 2016, 3:00am

Following the COMBINEDAPACHELOG example I am trying to get logstash output the apache log from a specific file location but logstash just runs and nothing is parsed.
Commands:

./logstash -f modbus.conf --config.test_and_exit
Output: ......OK

./logstash -f modbus.conf --config.reload.automatic
Sending Logstash logs to /home/w0lverine/logstash-5.0.0/logs which is now configured via log4j2.properties.
[2016-11-07T20:32:48,275][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>, :added=>["http://192.168.2.171:9200"]}}
[2016-11-07T20:32:48,283][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil}
[2016-11-07T20:32:48,480][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-", "version"=>50001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"default"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword"}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2016-11-07T20:32:48,489][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::Elasticsearch", :hosts=>["192.168.2.171:9200"]}
[2016-11-07T20:32:48,553][INFO ][logstash.pipeline ] Starting pipeline {"id"=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>250}
[2016-11-07T20:32:48,564][INFO ][logstash.pipeline ] Pipeline main started
[2016-11-07T20:32:48,603][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

sample.config

apache file has:

83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] "GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1" 200 203023 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"

I am not sure why logstash will not parse the apache file but I have a feeling its a small errror

magnusbaeck · November 8, 2016, 6:35am

This question gets asked here over and over again. Logstash is probably tailing your file. You may need to delete your sincedb file. You may need to adjust the file input's ignore_older option. Please read the file input documentation to understand how sincedb works.

system · December 6, 2016, 6:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.