Logstash keep logging into default index

siasic · June 22, 2016, 9:58am

Hello,

I have got an issue with logstash when i want to output logs into elasticsearch.
In my configuration below i specify an index for my logs from filebeat, but it seems that they are finally store in that index AND in the default index configured in Kibana "logstash-XX-XX-XX".

input {
  beats {
    port => 5044
  }
}
filter{
  grok {
    match => [ "message", "(?m)%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:severity} {1,2}%{JAVACLASS:class} %{GREEDYDATA:message}" ]
    overwrite => [ "message" ]
  }
  mutate {
    remove_field => [ "[beat]","input_type","offset" ]
  }

}

output {
  elasticsearch {
    hosts => "d1ccelk01"
    #manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

Anybody have an idea of the problem?

Thanks !

warkolm · June 22, 2016, 10:55pm

Is that your entire config or do you have more?

siasic · June 23, 2016, 6:49am

yes this is my entire logstash config.

Here is what i get :

siasic · July 4, 2016, 7:42am

Someone ? Any idea ?

magnusbaeck · July 4, 2016, 6:39pm

I'm pretty sure you have additional configuration files in /etc/logstash/conf.d that you've forgotten about.

siasic · July 5, 2016, 6:55am

You're absolutely right! !
I thought that renaming it in *.old make it unavailable for logstash.

Thanks a lot for your help.