Logstash Keeps Restarting

MultiplierMultiplier · December 11, 2017, 2:55pm

The only setting I have changed in the Logstash .yml is: log.level: debug.

Logstash keeps restarting and there is absolutely nothing in the log file (/var/log/logstash/logstash-plaing.log)

The only info I can find is in journalctl -u logstash.service. I see the following over and over again:

Started logstash.
Dec 11 14:10:59 SIEM-MLS-VM-elkt logstash[5464]: Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
Dec 11 14:10:59 SIEM-MLS-VM-elkt logstash[5464]: [ERROR] 2017-12-11 14:10:59.683 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud-0.0.23/lib/stud/task.rb:22] sourceloader - No configuration found in the configured sources.
Dec 11 14:10:59 SIEM-MLS-VM-elkt systemd[1]: logstash.service: Main process exited, code=exited, status=1/FAILURE
Dec 11 14:10:59 SIEM-MLS-VM-elkt systemd[1]: logstash.service: Unit entered failed state.
Dec 11 14:10:59 SIEM-MLS-VM-elkt systemd[1]: logstash.service: Failed with result 'exit-code'.
Dec 11 14:10:59 SIEM-MLS-VM-elkt systemd[1]: logstash.service: Service hold-off time over, scheduling restart.
Dec 11 14:10:59 SIEM-MLS-VM-elkt systemd[1]: Stopped logstash.

Any ideas guys?

Cheers,

George

magnusbaeck · December 11, 2017, 3:09pm

Do you have any configuration files in /etc/logstash/conf.d or wherever logstash.yml points to?

MultiplierMultiplier · December 11, 2017, 3:12pm

So I tried at first with no config in the /etc/logstash/conf.d folder. Then I added the file 02-NASA-IIS.conf with the following contents:

input {
  beats {
    port => 5044
  }
}

filter {
                grok {
                        match => { "message" => "^%{DATA:Host}\s%{DATA:FIELD1}\s%{DATA:FIELD2}\s\[%{DATA:OrigTime}\s%{DATA:TimeOffSet}]\s\"%{WORD:Method}\s%{DATA:Query}(\s%{DATA:HTTPVersion})?\"\s%{BASE10NUM:HTTPReply}\s%{NUMBER:Bytes:int}?"                       }
                }
                date {
                        match => [ "OrigTime", "dd/MMM/yyyy:HH:mm:ss" ]
                        target => "@timestamp"
                }
}



output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "filebeat-%{+YYYY.MM.dd}"
  }
}

Cheers,

G

magnusbaeck · December 11, 2017, 3:27pm

And that helped?

MultiplierMultiplier · December 11, 2017, 3:28pm

Sorry, it had no affect, still getting constant restarts.

G

magnusbaeck · December 11, 2017, 4:08pm

With the same error message? Please show the non-comment lines in logstash.yml.

MultiplierMultiplier · December 11, 2017, 4:11pm

These are the only lines that are not commented out. I had set the logging level to 'trace' I have now commented out that line as Logstash wasn't logging at all, it still doesn't seem to be.

path.config: /etc/logstash/conf.d/*.conf
path.data: /var/lib/logstash
path.logs: /var/log/logstash

G

MultiplierMultiplier · December 11, 2017, 4:18pm

Okay so the logging seems to be fixed since I commented out the logging level 'trace' (I have also tried 'debug' and that broke logging as well). So my logs keep showing me this over and over again:

[2017-12-11T16:11:45,288][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[2017-12-11T16:11:45,307][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[2017-12-11T16:11:46,728][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2017-12-11T16:11:48,541][INFO ][logstash.config.source.local.configpathloader] No config files found in path {:path=>"/etc/logstash/conf.d/*.conf"}

MultiplierMultiplier · December 11, 2017, 4:30pm

Okay so I ran chmod 755 on the /etc/logstash/conf.d folder and logstash has now been up for over 7mins and seems to be fine. I then stopped Logstash and installed Xpack onto it, started Logstash again and what do you know, more restarting! So I stopped Logstash and removed Xpack and the restarting hasn't stopped.

G

MultiplierMultiplier · December 11, 2017, 5:07pm

Okay so I think I have found the actual issue here. I was using the wrong version of Java, I ran this command:

sudo apt-get install openjdk-8-jre

and now everything is working fine. I will report back if I face any issues.

EDIT: So upon installing XPack again I now face the issue of constant restarts.

system · January 8, 2018, 5:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash service restarts constantly and does send data to elasticsearch Logstash	3	1095	March 18, 2019
Consistent restarts of logstash with high CPU % recorded Logstash	3	1619	June 19, 2017
Logstash constantly restarting Logstash	3	4228	July 17, 2018
Logstash restsart and no error logs Elasticsearch	2	309	October 14, 2020
Logstash always restart Logstash	8	473	October 14, 2020

Logstash Keeps Restarting

Related topics