Logstash Keeps Restarting

MultiplierMultiplier · December 11, 2017, 2:55pm

The only setting I have changed in the Logstash .yml is: log.level: debug.

Logstash keeps restarting and there is absolutely nothing in the log file (/var/log/logstash/logstash-plaing.log)

The only info I can find is in journalctl -u logstash.service. I see the following over and over again:

Started logstash.
Dec 11 14:10:59 SIEM-MLS-VM-elkt logstash[5464]: Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
Dec 11 14:10:59 SIEM-MLS-VM-elkt logstash[5464]: [ERROR] 2017-12-11 14:10:59.683 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud-0.0.23/lib/stud/task.rb:22] sourceloader - No configuration found in the configured sources.
Dec 11 14:10:59 SIEM-MLS-VM-elkt systemd[1]: logstash.service: Main process exited, code=exited, status=1/FAILURE
Dec 11 14:10:59 SIEM-MLS-VM-elkt systemd[1]: logstash.service: Unit entered failed state.
Dec 11 14:10:59 SIEM-MLS-VM-elkt systemd[1]: logstash.service: Failed with result 'exit-code'.
Dec 11 14:10:59 SIEM-MLS-VM-elkt systemd[1]: logstash.service: Service hold-off time over, scheduling restart.
Dec 11 14:10:59 SIEM-MLS-VM-elkt systemd[1]: Stopped logstash.

Any ideas guys?

Cheers,

George

magnusbaeck · December 11, 2017, 3:09pm

Do you have any configuration files in /etc/logstash/conf.d or wherever logstash.yml points to?

MultiplierMultiplier · December 11, 2017, 3:12pm

So I tried at first with no config in the /etc/logstash/conf.d folder. Then I added the file 02-NASA-IIS.conf with the following contents:

input {
  beats {
    port => 5044
  }
}

filter {
                grok {
                        match => { "message" => "^%{DATA:Host}\s%{DATA:FIELD1}\s%{DATA:FIELD2}\s\[%{DATA:OrigTime}\s%{DATA:TimeOffSet}]\s\"%{WORD:Method}\s%{DATA:Query}(\s%{DATA:HTTPVersion})?\"\s%{BASE10NUM:HTTPReply}\s%{NUMBER:Bytes:int}?"                       }
                }
                date {
                        match => [ "OrigTime", "dd/MMM/yyyy:HH:mm:ss" ]
                        target => "@timestamp"
                }
}



output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "filebeat-%{+YYYY.MM.dd}"
  }
}

Cheers,

G

magnusbaeck · December 11, 2017, 3:27pm

And that helped?

MultiplierMultiplier · December 11, 2017, 3:28pm

Sorry, it had no affect, still getting constant restarts.

G

magnusbaeck · December 11, 2017, 4:08pm

With the same error message? Please show the non-comment lines in logstash.yml.

MultiplierMultiplier · December 11, 2017, 4:11pm

These are the only lines that are not commented out. I had set the logging level to 'trace' I have now commented out that line as Logstash wasn't logging at all, it still doesn't seem to be.

path.config: /etc/logstash/conf.d/*.conf
path.data: /var/lib/logstash
path.logs: /var/log/logstash

G

MultiplierMultiplier · December 11, 2017, 4:18pm

Okay so the logging seems to be fixed since I commented out the logging level 'trace' (I have also tried 'debug' and that broke logging as well). So my logs keep showing me this over and over again:

[2017-12-11T16:11:45,288][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[2017-12-11T16:11:45,307][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[2017-12-11T16:11:46,728][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2017-12-11T16:11:48,541][INFO ][logstash.config.source.local.configpathloader] No config files found in path {:path=>"/etc/logstash/conf.d/*.conf"}

MultiplierMultiplier · December 11, 2017, 4:30pm

Okay so I ran chmod 755 on the /etc/logstash/conf.d folder and logstash has now been up for over 7mins and seems to be fine. I then stopped Logstash and installed Xpack onto it, started Logstash again and what do you know, more restarting! So I stopped Logstash and removed Xpack and the restarting hasn't stopped.

G

MultiplierMultiplier · December 11, 2017, 5:07pm

Okay so I think I have found the actual issue here. I was using the wrong version of Java, I ran this command:

sudo apt-get install openjdk-8-jre

and now everything is working fine. I will report back if I face any issues.

EDIT: So upon installing XPack again I now face the issue of constant restarts.

system · January 8, 2018, 5:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.