Logstash is logging a duplicate of all data being logged to /var/log/logstash/logstash-plain.log to /var/log/messages. It appears that many others have experienced the same issue, and that the culprit is often the following line in the output section of the *.conf file:
stdout { codec => rubydebug }
However, I do not have this line in my *.conf file.
logstash does not log to /var/log/message, it writes to stdout and it logs to /var/log/logstash. If you are running logstash as a service and you have your service manager configured to cc the stdout of a service to /var/log/messages than your service manager will write to /var/log/messages. The solution is to reconfigure the service manager.
While you are certainly correct, in practice amounts to the same thing. Additionally, reconfiguring the service manager was not an option, as other services on the host may rely on that functionality from the service manager to write their log entries to /var/log/messages.
Once I realized what was happening, I able to resolve the issue by commenting out the following lines in log4j2.properties and restarting logstash:
rootLogger.appenderRef.console.ref = ${sys:ls.log.format}_console
logger.slowlog.appenderRef.console_slowlog.ref = ${sys:ls.log.format}_console_slowlog
I located and commented out the corresponding lines for Elasticsearch, as well.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.