I am using logstash 8.10.0 for windows and linux downloaded from elastic.co downloads.
I could hardly see 2 events ingested by logstash.
logstash-plain.log does not have any error after pipeline_running.
And how are you running logstash? Which user? Does the user have permissions on the folder path?
What do you have in Logstash logs?
I do not use windows, so I'm not sure which user logstash uses if you run it as a service, but if the path is correct and the permissions are also correct, it should've read the files.
@leandrojmp thanks for looking into this one.
I would like to provide linux config details.
[root@hostname]# cat .sincedb_2801e934a5da4805e0d8082e0c062138
10783905 0 66305 14164630 1695906657.855361 /opt/tomcat.log
input {
  file {
    path => "/opt/tomcat/logs/cs.log"
    type => "cs"
    start_position => "beginning"
  }
}
filter {
  if [type] == "cs" {
    grok {
      match => {
        "message" => [
          "^%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}\[%{DATA:thread}\] %{SPACE}\[\] %{SPACE}\[%{URIPATH:uri_path}\]%{SPACE}\[\] %{GREEDYDATA:message}",
          "^%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}\[%{DATA:thread}\] %{SPACE}\[\] %{SPACE}\[\]%{SPACE}\[\] %{SPACE}\[\]%{GREEDYDATA:message}",
          "^%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}\[%{GREEDYDATA:thread}\] %{SPACE}\[\] %{SPACE}\[\]%{SPACE} \[\] %{SPACE}\[\]%{SPACE}%{DATA:logger}%{SPACE}\[\] - %{GREEDYDATA:message}",
          "^%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}%{SPACE}\[%{DATA:thread}\]%{SPACE}\[%{DATA:tenant}\]%{SPACE}\[\]%{SPACE}\[%{DATA:class}\]%{SPACE}\[\] es.CSUtil%{SPACE}\[\]%{SPACE}- This condition should not occur for the tenant:%{SPACE}%{GREEDYDATA:tenant_value}"
        ]
      }
      overwrite => ["message"]
    }
  }
}
I run logstash as a service
[root@hostname file]# cat /etc/systemd/system/logstash.service
[Unit]
Description=logstash service
[Service]
Type=simple
User=root
Group=root
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
ExecStart=/usr/share/logstash/logstash-8.10.0/bin/logstash "-f" "/usr/share/logstash/logstash-8.10.0/conf.d"
Restart=always
WorkingDirectory=/
Nice=19
LimitNOFILE=16384
[Install]
WantedBy=multi-user.target
Whenever I restart, one log line gets indexed. But when I run in debug mode it does emit all the logs.
I do not see anything wrong in your linux configuration, just the fact that you are running logstash as the root user in the service, which is not recommended and it may be a security issue.
Not sure what you mean with that, can you explain?
Also, if logstash already read lines of a file, it will not read those lines again, only new lines.
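Added example, not part of the original posts: a small Python check that parses a sincedb line in the six-field layout shown above (inode, device major, device minor, byte offset, last-activity timestamp, path) and compares it with the file on disk, to show whether Logstash considers the file already read. The function names and state labels are made up for this example; it assumes the six-field format only. Once a file has a sincedb entry, `start_position => "beginning"` no longer applies to it.

```python
import os
from typing import NamedTuple


class SincedbEntry(NamedTuple):
    inode: int
    dev_major: int
    dev_minor: int
    offset: int          # bytes Logstash has already consumed
    last_active: float   # epoch seconds of the last read activity
    path: str


def parse_sincedb_line(line: str) -> SincedbEntry:
    # Split at most 5 times so a path containing spaces stays intact.
    parts = line.strip().split(" ", 5)
    if len(parts) != 6:
        raise ValueError(f"unexpected sincedb line: {line!r}")
    inode, major, minor, offset, ts, path = parts
    return SincedbEntry(int(inode), int(major), int(minor),
                        int(offset), float(ts), path)


def read_state(entry: SincedbEntry) -> str:
    """Compare the recorded position with the file as it is now."""
    try:
        st = os.stat(entry.path)
    except FileNotFoundError:
        return "missing"                 # path in sincedb no longer exists
    if st.st_ino != entry.inode:
        return "inode-changed"           # rotated or replaced: treated as a new file
    if st.st_size < entry.offset:
        return "truncated"               # file shrank below the saved offset
    if st.st_size == entry.offset:
        return "caught-up"               # nothing new; a restart re-reads nothing
    return f"pending:{st.st_size - entry.offset}"  # unread bytes remain


if __name__ == "__main__":
    # Sample line copied from the sincedb output in the thread.
    sample = "10783905 0 66305 14164630 1695906657.855361 /opt/tomcat.log"
    entry = parse_sincedb_line(sample)
    print(entry)
    print(read_state(entry))
```

A result of `caught-up` means only lines appended after the recorded offset will be shipped.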
Thanks @leandrojmp I use latest logstash 8.10.0.
When I stdout the logs I could see many log lines (I mean event/document)
But in ES I could see only one event
How do I verify if the logs are being sent from logstash -> ELK?
Is this when you run in the service mode or the process?
When you run it as a command, LS runs under the logged-in user. The service mode is under the logstash user. If this is the case, that means your name.conf file doesn't have proper rights.