Logstash not creating index in secure (https) Kibana

This is my logstash log using journalctl -b 0 -r

Aug 25 11:33:18 elastic.sys systemd[1]: Started logstash.
Aug 25 11:33:18 elastic.sys systemd[1]: Stopped logstash.
Aug 25 11:33:18 elastic.sys systemd[1]: logstash.service holdoff time over, scheduling restart.
Aug 25 11:33:18 elastic.sys systemd[1]: logstash.service failed.
Aug 25 11:33:18 elastic.sys systemd[1]: Unit logstash.service entered failed state.

This is my conf file

input {
  udp {
    port => 5044
    type => 'syslog'
  }
}
output {
  elasticsearch {
    ilm_enabled => false
    hosts => ['https://elastic.sys:9200']
    cacert => '/etc/logstash/certs/ca.crt'
    user => 'logstash_writer'
    password => 'QGqqEqLxtCfA1OsZgYQA'
    index => 'syslog'
  }
}

I think you will need to check the actual Logstash logs.

[root@elastic ~]# tail /var/log/logstash/logstash-plain.log 
[2021-08-24T15:20:49,553][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.14.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[2021-08-24T15:20:51,620][INFO ][logstash.config.source.local.configpathloader] No config files found in path {:path=>"/etc/logstash/conf.d/*.conf"}
[2021-08-24T15:20:51,634][ERROR][logstash.config.sourceloader] No configuration found in the configured sources.
[2021-08-24T15:20:51,839][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2021-08-24T15:20:56,999][INFO ][logstash.runner          ] Logstash shut down.
[2021-08-24T15:20:57,026][FATAL][org.logstash.Logstash    ] Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
	at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:747) ~[jruby-complete-9.2.19.0.jar:?]
	at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:710) ~[jruby-complete-9.2.19.0.jar:?]
	at usr.share.logstash.lib.bootstrap.environment.<main>(/usr/share/logstash/lib/bootstrap/environment.rb:89) ~[?:?]

These are the actual Logstash logs, but they are yesterday's logs; today it is not updating the logs in this file.

Anyone, please help me.

That seems relevant. Have you checked this?

I have configured path in logstash.yml

# pipeline.ordered: auto
#
# ------------ Pipeline Configuration Settings --------------
#
# Where to fetch the pipeline configuration for the main pipeline
#
  path.config: /etc/logstash/conf.d/*.conf

and location of config file is

[root@elastic logstash]# cd conf.d/
[root@elastic conf.d]# ls
syslog.conf
[root@elastic conf.d]#

Please, anyone, help me.

You appear to have path.config indented in logstash.yml; it probably should not be indented. Otherwise, it is most likely a permissions error, where the user running Logstash cannot read the files in that directory.
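
The two causes suggested in the reply above (an indented path.config line, or pipeline files the service account cannot read) can be checked with a short script. This is an added example, not part of the original thread: the function names and the temporary sample files are constructed for illustration, and the indentation check is a heuristic that only flags dotted flat keys.

```shell
#!/bin/sh
# Added example: checks for the two causes suggested in the reply above.
# Function names and the sample files in demo() are constructed.

# Print "LINE:TEXT" for uncommented flat settings (dotted keys such as
# path.config) that start with whitespace. Heuristic: logstash.yml also
# accepts nested YAML, where indentation is legitimate, so only dotted
# keys are flagged.
indented_settings() {
    grep -nE '^[[:space:]]+[A-Za-z_]+(\.[A-Za-z_]+)+[[:space:]]*:' "$1"
}

# Print pipeline files in DIR that lack the "other" read bit. With
# root:root ownership, as in the listing in this thread, a non-root
# service account depends on that bit.
not_world_readable() {
    find "$1" -maxdepth 1 -type f -name '*.conf' ! -perm -o=r
}

# Exit status 0 if DIR itself can be listed and traversed by "other".
dir_open_to_others() {
    [ -n "$(find "$1" -maxdepth 0 -perm -o=rx)" ]
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/conf.d"
    # Constructed logstash.yml with the indented setting from the thread.
    printf '# pipeline.ordered: auto\n#\n  path.config: /etc/logstash/conf.d/*.conf\npath.logs: /var/log/logstash\n' \
        > "$tmp/logstash.yml"
    : > "$tmp/conf.d/syslog.conf"
    chmod 600 "$tmp/conf.d/syslog.conf"   # constructed: owner-only file
    chmod 755 "$tmp/conf.d"
    echo "indented settings:"
    indented_settings "$tmp/logstash.yml"
    echo "pipeline files not readable by others:"
    not_world_readable "$tmp/conf.d"
    dir_open_to_others "$tmp/conf.d" && echo "conf.d is o+rx"
    rm -rf "$tmp"
}
demo
```

On a real host, point the functions at /etc/logstash/logstash.yml and /etc/logstash/conf.d; the mode-bit check is only meaningful when the files are not owned by the account the service runs as.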

These are the file permissions of my logstash directory

[root@elastic logstash]# ls -l
total 36
drwxr-xr-x. 2 root root    60 Aug 23 16:39 certs
drwxr-xr-x. 2 root root    25 Aug 28 17:55 conf.d
-rw-r--r--. 1 root root  2034 Jul 30 01:29 jvm.options
-rw-r--r--. 1 root root  7437 Jul 30 01:29 log4j2.properties
-rw-r--r--. 1 root root   342 Jul 30 01:29 logstash-sample.conf
-rw-r--r--. 1 root root 11272 Aug 28 16:50 logstash.yml
-rw-r--r--. 1 root root   284 Aug 28 17:39 pipelines.yml
-rw-------. 1 root root  1696 Jul 30 01:29 startup.options

When I comment out the path config in logstash.yml, this error is shown

[root@elastic logstash]# service logstash status
Redirecting to /bin/systemctl status logstash.service
● logstash.service - logstash
   Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-08-30 10:57:35 IST; 17s ago
 Main PID: 12335 (java)
   CGroup: /system.slice/logstash.service
           └─12335 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headless=true -Dfile.encoding=UTF-...

Aug 30 10:57:35 elastic.sys systemd[1]: Stopped logstash.
Aug 30 10:57:35 elastic.sys systemd[1]: Unit logstash.service entered failed state.
Aug 30 10:57:35 elastic.sys systemd[1]: logstash.service failed.
Aug 30 10:57:35 elastic.sys systemd[1]: Started logstash.
Aug 30 10:57:35 elastic.sys logstash[12335]: Using bundled JDK: /usr/share/logstash/jdk
Aug 30 10:57:35 elastic.sys logstash[12335]: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Aug 30 10:57:43 elastic.sys logstash[12335]: /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/bundler-1.17.3/lib/bundler/rubygems_integration.rb:200: warning: constant Gem::ConfigMap is deprecated

Hello sir,
If you have a document on how to secure the ELK stack on CentOS 7, then please provide it to me.
I followed this website step by step and tried multiple times, but I always get an error. Please advise me.
