Hello,
Suddenly logstash is not creating an index in ES. And I'm seeing errors like this in the debug output of logstash:
JSON parse failure. Falling back to plain-text {:error=>#<LogStash::Json::ParserError: Unexpected character ('-' (code 45)): Expected space separating root-level values
at [Source: [B@267c9565; line: 1, column: 6]>, :data=>"2016-04-08 18:40:27 [I] processing report for logs.jokefire.com", :level=>:error, :file=>"logstash/codecs/json.rb", :line=>"67", :method=>"legacy_parse"}
And I'm also seeing these errors as well:
Beats input: the pipeline is blocked, temporary refusing new connection. {:reconnect_backoff_sleep=>0.5, :level=>:warn, :file=>"logstash/inputs/beats.rb", :line=>"164", :method=>"run"}
Beats input: the pipeline is blocked, temporary refusing new connection. {:reconnect_backoff_sleep=>0.5, :level=>:warn, :file=>"logstash/inputs/beats.rb", :line=>"164", :method=>"run"}
The configs had been in place both for logstash and beats, and everything was working fine. But now I just went to restart logstash after fixing a disk space issue. And those errors started popping up and now it won't create its index.
Here are my configs:
cat 10-logstash-input.conf
input {
  beats {
    port => 5000
    tags => "beats"
    codec => "json"
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash.crt"
    ssl_key => "/etc/pki/tls/private/logstash.key"
    congestion_threshold => 10
  }
  syslog {
    type => "syslog"
    port => "5514"
  }
  #redis {
    #host => "216.120.248.98"
    #type => "redis-input"
    #data_type => "list"
    #key => "logstash"
  #}
}
#cat 30-logstash-output.conf
output {
  elasticsearch {
    hosts => ["xx.xx.xx.xx", "xx.xx.xx.xx", "xx.xx.xx.xx"]
    index => "logstash-%{+YYYY.MM.dd}"
    user => "ls_user"
    password => "secret"
  }
  # Alerting
  if [log_message] == "POSSIBLE BREAK-IN ATTEMPT!" {
    email {
      body => "Triggered in: %{message}"
      subject => "This is a Logstash alert for POSSIBLE BREAK-IN ATTEMPTS!"
      from => "logstash.alert@jokefire.com"
      to => "admin@example.com"
      via => "sendmail"
    }
  }
}
Filter file appears in the reply since it's too long for this post.
Any ideas on why this isn't working?
Thanks