Logstash not creating index on elasticsearch

dbElastic · April 12, 2017, 11:39am

Hello,
I have ElasticSearch and Logstash installed on same machine(Ubuntu).
I have the below apache_logs.conf file contents:

input {
file {
path => "/var/log/apache_logs"
type => "apache_log" # a type to identify those logs (will need this later)
start_position => "beginning"
}
}

filter {
grok {
match=> { message => "%{COMBINEDAPACHELOG}" }
}
date {
locale => "en"
match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}

output {
stdout { }
elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "myLogs"

}

The command --> sudo service logstash configtest returns "Configuration OK"
The log file is placed in "/var/log/apache_logs"
However, indices are not getting created in elasticsearch and hence not reflected in kibana.
Could you please point out if I have missed out on any settings.

magnusbaeck · April 12, 2017, 1:16pm

So /var/log/apache_logs is a directory rather than a file? Point directly to the file, or a wildcard that includes the file you want to read.

dbElastic · April 13, 2017, 3:36am

Hello,
Thank you for the response. I mentioned path as /var/log/apache_logs wherein apache_logs is the name of the log file.

magnusbaeck · April 13, 2017, 7:12am

Okay. Logstash is probably tailing the file. In that case clearing the sincedb file will help. Please read the file input documentation and check the numerous posts about this in the past. Increasing Logstash's log level will give more clues about what it's doing.

dbElastic · April 19, 2017, 12:30pm

Okay, so I used the below in the file block:
file {
path => "/var/log/apache_logs"
type => "apache_log" # a type to identify those logs (will need this later)
start_position => "beginning"
sincedb_path => "/dev/null" #to clear since db
}

and it worked!
Thank you

system · May 17, 2017, 12:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.