Logstash not parsing logs

Hello,

We have created the Logstash config for parsing the Bro IDS logs, which is not working. Below is the output of the log file:

[2017-06-20T17:25:16,966][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>#<URI::HTTP:0x7be6d418 URL:http://localhost:9220/>}
[2017-06-20T17:25:16,969][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil}
[2017-06-20T17:25:17,014][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-", "version"=>50001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"default"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword"}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2017-06-20T17:25:17,018][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>[#<URI::Generic:0x758a9fe0 URL://localhost:9220>]}
[2017-06-20T17:25:17,214][INFO ][logstash.pipeline ] Starting pipeline {"id"=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>1000}
[2017-06-20T17:25:17,481][INFO ][logstash.pipeline ] Pipeline main started
[2017-06-20T17:25:17,528][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

The logs are being parsed if we use the following command:

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/ --path.settings /etc/logstash --debug

The Logstash version is 5.3 and we log in as the root user. We are not using Filebeat here; we are simply using the file input, where the path of the file is stated.

Please assist.

Thanks,

Vinay Gupta

Does the logstash user have permission to access the log files? If you increase the logging verbosity you'll get clues about this. Look for "discover" or "glob" in the log.
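
One way to run the permission check suggested in the reply above, as an added example that is not part of the original thread. The function names are hypothetical, and the account name and log path are passed in by the caller because the thread does not state the path.

```python
import grp
import os
import pwd
import sys


def ids_for(username):
    """Return (uid, set of gids) for a local account such as 'logstash'."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


def allowed(st, uid, gids, want):
    """Owner/group/other mode-bit check; want is 0o4 (read) or 0o1 (search)."""
    if uid == 0:
        return True  # root bypasses these bits, so a manual run as root succeeds
    if st.st_uid == uid:
        shift = 6  # owner bits apply, even if group/other would allow more
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & want)


def first_blocker(path, uid, gids):
    """First path component the account cannot pass, or None (ACLs/SELinux ignored)."""
    path = os.path.abspath(path)
    parts, cur = [], path
    while True:  # collect the file and every ancestor up to the root
        parts.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    for p in reversed(parts):  # walk from the root down, as the kernel does
        want = 0o4 if p == path else 0o1  # read on the file, search on directories
        if not allowed(os.stat(p), uid, gids, want):
            return p
    return None


if __name__ == "__main__":
    user, target = sys.argv[1], sys.argv[2]  # e.g. logstash <path to a log file>
    print(first_blocker(target, *ids_for(user)) or "no mode-bit blocker found")
```

A readable log file inside a directory that lacks the search bit for the service account is reported at the directory, which is the case a plain look at the file's own mode misses.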
