Logstash not parsing logs

vgupta0308 · June 20, 2017, 7:08pm

Hello,

We have created the Logstash config for parsing the bro ids logs which is not working. Below is the output of log file:

[2017-06-20T17:25:16,966][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>#<URI::HTTP:0x7be6d418 URL:http://localhost:9220/>}
[2017-06-20T17:25:16,969][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil}
[2017-06-20T17:25:17,014][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-", "version"=>50001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"default"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword"}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2017-06-20T17:25:17,018][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>[#<URI::Generic:0x758a9fe0 URL://localhost:9220>]}
[2017-06-20T17:25:17,214][INFO ][logstash.pipeline ] Starting pipeline {"id"=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>1000}
[2017-06-20T17:25:17,481][INFO ][logstash.pipeline ] Pipeline main started
[2017-06-20T17:25:17,528][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

The Logs are being parsed if we use the following command:

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/ --path.settings /etc/logstash --debug

The Logstash version is 5.3 and log in through root user. We are not using filebeat here. Simply, using input file where the path of the file is stated.

Please assist.

Thanks,

Vinay Gupta

magnusbaeck · June 21, 2017, 6:15am

Does the logstash user have permission to access the log files? If you increase the logging verbosity you'll get clues about this. Look for "discover" or "glob" in the log.

system · July 19, 2017, 6:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Trouble with template and field mapping Elasticsearch	3	593	July 5, 2017
Configuring the new logstash version - issues on the output Elasticsearch template for the mapping of my logs Logstash	10	661	July 4, 2019
Logstash not sending logs to elastic Logstash	9	2963	April 9, 2018
Not getting parsed logs to Elasticsearch but able to see in logstash Elasticsearch	1	398	October 4, 2018
Breaking Changes With Logstash 6.0 Logstash	2	431	February 18, 2018

Logstash not parsing logs

Related topics