Logstash not reading file when started as a service

obudiman · August 25, 2016, 1:56am

We have the following logstash configuration file which has been tested successfully using the configtest option,

input {
        file {
                path => "/etc/httpd/logs/clickstream.log"
        }
}

filter {
        grok { match => { "message" => "%{COMBINEDAPACHELOG} (?<cookie>[\w\W]*) (?<pageLoadTime>[\d]*)" } }

        date { match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ] }

        geoip {
                source => "clientip"
                target => "geoip"
                database => "/etc/logstash/GeoLiteCity.dat"
                add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
                add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
        }
        mutate { convert => [ "[geoip][coordinates]", "float"] }
        mutate { add_field => { "map_location" => "%{[geoip][latitude]},%{[geoip][longitude]}" } }

        urldecode { field => "referrer" }

        useragent {
                source => "agent"
                target => "useragent"
        }

        mutate { add_field => { "browser_name" => "%{[useragent][name]} %{[useragent][major]}" } }
}

output {
  elasticsearch {
    hosts => ["http://10.0.0.163:9200"]
    manage_template => false
    index => "epicon-rp_wiki-%{+YYYY.MM.dd}"
    document_type => "page_performance"
  }
}

but when we started the logstash service, it does not seem to read any new content from the input file.

We can see the target file has been updated with new content and the logstash user has the read permission.

Somehow it works just fine if we start the logstash process manually as follow,

bin/logstash -f /etc/logstash/conf.d/rp_wiki.conf

We only have one configuration file as above.

We've also tried to remove the .sincedb* file but it still won't parse the input file.

There's no warn or error from the logstash.log, so not really sure what went wrong here.

Logstash 2.3.5 on redhat.

Appreciate any suggestion,

magnusbaeck · August 25, 2016, 5:50am

Does the logstash user have permissions to read the file? Enable verbose logging (typically via /etc/default/logstash or /etc/sysconfig/logstash) and search for log entries containing "discover".

Also, if the input file is older than 24 hours you need to adjust the file input's ignore_older option.

lrem006 · August 25, 2016, 12:33pm

magnusbaeck, could you please explicitly describe how to enable verbose logging in the logstash configuration file?

magnusbaeck · August 25, 2016, 12:59pm

Have you installed Logstash via an RPM package, a Debian package, or by other means?

lrem006 · August 25, 2016, 1:28pm

Installed as an rpm package, sorry forgot to specify

magnusbaeck · August 25, 2016, 1:36pm

Then change

#LS_OPTS=""

to

LS_OPTS="-v"

in /etc/sysconfig/logstash.

lrem006 · August 25, 2016, 1:46pm

Thank you, this is helpful; for some reason I couldn't find this online.

obudiman · August 25, 2016, 11:36pm

Found out we're missing a read permission for logstash user on one of the parent directory containing the file.

Thanks for the suggestion!