Hi
I have configured an Elasticsearch cluster with 4 nodes (3 are master/data nodes, and 1 is a coordinating node).
On the coordinating node I have Logstash and Kibana. But I cannot make Logstash read files from the input plugin. I copied the configuration from another server where it works, and as it didn't work on the new server I simplified it, but it is still not working. In the Logstash logs there is no error message.
The Logstash configuration is:
1010_input_file.conf:
input {
  file {
    path => "/opt/audit_logs_modsec/XX/20171231/20171231-2356/*"
    sincedb_path => "/dev/null"
    mode => read
    ignore_older => 0
    start_position => "beginning"
    type => "mod_security"
    codec => multiline {
      charset => "US-ASCII"
      pattern => "^--[a-fA-F0-9]{8}-Z--$"
      negate => true
      what => previous
    }
  }
}
3000_output.conf:
output {
  stdout {
    codec => rubydebug
  }
  elasticsearch {
    hosts => ["https://192.168.90.103:9200"]
    cacert => '/etc/logstash/config/certs/ca.crt'
    ssl => true
    user => "elastic"
    password => "XXXX"
    index => "modsecurity_%{+YYYY.MM.dd}"
  }
}
Any idea what might be wrong?
In this configuration I have ELK 7.4; on my previous server I had 7.3.
I have used XX to hide certain information. If anyone is interested, I can email the Logstash log.
Thanks