Logstash not reading files

debarun · September 12, 2016, 10:00am

Hi,

I have a logstash installation, and it suddenly has stopped reading from files. The sincedb_path is created but files are not read. I have tried only stdin and stdout, and that works

Below is the config file:-
input {
file {
path => "/apps/elk/rawfiles/hostd.log"
start_position => beginning
sincedb_path => '/opt/logstash/hostd.db'
sincedb_write_interval => 0
type => 'hostdlog'
}
}

filter {

multiline {
patterns_dir => [ "/etc/logstash/conf.d/pattern" ]
pattern => "%{DATE_YMD}"
negate => true
what => "previous"
}

grok {
patterns_dir => [ "/etc/logstash/conf.d/pattern" ]
match => [ "message","%{DATE_YMD:logdate}T%{TIME:logtime}Z [%{DATA}](?<log_message>.*$)" ]

mutate { replace => [ "message", "%{log_message}" ] }

}

output {

                                                                    elasticsearch  {
                                                                    hosts => ["localhost:9200"]
                                                                    index => 'hostd'
                                                                    }
                                                                    stdout {
                                                                                    codec => rubydebug
                                                                                    }

            }

Regards,
Debarun.

magnusbaeck · September 12, 2016, 10:45am

If the input file is older than 24 hours you need to adjust the file input's ignore_older option. If that doesn't help, what's in the sincedb file? Does Logstash think it has reached the end of the file?

debarun · September 12, 2016, 11:39am

Thanks Magnus. The ignore_older option worked like a charm.