Logstash not sending data into Kibana

Hello everyone, I use Logstash to read a JSON file and ingest the data into an index in Elasticsearch. It works fine when I run the command /bin/logstash -f /etc/logstash/conf.d/log.test. But when I start it as a service with systemctl start logstash.service I don't see any data in Kibana. I also checked /var/log/logstash and there is no error. Can anyone help me out? I will attach my config file and logs.

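input {
  # Tail the Wazuh alerts file, one JSON document per line.
  file {
    path => "/var/ossec/logs/alerts/alerts.json"
    codec => json
    # Only applies to files with no sincedb entry yet: read new lines only.
    start_position => "end"
  }
}

filter {
  # Keep only events produced by rule 100100; drop everything else.
  if [rule][id] != "100100" { drop{ } }
}

output {
  # Print every event that survives the filter (visible when run in the foreground).
  stdout { codec => rubydebug }
  # Plugin names are lowercase in Logstash configs.
  elasticsearch {
    hosts => "https://127.0.0.1:9200"
    user => "username"
    password => "password"
    cacert => "/etc/logstash/conf.d/Elasticsearch.pem"
    index => "syslog-%{+dd.MM.YYYY}"
    template => "/etc/logstash/conf.d/wazuh-template.json"
    template_name => "syslog-wazuh"
  }
}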

[2021-11-11T12:42:08,030][WARN ][logstash.runner ] SIGTERM received. Shutting down.
[2021-11-11T12:42:08,194][INFO ][filewatch.observingtail ] QUIT - closing all files and shutting down.
[2021-11-11T12:42:09,775][INFO ][logstash.javapipeline ][main] Pipeline terminated {"pipeline.id"=>"main"}
[2021-11-11T12:42:10,313][INFO ][logstash.runner ] Logstash shut down.
[2021-11-11T12:42:29,060][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.10.2", "jruby.version"=>"jruby 9.2.13.0 (2.5.7) 2020-08-03 9a89c94bcc OpenJDK 64-Bit Server VM 11.0>
[2021-11-11T12:42:30,382][INFO ][org.reflections.Reflections] Reflections took 48 ms to scan 1 urls, producing 23 keys and 47 values
[2021-11-11T12:42:30,929][INFO ][logstash.outputs.Elasticsearch][main] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://wazuh:xxxxxx@127.0.0.1:9200/]}}
[2021-11-11T12:42:31,135][WARN ][logstash.outputs.Elasticsearch][main] Restored connection to ES instance {:url=>"https://wazuh:xxxxxx@127.0.0.1:9200/"}
[2021-11-11T12:42:31,160][INFO ][logstash.outputs.Elasticsearch][main] ES Output version determined {:es_version=>7}
[2021-11-11T12:42:31,162][WARN ][logstash.outputs.Elasticsearch][main] Detected a 6.x and above cluster: the type event field won't be used to determine the document _type {:es_version=>7}
[2021-11-11T12:42:31,172][WARN ][logstash.outputs.Elasticsearch][main] DEPRECATION WARNING: Connecting to an OSS distribution of Elasticsearch using the default distribution of Logstash will stop worki>
[2021-11-11T12:42:31,187][INFO ][logstash.outputs.Elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::Elasticsearch", :hosts=>["https://127.0.0.1:9200"]}
[2021-11-11T12:42:31,221][INFO ][logstash.outputs.Elasticsearch][main] Using mapping template from {:path=>"/etc/logstash/conf.d/wazuh-template.json"}
[2021-11-11T12:42:31,237][INFO ][logstash.javapipeline ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_i>
[2021-11-11T12:42:31,287][INFO ][logstash.outputs.Elasticsearch][main] Index Lifecycle Management is set to 'auto', but will be disabled - Index Lifecycle management is not installed on your Elasticsea>
[2021-11-11T12:42:31,288][INFO ][logstash.outputs.Elasticsearch][main] Attempting to install template {:manage_template=>{"order"=>0, "index_patterns"=>["syslog-*"], "settings"=>{"index.refresh_interva>
[2021-11-11T12:42:31,955][INFO ][logstash.javapipeline ][main] Pipeline Java execution initialization time {"seconds"=>0.71}
[2021-11-11T12:42:32,114][INFO ][logstash.inputs.file ][main] No sincedb_path set, generating one based on the "path" setting {:sincedb_path=>"/var/lib/logstash/plugins/inputs/file/.sincedb_b6991da>
[2021-11-11T12:42:32,135][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
[2021-11-11T12:42:32,194][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2021-11-11T12:42:32,178][INFO ][filewatch.observingtail ][main][98a66028183f0c54ee7601107f61bea50bf64bad9eb20cd377c63c705ea7e850] START, creating Discoverer, Watch with file and sincedb collections
[2021-11-11T12:42:32,335][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

Did you define the log.test file in your pipelines.yml?
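
One way to answer that question from a shell, as an added example that is not part of the original thread: it checks whether a config file is covered by any path.config entry in pipelines.yml, which is what Logstash reads when it is started without -f. The function names are hypothetical, and the sample pipelines.yml is constructed, modelled on the packaged default.

```shell
#!/bin/sh
# Does any path.config entry in pipelines.yml cover a given config file?
# Added example; pipeline_globs and config_is_loaded are hypothetical names.

# pipeline_globs FILE: print each uncommented path.config value, quotes stripped.
pipeline_globs() {
    sed -n 's/^[[:space:]-]*path\.config:[[:space:]]*//p' "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# config_is_loaded PIPELINES_YML CONFIG_PATH: return 0 if an entry covers it.
# A path.config value may be a glob or a directory (all files in it are read).
# Note: shell case patterns let * cross "/", which is looser than a real glob.
config_is_loaded() {
    globs=$(pipeline_globs "$1")
    while IFS= read -r glob; do
        [ -n "$glob" ] || continue
        case "$2" in
            $glob | "${glob%/}"/*) return 0 ;;
        esac
    done <<EOF
$globs
EOF
    return 1
}

# Constructed sample input: a commented-out entry plus one active pipeline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# - pipeline.id: old
#   path.config: "/etc/logstash/old/*.cfg"
- pipeline.id: main
  path.config: "/etc/logstash/conf.d/*.conf"
EOF

for f in /etc/logstash/conf.d/log.test /etc/logstash/conf.d/log.conf; do
    if config_is_loaded "$sample" "$f"; then
        echo "$f: covered by pipelines.yml"
    else
        echo "$f: NOT covered, the service will not load it"
    fi
done
```

On a real host, pass /etc/logstash/pipelines.yml instead of the sample file.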
