Logstash not showing service method after installing with RPM method


(Rocky Rk) #1

Hi Guys, I have installed Logstash 6.2.4 the RPM way, but it was not linked to /etc/init.d, nor does it work as a service in CentOS 6.8.

However, for Logstash everything runs fine, but while checking the config test it shows that document_type has been deprecated in 6.x. The output is attached below.

# /usr/share/logstash/bin/logstash -f logstash-syslog.conf -t
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2018-06-19 22:35:08.051 [main] scaffold - Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[INFO ] 2018-06-19 22:35:08.058 [main] scaffold - Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[WARN ] 2018-06-19 22:35:08.401 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[WARN ] 2018-06-19 22:35:09.785 [LogStash::Runner] elasticsearch - You are using a deprecated config setting "document_type" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Document types are being deprecated in Elasticsearch 6.0, and removed entirely in 7.0. You should avoid this feature If you have any questions about this, please visit the #logstash channel on freenode irc. {:name=>"document_type", :plugin=><LogStash::Outputs::ElasticSearch hosts=>[//my-elk:9200], index=>"syslog-%{+YYYY.MM.dd}", document_type=>"messages", id=>"7dc2fdd03a18379a803131d25de92008a8bd9543eb1779a22e415522257f09de", enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_ae0d4c91-89cc-43eb-8484-ca60b6f5bce9", enable_metric=>true, charset=>"UTF-8">, workers=>1, manage_template=>true, template_name=>"logstash", template_overwrite=>false, doc_as_upsert=>false, script_type=>"inline", script_lang=>"painless", script_var_name=>"event", scripted_upsert=>false, retry_initial_interval=>2, retry_max_interval=>64, retry_on_conflict=>1, action=>"index", ssl_certificate_verification=>true, sniffing=>false, sniffing_delay=>5, timeout=>60, pool_max=>1000, pool_max_per_route=>100, resurrect_delay=>5, validate_after_inactivity=>10000, http_compression=>false>}
Configuration OK
[INFO ] 2018-06-19 22:35:09.790 [LogStash::Runner] runner - Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
[root@my-elk conf.d]#
[root@my-elk conf.d]# /usr/share/logstash/bin/logstash -V
logstash 6.2.4

My logstash file:

# cat logstash-syslog.conf
input {
  file {
    path => [ "/scratch/rsyslog/*/messages.log" ]
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  #if "automount" in [message] or "ldap" in [message] {
  elasticsearch {
    hosts => "my-elk:9200"
    index => "syslog-%{+YYYY.MM.dd}"
    document_type => "messages"
  }
  #stdout {}
  #}
}
