I'm using 2 fresh Ubuntu 16.04 VMs with 16G of RAM. I just installed Logstash (5.6.4) and Java (1.8) and set up the following filter:
    filter {
      if "oslofmt" in [tags] {
        multiline {
          negate => true
          pattern => "^%{TIMESTAMP_ISO8601} "
          what => "previous"
          stream_identity => "%{host}.%{filename}"
        }
        multiline {
          negate => false
          pattern => "^%{TIMESTAMP_ISO8601}%{SPACE}%{NUMBER}%{SPACE}(TRACE|ERROR)"
          what => "previous"
          stream_identity => "%{host}.%{filename}"
        }
        grok {
          match => { "message" => "(?m)^%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{NUMBER:pid}?%{SPACE}?(?<loglevel>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) \[?\b%{NOTSPACE:module}\b\]?%{SPACE}?%{GREEDYDATA:logmessage}?" }
          add_field => { "received_at" => "%{@timestamp}" }
        }
      }
    }
Logstash complains about missing the multiline plugin and codec, so I installed them both via the following as root:
    /usr/share/logstash/bin/logstash-plugin install logstash-filter-multiline logstash-codec-multiline
From here Logstash complains:
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: Errno::EACCES: Permission denied - /usr/share/logstash/vendor/bundle/jruby/1.9/specifications/logstash-filter-multiline-3.0.4.gemspec
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: initialize at org/jruby/RubyFile.java:370
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: open at org/jruby/RubyIO.java:1197
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: open at org/jruby/RubyKernel.java:325
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: data at /usr/share/logstash/vendor/jruby/lib/ruby/shared/rubygems/stub_specification.rb:75
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: valid? at /usr/share/logstash/vendor/jruby/lib/ruby/shared/rubygems/stub_specification.rb:178
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: each_stub at /usr/share/logstash/vendor/jruby/lib/ruby/shared/rubygems/specification.rb:731
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: each_gemspec at /usr/share/logstash/vendor/jruby/lib/ruby/shared/rubygems/specification.rb:723
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: each at org/jruby/RubyArray.java:1613
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: each_gemspec at /usr/share/logstash/vendor/jruby/lib/ruby/shared/rubygems/specification.rb:722
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: each at org/jruby/RubyArray.java:1613
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: each_gemspec at /usr/share/logstash/vendor/jruby/lib/ruby/shared/rubygems/specification.rb:721
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: each_stub at /usr/share/logstash/vendor/jruby/lib/ruby/shared/rubygems/specification.rb:729
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: stubs at /usr/share/logstash/vendor/jruby/lib/ruby/shared/rubygems/specification.rb:748
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: find_inactive_by_path at /usr/share/logstash/vendor/jruby/lib/ruby/shared/rubygems/specification.rb:936
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: try_activate at /usr/share/logstash/vendor/jruby/lib/ruby/shared/rubygems.rb:187
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: require at /usr/share/logstash/vendor/jruby/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:126
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: setup! at /usr/share/logstash/lib/bootstrap/bundler.rb:57
Nov 09 22:59:24 prod-ss-logstashvm-02 logstash[1683]: (root) at /usr/share/logstash/lib/bootstrap/environment.rb:67
Nov 09 22:59:24 prod-ss-logstashvm-02 systemd[1]: logstash.service: Main process exited, code=exited, status=1/FAILURE
Nov 09 22:59:24 prod-ss-logstashvm-02 systemd[1]: logstash.service: Unit entered failed state.
Nov 09 22:59:24 prod-ss-logstashvm-02 systemd[1]: logstash.service: Failed with result 'exit-code'.
Nov 09 22:59:25 prod-ss-logstashvm-02 systemd[1]: logstash.service: Service hold-off time over, scheduling restart.
Nov 09 22:59:25 prod-ss-logstashvm-02 systemd[1]: Stopped logstash.
-- Subject: Unit logstash.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit logstash.service has finished shutting down.
Nov 09 22:59:25 prod-ss-logstashvm-02 systemd[1]: logstash.service: Start request repeated too quickly.
Nov 09 22:59:25 prod-ss-logstashvm-02 systemd[1]: Failed to start logstash.
-- Subject: Unit logstash.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit logstash.service has failed.
--
Looking at the permissions of the file compared to the rest in the directory:
-rw-rw-r-- 1 logstash logstash 1.7K Oct 31 20:12 logstash-filter-json-3.0.4.gemspec
-rw-rw-r-- 1 logstash logstash 1.6K Oct 31 20:12 logstash-filter-kv-4.0.2.gemspec
-rw-rw-r-- 1 logstash logstash 1.9K Oct 31 20:12 logstash-filter-metrics-4.0.4.gemspec
-rw-r----- 1 root root 2.2K Nov 9 22:49 logstash-filter-multiline-3.0.4.gemspec
-rw-rw-r-- 1 logstash logstash 2.0K Oct 31 20:12 logstash-filter-mutate-3.1.6.gemspec
-rw-rw-r-- 1 logstash logstash 1.8K Oct 31 20:12 logstash-filter-ruby-3.0.4.gemspec
-rw-rw-r-- 1 logstash logstash 1.6K Oct 31 20:12 logstash-filter-sleep-3.0.5.gemspec
We can see that it gets installed as root with 640 instead of 644 and without logstash ownership. These are not the only files it seems to break. I can't seem to start logstash anymore without it complaining about missing plugins now.
Is this no longer the proper way to install plugins?
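
An added example, not part of the original post: a small shell audit that walks a tree and lists every file or directory that is not owned by a given service account and also lacks world read (or, for directories, read and traverse) permission, which is the state the multiline gemspec above is in. The function names and the sample tree are constructed for illustration, and group membership is not evaluated.

```shell
#!/bin/sh
# Added example (not from the original post).
# unreadable_by USER DIR: list entries under DIR that USER does not own and
# that "other" cannot read (files) or read and traverse (directories).
# Assumption: access through group membership is not evaluated here.
unreadable_by() {
    find "$2" ! -user "$1" \
        \( \( -type f ! -perm -004 \) -o \( -type d ! -perm -005 \) \) \
        -print | sort
}

# Build a constructed sample tree that mirrors the listing in the post:
# one gemspec left world-readable, one written with mode 640.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    chmod 755 "$d"
    mkdir -p "$d/specifications"
    chmod 755 "$d/specifications"
    : > "$d/specifications/logstash-filter-json-3.0.4.gemspec"
    : > "$d/specifications/logstash-filter-multiline-3.0.4.gemspec"
    chmod 644 "$d/specifications/logstash-filter-json-3.0.4.gemspec"
    chmod 640 "$d/specifications/logstash-filter-multiline-3.0.4.gemspec"
    printf '%s\n' "$d"
}

# Demo on the constructed tree. A numeric uid that differs from the current
# one stands in for the service account, so no real account is required.
sample=$(make_sample_tree)
unreadable_by "$(( $(id -u) + 1 ))" "$sample"
rm -rf "$sample"
```

On the host from the post, the equivalent call would be `unreadable_by logstash /usr/share/logstash`, run after any plugin install performed as root.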