Logstash Runs And Does Nothing

Elastic Stack Logstash
1

Hi there,

I have simple file input/output logstash pipeline. Logstash runs but does nothing. There is no output. In logstash log file only suspicious thing is this "One or more required cgroup files or directories not found: /proc/self/cgroup, /sys/fs/cgroup/cpuacct, /sys/fs/cgroup/cpu". Just in case i check my input folder there is several log file there. I cleared data folder as well. But nothing happens.

I'm using windows 10, logstash 7.12.0

Here is my .conf file

# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.

input{
	file{
		path => "D:/Logs/*.log"
		start_position => "beginning"
		ignore_older => 0
	}
}

filter {
  grok{
	match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} \[%{DATA:gereksiz}\] %{LOGLEVEL:log-level} %{DATA:gereksiz2} \[%{DATA:gereksi3}\] %{DATA:gereksiz4}%{DATA:gereksiz5}- (?<TranDate>([TranDate]*=[a-zA-Z0-9\- : \/]*))(?<Message>([|Message]*=[a-zA-Z0-9\- : \/]*))(?<HasException>([|HasException]*=[a-zA-Z0-9\- : \/]*))(?<ExceptionMessage>([|ExceptionMessage]*=[a-zA-Z0-9\- : \/]*))(?<CommunicationKey>([|CommunicationKey]*=[a-zA-Z0-9\- : \/]*))(?<BusinessKey>([|BusinessKey]*=[a-zA-Z0-9\- : \/]*))(?<ResourceCode>([|ResourceCode]*=[a-zA-Z0-9\- : \/]*))(?<ResourceId>([|ResourceId]*=[a-zA-Z0-9\- : \/]*))(?<ActionId>([|ActionId]*=[a-zA-Z0-9\- : \/]*))(?<TranBranchId>([|TranBranchId]*=[a-zA-Z0-9\- : \/]*))(?<ChannelId>([|ChannelId]*=[a-zA-Z0-9\- : \/]*))(?<LanguageId>([|LanguageId]*=[a-zA-Z0-9\- : \/]*))(?<UserName>([|UserName]*=[a-zA-Z0-9\- : \/]*))(?<HostName>([|HostName]*=[a-zA-Z0-9\- : \/]*))(?<HostIP>([|HostIP]*=[a-zA-Z0-9\- : \/]*))(?<ServerName>([|ServerName]*=[a-zA-Z0-9\- : \/]*))(?<ApplicationSide>([|ApplicationSide]*=[a-zA-Z0-9\- : \/]*))(?<SystemDate>([|SystemDate]*=[a-zA-Z0-9\- : \/]*))" }
  }
  date {
	match => [ "timestamp", "ISO8601" ]
	}
}

output {
    stdout {
		codec => rubydebug
	}
    file {
        path => "D:/Logstash/output.txt"
    }
}
2

In Filebeat, setting ignore_older to zero disables age-based filtering.

In logstash, setting ignore_older to zero tells the file input to ignore any files more than zero seconds old, which usually means it ignores everything.

The file will have been added to the sincedb but I believe it will have been added with a size of zero, so if you restart logstash without the ignore_older option it will likely read it. If not, you may have to add sincedb_path => "NUL" and restart again.

3

Thanks that worked! I should have misunderstand how ignore_older works.
I deleted it and it worked as i expected.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.