If I start the logstash service using service or systemctl, it starts and reports as running but produces no output that is seen by elasticsearch.
On the other hand, if I run logstash using
./bin/logstash -f /etc/logstash/conf.d/
it logs to the console and is picked up by elasticsearch
What am I missing?
Okay, I seem to have fixed this. There were a couple or three problems:
/etc/systemd/system/logstash.service,ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/usr/share/logstash/config"
then
sudo systemctl daemon-reload
The logging directory, /var/log/logstash was root:root and the logs therein were logstash:root so I chown'd both to logstash:logstash
Logstash was trying to listen on 514 & 5514 which didn't work as the logstash user (no permission) so I used iptables to forward 514 to 5514, viz:
sudo iptables -N PREROUTING
sudo iptables -t nat -A PREROUTING -p UDP -m udp --dport 514 -j REDIRECT --to-ports 5514
sudo iptables -t nat -A PREROUTING -p TCP -m tcp --dport 514 -j REDIRECT --to-ports 5514
iptables-save
I think that was all.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.