Logstash service exits when it gets log

BrunoC · May 10, 2017, 10:07am

I use ELK stack to monitor logs from pfSense but I have a problem. As soon as I enable the remote logs on pfSense, Logstash stops, the service status is : active (exited).

The last logs from logstash.log :

{:timestamp=>"2017-05-09T12:15:44.940000+0200", :message=>"SIGTERM received. Shutting down the pipeline.",           :level=>:warn}
{:timestamp=>"2017-05-09T12:15:45.328000+0200", :message=>"UDP listener died", :exception=>#<IOError: closed stream>, :backtrace=>["org/jruby/RubyIO.java:3682:in `select'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-udp-2.0.5/lib/logstash/inputs/udp.rb:77:in `udp_listener'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-udp-2.0.5/lib/logstash/inputs/udp.rb:50:in `run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:334:in `inputworker'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:328:in `start_input'"], :level=>:warn}

logs from logstash.err :

Errno::EACCES: Permission denied - /logs/log-2017-05-09.log
        initialize at org/jruby/RubyFile.java:370
               new at org/jruby/RubyIO.java:853
              open at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-file-2.2.5/lib/logstash/outputs/file.rb:264
       write_event at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-file-2.2.5/lib/logstash/outputs/file.rb:162
              call at org/jruby/RubyProc.java:281
            encode at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-json_lines-2.1.3/lib/logstash/codecs/json_lines.rb:48
           receive at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-file-2.2.5/lib/logstash/outputs/file.rb:129
     multi_receive at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/outputs/base.rb:83
              each at org/jruby/RubyArray.java:1613
     multi_receive at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/outputs/base.rb:83
worker_multi_receive at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/output_delegator.rb:130
     multi_receive at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/output_delegator.rb:114
      output_batch at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:293
              each at org/jruby/RubyHash.java:1342
      output_batch at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:293
       worker_loop at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:224
     start_workers at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:193

BrunoC · May 10, 2017, 10:24am

I found out that it's the file output part of logstash conf file that doesn't work. How to give the rights to Logstash to write into /logs?

Xavy · May 10, 2017, 1:04pm

Hello:

Which are the permissions of such a folder. Which owner and ghroup? Have you thought about adding elasticsearch user to such a group ?

system · June 7, 2017, 1:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.