Hey everyone!
I'm struggling with Logstash running as a service. I have a couple of config files in /etc/logstash/conf.d/. When I run my config from the CLI with this command:
bin/logstash -f /etc/logstash/conf.d/my.conf --path.settings /etc/logstash
Logstash works properly and sends well-parsed logs to the output. Unfortunately, when I run Logstash as a service with:
systemctl start logstash
it doesn't send any data to the output; no errors are shown and it seems to be working correctly.
My .conf file:
# Input stage: accept events from Beats shippers (e.g. Filebeat) on port 5044.
# No TLS or client-authentication settings appear in this block, so as written
# the listener accepts plaintext connections on the plugin's default bind
# address. On an untrusted network, restrict access to the port with a firewall
# or enable the plugin's TLS options.
input {
beats {
port => 5044
}
}
# Filter stage: strip Beats metadata, parse nginx access-log lines forwarded
# through syslog, split the logged "h=" value into parts, and enrich the event
# with GeoIP data for the client address.
filter {
# Drop the codec tag and Beats bookkeeping fields when the Beats codec tag is
# present. "host" is removed here and re-created by the grok filters below.
if "beats_input_codec_plain_applied" in [tags] {
mutate {
remove_tag => ["beats_input_codec_plain_applied"]
remove_field => ["beat"]
remove_field => ["prospector"]
remove_field => ["source"]
remove_field => ["host"]
}
}
# Everything below runs only for events carrying the tag "tag"
# (presumably a placeholder for the real tag name set by the shipper).
if "tag" in [tags] {
# Variant 1: the user column is matched with %{USER}.
# Captures host, clientip, timestamp, verb, httpversion, response, bytes and
# referrer (the value that follows "(h=" in the line).
grok {
match => { "message" => "%{SYSLOGTIMESTAMP} %{HOSTNAME:host} nginx\: %{IPORHOST:clientip} %{HTTPDUSER} %{USER} \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} %{NUMBER:bytes} %{DATA} %{DATA}\" \(h=%{NOTSPACE:referrer} %{GREEDYDATA}"
}
}
# Variant 2: identical except the user column is matched with %{EMAILADDRESS}.
# NOTE(review): both grok filters run on every tagged event. Because they are
# separate filters, whichever variant does not match adds grok's failure tag
# (by default "_grokparsefailure"), so that tag cannot be used to spot
# unparsed lines. grok accepts a list of patterns in a single match, which
# would avoid this - confirm before changing.
grok {
match => { "message" => "%{SYSLOGTIMESTAMP} %{HOSTNAME:host} nginx\: %{IPORHOST:clientip} %{HTTPDUSER} %{EMAILADDRESS} \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} %{NUMBER:bytes} %{DATA} %{DATA}\" \(h=%{NOTSPACE:referrer} %{GREEDYDATA}"
}
}
# Split the captured referrer into protocol, domain3, domain2, domain1 and port.
# The pattern requires a scheme, at least three dot-separated labels and an
# explicit port; values that do not fit leave these fields unset.
grok {
match => { "referrer" => "%{WORD:protocol}://%{NOTSPACE:domain3}\.%{NOTSPACE:domain2}\.%{WORD:domain1}:%{INT:port}"
}
}
# GeoIP lookup on clientip; selected geoip sub-fields are copied to top-level
# fields. add_field is applied only when the lookup succeeds, so these fields
# are absent for addresses the database cannot resolve (e.g. private ranges).
geoip {
source => "clientip"
add_field => {"longitude" => "%{[geoip][longitude]}"
"latitude" => "%{[geoip][latitude]}"
"timezone" => "%{[geoip][timezone]}"
"ip" => "%{[geoip][ip]}"
"continent_code" => "%{[geoip][continent_code]}"
"region_name" => "%{[geoip][region_name]}"
"postal_code" => "%{[geoip][postal_code]}"
"country_name" => "%{[geoip][country_name]}"
"region_code" => "%{[geoip][region_code]}"
"country_code3" => "%{[geoip][country_code3]}"
"geohash" => "%{[geoip][location]}"
}
}
}
}
# Output stage: only events carrying the tag "tag" are emitted; everything else
# is dropped silently because no other output is defined.
output {
if "tag" in [tags] {
# Debug output of the complete event, including the raw "message" line with
# client IPs and user/e-mail values. When Logstash runs as a service this goes
# wherever the service manager routes stdout (typically the journal), so treat
# that destination as containing personal data or remove this output outside
# debugging.
stdout {codec => rubydebug}
# Write each event as a point in measurement "test" of database "logstash".
# No credentials or TLS settings appear in this block, so as written the
# writes are unauthenticated and unencrypted. "host" looks like a placeholder
# for the real InfluxDB address.
influxdb {
host => "host"
port => 8086
db => "logstash"
measurement => "test"
codec => "json"
# Use the event's own fields as the data points rather than an explicit list.
use_event_fields_for_data_points => true
# These fields are written as InfluxDB tags (indexed); the remaining fields
# become regular field values.
# NOTE(review): referrer, domain1-3, port and protocol are parsed from the
# request log line and are presumably client-influenced; as tags they can
# create unbounded series cardinality in InfluxDB - confirm whether they need
# to be tags.
send_as_tags => ["response", "host", "domain3", "domain2", "domain1", "referrer", "port", "protocol"]
# Fields left out of the written point entirely.
exclude_fields => ["@timestamp","timestamp","timestamp_object","timestamp_local","message","@version","geoip"]
}
}
}
logstash.service file:
# systemd unit that runs Logstash as a long-lived service.
[Unit]
Description=logstash
[Service]
Type=simple
# Runs under the dedicated logstash account rather than root. Every file the
# pipeline needs (config files, data directories, anything an input reads) has
# to be accessible to this user, which may differ from the account used for a
# manual CLI run.
User=logstash
Group=logstash
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
# No -f option is passed: only the settings directory is given, so the
# pipelines to run come from the settings in /etc/logstash (pipelines.yml)
# rather than from a single named config file.
ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
# Restart whenever the process exits, for any reason.
Restart=always
WorkingDirectory=/
# Lowest CPU scheduling priority.
Nice=19
# Limit on open file descriptors for the process.
LimitNOFILE=16384
# When stopping, how long to wait before giving up and sending SIGKILL?
# Keep in mind that SIGKILL on a process can cause data loss.
TimeoutStopSec=infinity
# NOTE(review): no systemd sandboxing directives (for example NoNewPrivileges=,
# ProtectSystem=, PrivateTmp=) are set in this unit; consider adding them in a
# drop-in after testing that the pipeline still starts.
[Install]
# When the unit is enabled, it is started as part of the multi-user target.
WantedBy=multi-user.target
pipelines.yml file:
# A single pipeline named "main".
- pipeline.id: main
# Glob: every *.conf file in /etc/logstash/conf.d/ is loaded and concatenated
# into this one pipeline. The inputs, filters and outputs of all those files
# are merged and apply to every event unless guarded by conditionals, which is
# different from running one file with -f on the command line.
# NOTE(review): indentation appears to have been lost in the paste; in a valid
# pipelines.yml this key is indented so that it belongs to the list item
# above - confirm against the real file.
path.config: "/etc/logstash/conf.d/*.conf"
Filebeat works well without any problems, so the problem is somewhere in Logstash...
Any help is appreciated!! Thanks!