Logstash started but not fetching data

smdfilebeat · April 11, 2019, 3:42am

I successfully started my logstash, but its not getting any data from filebeat. Filebeat is running with no problem.

Steps I did so far:

Delete registry
Restart filebeat

Can someone please help me to debug? I tried going trough previous post about this but no help. Logstash log

>>>logstash -f logstashdev.conf
Sending Logstash logs to D:/Services/Logstash/logs which is now configured via 
log4j2.properties
[2019-04-10T21:58:30,492][WARN ][logstash.config.source.multilocal] Ignoring the 
'pipelines.yml' file because modules or command line options are specified
[2019-04-10T21:58:30,508][INFO ][logstash.runner          ] Starting Logstash 
{"logstash.version"=>"6.7.0"}
[2019-04-10T21:58:38,273][INFO ][logstash.pipeline        ] Starting pipeline { 
{:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, 
"pipeline.batch.delay"=>50}
[2019-04-10T21:58:38,858][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs 
updated {:changes=>{:removed=>[], :added=> 
[https://elastic:xxxxxx@xxx.aws.found.io:xxxx]}}
[2019-04-10T21:58:39,483][WARN ][logstash.outputs.elasticsearch] Restored connection to ES 
 instance {:url=>"https://elastic:xxxxxx@xxx:xxxx"}
[2019-04-10T21:58:39,686][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2019-04-10T21:58:40,037][INFO ][logstash.inputs.beats    ] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[2019-04-10T21:58:40,069][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x7e80ff run>"}
[2019-04-10T21:58:40,147][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2019-04-10T21:58:40,162][INFO ][org.logstash.beats.Server] Starting server on port: 5044
[2019-04-10T21:58:40,506][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

Here's what is on my filebeat.yml

#----------------------------- Logstash output --------------------------------
output.logstash:
# The Logstash hosts
    hosts: ["localhost:5044"]

A_B · April 11, 2019, 6:55am

Hi @smdfilebeat,

From the Logstash log you pasted above it does look like Logstash is running and listening on port 5044 and that is is connected to Elasticsearch.

Logstash does not fetch data from Filebeat. Filebeat has to send its data to Logstash.

Based on that log I would say Logstash is working as expected. How did you determine Logstash is not receiving any data from Filebeat?

smdfilebeat · April 11, 2019, 7:13am

Hello @A_B, Thank you for the quick response. 5044 is indeed my logstash port, my elastic is running on 9200 port.
Anyway, the issue was caused by my if else statement in the output part.
I also want to ask If I can have a wildcard data in if-else statements? or regex? Thank you so much!

system · May 9, 2019, 7:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.