Logstash.stdout

pierrejnelson · March 22, 2016, 7:54pm

Would anyone happen to know what makes this file. I need to move it to where I have all my space but I can't seem to find it.

magnusbaeck · March 22, 2016, 8:47pm

A correctly configured Logstash should produce a very small /var/log/logstash.stdout. Have a look in your init script. The init scripts that ship with Logstash's RPM and Debian packages lets the newly started Logstash daemon write to logstash.stdout until it switches over to its own log file.

pierrejnelson · March 22, 2016, 9:45pm

I found where to change it at but this how big this has gotten in an hour

corp-netlog-live01:/data/log/logstash # ls -ltrh
total 1.7G
-rw-r--r-- 1 root root 0 Mar 22 15:40 logstash.err
-rw-r--r-- 1 logstash logstash 799K Mar 22 16:30 logstash.log
-rw-r--r-- 1 root root 1.7G Mar 22 16:44 logstash.stdout

warkolm · March 22, 2016, 10:26pm

Have a look at it, what's in there?

pierrejnelson · March 23, 2016, 12:31pm

corp-netlog-live01:/data/log/logstash # ls -ltrh
total 15G
-rw-r--r-- 1 root root 0 Mar 22 15:40 logstash.err
-rw-r--r-- 1 logstash logstash 3.0M Mar 23 07:22 logstash.log
-rw-r--r-- 1 root root 15G Mar 23 07:28 logstash.stdout

This is what I seen in there.

{
"message" => [
[0] "Mar 23 07:30:26 xxx.xxx.xxx.xxx %FWSM-6-303002: xxx.xxx.xxx.xxx Retrieved xxx.xxx.xxx.xxx20160221",
[1] " xxx.xxx.xxx.xxx Retrieved xxx.xxx.xxx.xxx:20160221"
],
"@version" => "1",
"@timestamp" => "2016-03-23T12:30:26.000Z",
"type" => "syslog",
"file" => "/var/log/remote/full-feed/full-feed.log",
"host" => "#########",
"offset" => "2733054399",
"timestamp" => "Mar 23 07:30:26",
"logsource" => "xx.xx.xx.xx",
"program" => "%FWSM-6-303002"
}

corp-netlog-live01:/data/log/logstash # tail -5 logstash.log
{:timestamp=>"2016-03-23T07:32:51.525000-0500", :message=>"retrying failed action with response code: 429", :level=>:warn}
{:timestamp=>"2016-03-23T07:32:51.526000-0500", :message=>"retrying failed action with response code: 429", :level=>:warn}
{:timestamp=>"2016-03-23T07:32:51.526000-0500", :message=>"retrying failed action with response code: 429", :level=>:warn}
{:timestamp=>"2016-03-23T07:32:51.527000-0500", :message=>"retrying failed action with response code: 429", :level=>:warn}
{:timestamp=>"2016-03-23T07:32:51.527000-0500", :message=>"retrying failed action with response code: 429", :level=>:warn}

magnusbaeck · March 23, 2016, 1:48pm

It looks like you have a stdout { codec => rubydebug } output in your configuration. Perhaps you should remove it.

pierrejnelson · March 23, 2016, 1:51pm

That fixed it

Sending logstash logs to /data/log/logstash/logstash.log.

Thank you so much for your help.