Logstash stopped processing because of an error: (SystemExit) exit

when i run logstash on windows i get the following error

C:\logstash-8.1.0>.\bin\logstash.bat -f .\config\syslog.conf
Using LS_JAVA_HOME defined java: C:\Program Files\Java\jdk-17.0.2
WARNING: Using LS_JAVA_HOME while Logstash distribution comes with a bundled JDK.
Sending Logstash logs to C:/logstash-8.1.0/logs which is now configured via log4j2.properties
[2022-03-15T10:46:52,902][INFO ][logstash.runner          ] Log4j configuration path used is: C:\logstash-8.1.0\config\log4j2.properties
[2022-03-15T10:46:52,908][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.1.0", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 Java HotSpot(TM) 64-Bit Server VM 17.0.2+8-LTS-86 on 17.0.2+8-LTS-86 +indy +jit [mswin32-x86_64]"}
[2022-03-15T10:46:52,909][INFO ][logstash.runner          ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
[2022-03-15T10:46:52,927][INFO ][logstash.settings        ] Creating directory {:setting=>"path.queue", :path=>"C:/logstash-8.1.0/data/queue"}
[2022-03-15T10:46:52,934][INFO ][logstash.settings        ] Creating directory {:setting=>"path.dead_letter_queue", :path=>"C:/logstash-8.1.0/data/dead_letter_queue"}
[2022-03-15T10:46:52,976][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2022-03-15T10:46:52,992][INFO ][logstash.agent           ] No persistent UUID file found. Generating new UUID {:uuid=>"066a838d-f47a-45a9-86fd-45b73fb8d433", :path=>"C:/logstash-8.1.0/data/uuid"}
[2022-03-15T10:46:54,803][INFO ][logstash.config.source.local.configpathloader] No config files found in path {:path=>"C:/logstash-8.1.0/config/syslog.conf"}
[2022-03-15T10:46:54,807][ERROR][logstash.config.sourceloader] No configuration found in the configured sources.
[2022-03-15T10:46:54,832][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2022-03-15T10:46:59,978][INFO ][logstash.runner          ] Logstash shut down.
[2022-03-15T10:46:59,987][FATAL][org.logstash.Logstash    ] Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
        at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:747) ~[jruby.jar:?]
        at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:710) ~[jruby.jar:?]
        at C_3a_.logstash_minus_8_dot_1_dot_0.lib.bootstrap.environment.<main>(C:\logstash-8.1.0\lib\bootstrap\environment.rb:94) ~[?:?]

[2022-03-15T10:46:54,803][INFO ][logstash.config.source.local.configpathloader] No config files found in path {:path=>"C:/logstash-8.1.0/config/syslog.conf"}
[2022-03-15T10:46:54,807][ERROR][logstash.config.sourceloader] No configuration found in the configured sources.

It says that no configuration was found.

What is the content of the file C:\logstash-8.1.0\config\syslog.conf?

syslog.conf

input {

  tcp {

    port => "1514"

    tags => ["heroku_syslog"]

  }

}

filter {

grok {

    match => {

      "message" => "%{SYSLOG5424PRI:pri}%{NUMBER:rfc_version} %{TIMESTAMP_ISO8601:timestamp} d.%{UUID:drain_id} %{WORD:app} %{USERNAME:dyno} - - %{GREEDYDATA:message}"

    }

    overwrite => ["message"]

    remove_field => ["pri", "rfc_version", "dyno", "timestamp", "syslog5424_pri"]

  }

if [message] = ~"^\{.*\}[\s\S]*$" {

    json {

      source => "message"

    }

mutate {

      add_tag => ["json"]

    }

}

}

output {

  elasticsearch {

    hosts => "https://interconomy.es.us-central1.gcp.cloud.es.io:9243"

    user => "elastic"

    password => "mipassowrd"

    index => "logs"

  }

}

i have new error now

Using LS_JAVA_HOME defined java: C:\Program Files\Java\jdk-17.0.2
WARNING: Using LS_JAVA_HOME while Logstash distribution comes with a bundled JDK.
Sending Logstash logs to C:/logstash-8.1.0/logs which is now configured via log4j2.properties
[2022-03-15T16:10:15,576][INFO ][logstash.runner          ] Log4j configuration path used is: C:\logstash-8.1.0\config\log4j2.properties
[2022-03-15T16:10:15,583][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.1.0", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 Java HotSpot(TM) 64-Bit Server VM 17.0.2+8-LTS-86 on 17.0.2+8-LTS-86 +indy +jit [mswin32-x86_64]"}
[2022-03-15T16:10:15,584][INFO ][logstash.runner          ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
[2022-03-15T16:10:15,642][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2022-03-15T16:10:17,929][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2022-03-15T16:10:18,192][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"in\", \"not \", \"==\", \"!=\", \"<=\", \">=\", \"<\", \">\", \"=~\", \"!~\", \"and\", \"or\", \"xor\", \"nand\", \"{\" at line 15, column 14 (byte 419) after filter {\r\ngrok {\r\n    match => {\r\n      \"message\" => \"%{SYSLOG5424PRI:pri}%{NUMBER:rfc_version} %{TIMESTAMP_ISO8601:timestamp} d.%{UUID:drain_id} %{WORD:app} %{USERNAME:dyno} - - %{GREEDYDATA:message}\"\r\n    }\r\n    overwrite => [\"message\"]\r\n    remove_field => [\"pri\", \"rfc_version\", \"dyno\", \"timestamp\", \"syslog5424_pri\"]\r\n  }\r\nif [message] ", :backtrace=>["C:/logstash-8.1.0/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:189:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in `initialize'", "C:/logstash-8.1.0/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "C:/logstash-8.1.0/logstash-core/lib/logstash/pipeline_action/create.rb:50:in `execute'", "C:/logstash-8.1.0/logstash-core/lib/logstash/agent.rb:376:in `block in converge_state'"]}
[2022-03-15T16:10:18,236][INFO ][logstash.runner          ] Logstash shut down.
[2022-03-15T16:10:18,241][FATAL][org.logstash.Logstash    ] Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
        at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:747) ~[jruby.jar:?]
        at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:710) ~[jruby.jar:?]
        at C_3a_.logstash_minus_8_dot_1_dot_0.lib.bootstrap.environment.<main>(C:\logstash-8.1.0\lib\bootstrap\environment.rb:94) ~[?:?]

Change that to if [message] =~ "^\{.*\}[\s\S]*$" {

1 Like

thank you :smiley:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.