Logstash tcp input doesn't work

Hi,

I'm using the Logstash Docker image as shown below, but it always says "Pipeline has terminated". What's the problem?

docker run --name logstash -d \
  -p 4560:4560 \
  -p 4561:4561 \
  --link elasticsearch:elasticsearch \
  -v /opt/logstash:/usr/share/logstash/pipeline \
  -v /opt/logstash/pipelines.yml:/usr/share/logstash/config/pipelines.yml \
  docker.elastic.co/logstash/logstash:6.3.2

/opt/logstash/app.conf

input {
  tcp {
    port => 4560
    codec => json
    type => "simple"
  }
  udp {
    port => 4560
    codec => json
    type => "simple"
  }
  log4j {
    port => 4561
    codec => json
    type => "simple"
  }
}

output {
  if [type] == "simple" {
    elasticsearch {
      hosts => ["elasticsearch:9200"]
    }
  }
}

logstash-log

[2018-07-30T09:04:14,234][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://elasticsearch:9200/]}}
[2018-07-30T09:04:14,246][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://elasticsearch:9200/, :path=>"/"}
[2018-07-30T09:04:14,471][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://elasticsearch:9200/"}
[2018-07-30T09:04:14,555][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2018-07-30T09:04:14,560][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be used to determine the document _type {:es_version=>6}
[2018-07-30T09:04:14,595][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["http://elasticsearch:9200"]}
[2018-07-30T09:04:14,761][INFO ][logstash.licensechecker.licensereader] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://elasticsearch:9200/]}}
[2018-07-30T09:04:14,762][INFO ][logstash.licensechecker.licensereader] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://elasticsearch:9200/, :path=>"/"}
[2018-07-30T09:04:14,769][WARN ][logstash.licensechecker.licensereader] Restored connection to ES instance {:url=>"http://elasticsearch:9200/"}
[2018-07-30T09:04:14,776][INFO ][logstash.licensechecker.licensereader] ES Output version determined {:es_version=>6}
[2018-07-30T09:04:14,780][WARN ][logstash.licensechecker.licensereader] Detected a 6.x and above cluster: the type event field won't be used to determine the document _type {:es_version=>6}
[2018-07-30T09:04:14,941][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>".monitoring-logstash", :thread=>"#<Thread:0x7ae3f6b1 run>"}
[2018-07-30T09:04:15,077][INFO ][logstash.inputs.metrics ] Monitoring License OK
[2018-07-30T09:04:15,404][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2018-07-30T09:04:21,609][INFO ][logstash.pipeline ] Pipeline has terminated {:pipeline_id=>".monitoring-logstash", :thread=>"#<Thread:0x7ae3f6b1 run>"}

If the monitoring pipeline is the only pipeline running then logstash will shut itself down. My guess is that it has found a pipelines.yml that does not define any pipelines. I would run it with log.level: debug and see what configuration it is using.

It worked like below.

/opt/logstash/app.conf

input {
  tcp {
    port => 4560
  }
}

output {
  elasticsearch {
    hosts => ["elasticsearch:9200"]
  }
}

Set log.level: debug and check whether it is using that configuration. It probably is not.
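One way to check a startup log for the condition described in the replies above, where the monitoring pipeline is the only pipeline that ever ran. This is an added example, not code from the thread or from Logstash; the verdict strings and the "main" sample line are constructed for illustration.

```python
import re

# Logstash 6.x plain log line: [timestamp][LEVEL][logger] message
LINE_RE = re.compile(r"^\[[^\]]+\]\[\w+\s*\]\[([^\]]+?)\s*\]\s*(.*)$")
PIPELINE_ID_RE = re.compile(r':pipeline_id=>"([^"]+)"')
INTERNAL = {".monitoring-logstash"}  # the internal pipeline named in the thread's log

def pipeline_events(lines):
    """Map each pipeline_id to its 'started'/'terminated' events, in log order."""
    events = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != "logstash.pipeline":
            continue
        msg = m.group(2)
        pid = PIPELINE_ID_RE.search(msg)
        if not pid:
            continue
        if msg.startswith("Pipeline started successfully"):
            events.setdefault(pid.group(1), []).append("started")
        elif msg.startswith("Pipeline has terminated"):
            events.setdefault(pid.group(1), []).append("terminated")
    return events

def diagnose(lines):
    """Return a verdict; the strings are this example's own, not Logstash output."""
    user = {p: e for p, e in pipeline_events(lines).items() if p not in INTERNAL}
    if not user:
        return "no-user-pipeline"  # only internal pipelines ran: no input is listening
    if any(e[-1] == "terminated" for e in user.values()):
        return "user-pipeline-terminated"
    return "ok"

# Lines copied from the log posted in the thread.
THREAD_LOG = [
    '[2018-07-30T09:04:14,941][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>".monitoring-logstash", :thread=>"#<Thread:0x7ae3f6b1 run>"}',
    '[2018-07-30T09:04:15,404][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}',
    '[2018-07-30T09:04:21,609][INFO ][logstash.pipeline ] Pipeline has terminated {:pipeline_id=>".monitoring-logstash", :thread=>"#<Thread:0x7ae3f6b1 run>"}',
]
# Constructed sample of a healthy start (pipeline id "main" and thread id are assumptions).
HEALTHY_LOG = [
    '[2018-07-30T10:00:00,000][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x00000000 run>"}',
    THREAD_LOG[0],
]

if __name__ == "__main__":
    print(diagnose(THREAD_LOG))   # no-user-pipeline
    print(diagnose(HEALTHY_LOG))  # ok
```

A "no-user-pipeline" verdict on a log shipper means the TCP port is published by Docker but nothing inside the container is accepting events, so it is worth alerting on rather than discovering from missing data.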
