Logstash, when started using nohup, is logging too much, resulting in huge size

We are running Logstash and its output has file and elasticsearch. For every opening and closing, the file plugin is logging... resulting in the nohup.out file being very huge...

How do I avoid so much logging, or is there a better way to handle this?

You could change the logging level for the loggers involved (the logger name is shown in the log message). For example, to increase the volume of log messages from a file output I use

curl -XPUT 'localhost:9600/_node/logging?pretty' -H 'Content-Type: application/json' -d'
{
    "logger.filewatch.discoverer" : "TRACE",
    "logger.filewatch.observingtail" : "TRACE",
    "logger.filewatch.sincedbcollection" : "TRACE",
    "logger.filewatch.tailmode.handlers.createinitial" : "TRACE",
    "logger.filewatch.tailmode.handlers.grow" : "TRACE",
    "logger.filewatch.tailmode.processor" : "TRACE"
}
'

You could change the default (INFO) level to WARN in a similar way.

Thanks. Is there any possibility I can set this in the properties instead of with a curl? Our Logstash gets run every now and then and by different people, so aligning this every time Logstash starts may be difficult.

Yes, you should be able to modify the log4j2.properties file to set these.

I tried adding

logger.logstash.file.outputs = WARN

and

"logger.filewatch.discoverer" : "TRACE",
    "logger.filewatch.observingtail" : "TRACE",
    "logger.filewatch.sincedbcollection" : "TRACE",
    "logger.filewatch.tailmode.handlers.createinitial" : "TRACE",
    "logger.filewatch.tailmode.handlers.grow" : "TRACE",
    "logger.filewatch.tailmode.processor" : "TRACE"

But both give me an error, saying either that the logstash file output is not valid or that the filewatch module is not found.

To modify the level for all of the filewatch classes you could use

logger.filewatch.name = filewatch
logger.filewatch.level = WARN

If you wanted to modify some sub-classes but not others you could use something like

logger.logstash1.name = logstash.runner
logger.logstash1.level = WARN
logger.logstash2.name = logstash.pipeline
logger.logstash2.level = WARN

which does not modify logstash.javapipeline, logstash.setting, etc.

Thanks for the response.

Even after trying both I am still seeing those logs.

Sample log (the one I need to get rid of):

[2021-07-01T19:28:45,203][INFO ][logstash.outputs.file    ][main][4e6acc3dcf51fc251f2e81c7fe7f576133e96a5af8f803fa5d198ccbec9f5a00] Opening file {:path=>"/Users/Smit/Downloads/trash/log.txt"}

Properties I tried:

logger.filewatch.name = filewatch
logger.filewatch.level = WARN

another

logger.logstash1.name = logstash.outputs.file
logger.logstash1.level = WARN

Sample Logstash Conf:

input {
  stdin{}
}

output {
  file {
   path => "/Users/Smit/Downloads/trash/log.txt"
   codec => line { format => "custom format: %{message}"}
 }
}

I do not know what to say. When I add

logger.logstash1.name = logstash.outputs.file
logger.logstash1.level = WARN

to /etc/logstash/log4j2.properties and restart logstash the message

[INFO ][logstash.outputs.file ][main][98cb9fbcc7c0b63c6dfb54eee928e0944a186fb8cd23c2f926042405b89ccd1f] Opening file {:path=>"/tmp/foo.txt"}

is not printed.

Thanks.

The problem is I was updating the log4j in the config folder but I was not setting that in the --path.settings. After doing that, it worked.

--path.settings=/Users/Smit/Documents/Dev/ELK/logstash-7.10.0/config/

or

export LS_SETTINGS_DIR=/Users/Smit/Documents/Dev/ELK/logstash-7.10.0/config/
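
An added example, not part of the thread or of Logstash itself: it takes the logger name from a log line and resolves which `logger.<id>.name` / `logger.<id>.level` entry decides whether that line is printed, using log4j2's dotted-name hierarchy. The sample line, the placeholder plugin id and the function names are constructed; the root level is assumed to be the default INFO, and appender filters and additivity are ignored.

```python
import re

# Constructed samples: a log line shaped like the one in the thread (placeholder
# plugin id) and the two log4j2.properties fragments that were tried.
SAMPLE_LINE = ('[2021-07-01T19:28:45,203][INFO ][logstash.outputs.file    ]'
               '[main][PLUGIN_ID] Opening file {:path=>"/tmp/log.txt"}')
FILEWATCH_ONLY = "logger.filewatch.name = filewatch\nlogger.filewatch.level = WARN\n"
OUTPUT_FILE = ("logger.logstash1.name = logstash.outputs.file\n"
               "logger.logstash1.level = WARN\n")

LEVELS = ["TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL"]
# Optional [timestamp], then [LEVEL ] and [logger.name ] as Logstash prints them.
LINE_RE = re.compile(r"^(?:\[[^\]]*\])?\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]\s]+)\s*\]")

def parse_loggers(text):
    """Map logger name -> level from logger.<id>.name / logger.<id>.level pairs."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            props[key] = value
    loggers = {}
    for key, name in props.items():
        m = re.fullmatch(r"logger\.([^.]+)\.name", key)
        level = props.get(f"logger.{m.group(1)}.level") if m else None
        if level:
            loggers[name] = level.upper()
    return loggers

def effective_level(logger, loggers, root="INFO"):
    """Walk up the dotted name until a configured ancestor is found."""
    parts = logger.split(".")
    while parts:
        name = ".".join(parts)
        if name in loggers:
            return name, loggers[name]
        parts.pop()
    return "root", root  # assumption: root level left at the default INFO

def is_printed(line, properties_text, root="INFO"):
    """Return (printed?, logger entry that decided it) for one log line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a Logstash log line")
    source, threshold = effective_level(m["logger"], parse_loggers(properties_text), root)
    return LEVELS.index(m["level"]) >= LEVELS.index(threshold), source

if __name__ == "__main__":
    for label, text in (("filewatch only", FILEWATCH_ONLY), ("outputs.file", OUTPUT_FILE)):
        print(label, is_printed(SAMPLE_LINE, text))
```

Feed it the contents of the log4j2.properties in the directory Logstash is actually started with (the `--path.settings` / `LS_SETTINGS_DIR` location), since an edit to any other copy has no effect.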
