we are running logstash and its output has file and elasticsearch for every opening and closing the file plugin is logging in... resulting the nohup.out file being very huge...
How do i avoid so much of logging, or is there a way better way to handle this?
You could change the logging level for the loggers involved (the logger name is show in the log message). For example, to increase the volume of log messages from a file output I use
curl -XPUT 'localhost:9600/_node/logging?pretty' -H 'Content-Type: application/json' -d'
{
"logger.filewatch.discoverer" : "TRACE",
"logger.filewatch.observingtail" : "TRACE",
"logger.filewatch.sincedbcollection" : "TRACE",
"logger.filewatch.tailmode.handlers.createinitial" : "TRACE",
"logger.filewatch.tailmode.handlers.grow" : "TRACE",
"logger.filewatch.tailmode.processor" : "TRACE"
}
'
You could change the default (INFO) level to WARN in a similar way.
Thanks. Any possibility i can set this at the properties, instead of a curl? as our logstash gets run every now and then and by different people. So aligning this everytime the logstash starts may be difficult.
Yes, you should be able to modify the log4j2.properties file to set these.
I tried adding
logger.logstash.file.outputs = WARN
and
"logger.filewatch.discoverer" : "TRACE",
"logger.filewatch.observingtail" : "TRACE",
"logger.filewatch.sincedbcollection" : "TRACE",
"logger.filewatch.tailmode.handlers.createinitial" : "TRACE",
"logger.filewatch.tailmode.handlers.grow" : "TRACE",
"logger.filewatch.tailmode.processor" : "TRACE"
But both giving me error by either saying logstash file output is not valid or filewatch module not found.
To modify the level for all of the filewatch classes you could use
logger.filewatch.name = filewatch
logger.filewatch.level = WARN
If you wanted to modify some sub-classes but not others you could use something like
logger.logstash1.name = logstash.runner
logger.logstash1.level = WARN
logger.logstash2.name = logstash.pipeline
logger.logstash2.level = WARN
which does not modify logstash.javapipeline, logstash.setting, etc.
Thanks for the reponse.
Even after trying both I am still seeing those logs
Sample Log (the one i need to get rid of)
[2021-07-01T19:28:45,203][INFO ][logstash.outputs.file ][main][4e6acc3dcf51fc251f2e81c7fe7f576133e96a5af8f803fa5d198ccbec9f5a00] Opening file {:path=>"/Users/Smit/Downloads/trash/log.txt"}
Properties I tried:
logger.filewatch.name = filewatch
logger.filewatch.level = WARN
another
logger.logstash1.name = logstash.outputs.file
logger.logstash1.level = WARN
Sample Logstash Conf:
input {
stdin{}
}
output {
file {
path => "/Users/Smit/Downloads/trash/log.txt"
codec => line { format => "custom format: %{message}"}
}
}
I do not know what to say. When I add
logger.logstash1.name = logstash.outputs.file
logger.logstash1.level = WARN
to /etc/logstash/log4j2.properties and restart logstash the message
[INFO ][logstash.outputs.file ][main][98cb9fbcc7c0b63c6dfb54eee928e0944a186fb8cd23c2f926042405b89ccd1f] Opening file {:path=>"/tmp/foo.txt"}
is not printed.
Thanks.
The problem is I was updating the log4j in the config folder but i was not setting that in the --path.settings. After doing that, it worked.
--path.settings=/Users/Smit/Documents/Dev/ELK/logstash-7.10.0/config/
or
export LS_SETTINGS_DIR=/Users/Smit/Documents/Dev/ELK/logstash-7.10.0/config/
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.