Logstash wildcards / regex not working

guyboertje · January 16, 2019, 12:55pm

FYI. You can dynamically change targeted logging sub-systems via the LS API...

The [logging API](https://www.elastic.co/guide/en/logstash/6.4/logging.html#_logging_apis) allows for different levels of logging for different components in LS.

First do `curl -XGET 'localhost:9600/_node/logging?pretty'`
You see something like this:

{
  "host" : "Elastics-MacBook-Pro.local",
  "version" : "6.4.0",
  "http_address" : "127.0.0.1:9600",
  "id" : "8789409b-7126-4034-9347-de47e6ce12a9",
  "name" : "Elastics-MacBook-Pro.local",
  "loggers" : {
    "filewatch.discoverer" : "DEBUG",
    "filewatch.observingtail" : "DEBUG",
    "filewatch.sincedbcollection" : "DEBUG",
    "filewatch.tailmode.handlers.createinitial" : "DEBUG",
    "filewatch.tailmode.processor" : "DEBUG",
    "logstash.agent" : "DEBUG",
    "logstash.api.service" : "DEBUG",
    "logstash.codecs.json" : "DEBUG",
    ...
    "logstash.filters.date" : "DEBUG",
    "logstash.inputs.file" : "DEBUG",
    ...
    "logstash.outputs.stdout" : "DEBUG",
    "logstash.pipeline" : "DEBUG",
    ...
    "slowlog.logstash.codecs.json" : "TRACE",
    "slowlog.logstash.codecs.rubydebug" : "TRACE",
    "slowlog.logstash.filters.date" : "TRACE",
    "slowlog.logstash.inputs.file" : "TRACE",
    "slowlog.logstash.outputs.stdout" : "TRACE"
  }
}

The ones we will need to change are prefixed with filewatch
1. `filewatch.discoverer`, finds and feeds new files into the processing, discovered files become watched-files in the ignore state or the watched state.
2. `filewatch.observingtail`, acts as the callback path to the input and the queue
3. `filewatch.sincedbcollection`, manages the entries in the sincedb collection that persists to the sincedb file.
4. `filewatch.tailmode.handlers.createinitial`, handles reading from a file.
5. `filewatch.tailmode.processor`, manages the 'state' of a watched-file and detects deletions, rotations an  d if possible, tracks an inode through various renames.

There are a number of other handlers `grow`, `shrink` that handle a watched-file that has been seen to grow or shrink (truncated) since it was last (fully) read.

Using the API
Turn trace on:

curl -XPUT 'localhost:9600/_node/logging?pretty' -H 'Content-Type: application/json' -d'
{
    "logger.filewatch.discoverer" : "TRACE"
}
'

Turn trace off:

curl -XPUT 'localhost:9600/_node/logging?pretty' -H 'Content-Type: application/json' -d'
{
    "logger.filewatch.discoverer" : "WARN"
}
'

Or

curl -XPUT 'localhost:9600/_node/logging/reset?pretty'

NOTE: it might be a good idea to start LS with logging set to WARN in the logstash.yml so other logging is less verbose.

Topic		Replies	Views
Logstash input-> file-> path…wildcard * not working Logstash	6	4744	October 18, 2018
Input file path wildcard is not working Logstash	4	378	August 18, 2020
Logstash wildcards in input file path not processing files Logstash	7	1284	September 10, 2019
Logstash input-> file-> path...Why the wildcard * doesn't work? Logstash	2	1580	May 30, 2018
Logstash Wildcard does not seem to be working? Logstash	7	1614	July 6, 2017

Logstash wildcards / regex not working

Related topics