Logstash won't initialize (Security Onion)

Hi there

Logstash on my storage node is in a WARN state, but I don't know why. sudo so-status output is below.

Additional information:
- installation from Security Onion 16.04.5.6 ISO image
- Distributed deployment (Master, Storage, Forwarder)

sudo so-status
so-autossh is running:
21796 /usr/lib/autossh/autossh -M 0 -q -N -o ServerAliveInterval 60 -o ServerAliveCountMax 3 -o ExitOnForwardFailure yes -i /root/.ssh/securityonion -R 172.18.0.1:50000:localhost:9300 -L 172.18.0.1:6379:localhost:6379 nodestorage@idsecop03.uzh.ch
Status: HIDS

  • ossec_agent (sguil) [ OK ]
    Status: Elastic stack
  • so-elasticsearch [ OK ]
    parse error: Invalid numeric literal at line 1, column 10
  • so-logstash -- Logstash has started, but is still initializing.[ WARN ]
  • so-curator [ OK ]

sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
69c3871d520b securityonionsolutions/so-curator "/bin/bash" 10 minutes ago Up 10 minutes so-curator
fe7c48fa4894 securityonionsolutions/so-logstash "/usr/local/bin/dock…" 10 minutes ago Up 10 minutes 0.0.0.0:5044->5044/tcp, 0.0.0.0:6050-6053->6050-6053/tcp, 0.0.0.0:9600->9600/tcp so-logstash
10da039605e8 securityonionsolutions/so-elasticsearch "/bin/bash bin/es-do…" 10 minutes ago Up 10 minutes 127.0.0.1:9200->9200/tcp, 127.0.0.1:9300->9300/tcp so-elasticsearch

Elasticsearch log:
[2019-03-18T08:34:25,660][WARN ][org.elasticsearch.monitor.jvm.JvmGcMonitorService] [gc][550] overhead, spent [579ms] collecting in the last [1.1s]

sudo sostat | less
so-curator

(eth1)
veth8b41720 Link encap:Ethernet HWaddr ea:10:f2:55:a3:45
inet6 addr: fe80::e810:f2ff:fe55:a345/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2241 errors:0 dropped:0 overruns:0 frame:0
TX packets:2246 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:230866 (230.8 KB) TX bytes:29560886 (29.5 MB)
:parse error: Invalid numeric literal at line 1, column 10
parse error: Invalid numeric literal at line 1, column 10
parse error: Invalid numeric literal at line 1, column 10
parse error: Invalid numeric literal at line 1, column 10
parse error: Invalid numeric literal at line 1, column 10
parse error: Invalid numeric literal at line 1, column 10
parse error: Invalid numeric literal at line 1, column 10
parse error: Invalid numeric literal at line 1, column 10
parse error: Invalid numeric literal at line 1, column 10
parse error: Invalid numeric literal at line 1, column 10
parse error: Invalid numeric literal at line 1, column 10
parse error: Invalid numeric literal at line 1, column 10
/usr/sbin/sostat: line 488: / : syntax error: operand expected (error token is "/ ")
/usr/sbin/sostat: line 504: /106: syntax error: operand expected (error token is "/106")

Any idea how to solve this issue?
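Added example (not Security Onion's own code, and not part of the original post): the repeated "parse error: Invalid numeric literal at line 1, column 10" lines are the message jq prints when the text it is fed is not JSON. The assumption here is that so-status and sostat query the Elasticsearch HTTP API on 127.0.0.1:9200 and pipe the body through jq, so an empty reply or an HTML error page from a still-starting or unreachable Elasticsearch produces exactly that noise. The hypothetical helper below does the same health lookup but never raises on a bad body; it reports what actually came back, which is the first thing an operator wants to see when the status script only shows jq errors. The sample replies at the bottom are constructed.

```python
"""Defensive parsing of an Elasticsearch _cluster/health reply.

Hypothetical helper for troubleshooting a status script that pipes the
reply into jq. Assumption: a "parse error: Invalid numeric literal" from
jq means the body was not JSON (empty reply, HTML error page, ...)."""
import json
import urllib.error
import urllib.request
from typing import Any, Dict


def parse_health(body: str) -> Dict[str, Any]:
    """Summarise a cluster-health body without ever raising.

    Returns a dict with "ok" plus either the cluster status or a reason
    and a short excerpt of the offending reply."""
    text = body.strip()
    if not text:
        # Typical while Elasticsearch is still starting or the port is closed.
        return {"ok": False, "reason": "empty reply"}
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # This is the case where jq would print "parse error: ...".
        return {
            "ok": False,
            "reason": f"non-JSON reply: {exc.msg} at line {exc.lineno}, column {exc.colno}",
            "excerpt": text[:60],
        }
    if not isinstance(data, dict) or "status" not in data:
        return {"ok": False, "reason": "JSON but not a cluster-health document",
                "excerpt": text[:60]}
    return {
        "ok": data["status"] in ("green", "yellow"),
        "status": data["status"],
        "nodes": data.get("number_of_nodes"),
    }


def fetch_health(url: str = "http://127.0.0.1:9200/_cluster/health",
                 timeout: float = 5.0) -> Dict[str, Any]:
    """Query the (assumed) local Elasticsearch API and summarise the reply.

    Connection failures are reported the same way as bad bodies, so the
    caller always gets a dict it can print or log."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return parse_health(resp.read().decode("utf-8", "replace"))
    except urllib.error.URLError as exc:
        return {"ok": False, "reason": f"connection failed: {exc.reason}"}


# Constructed sample replies (not captured from the poster's system).
SAMPLE_GREEN = '{"cluster_name":"elasticsearch","status":"green","number_of_nodes":1}'
SAMPLE_RED = '{"cluster_name":"elasticsearch","status":"red","number_of_nodes":1}'
SAMPLE_HTML = "<html><body><h1>502 Bad Gateway</h1></body></html>"
SAMPLE_EMPTY = ""

if __name__ == "__main__":
    for name, body in (("green", SAMPLE_GREEN), ("red", SAMPLE_RED),
                       ("html", SAMPLE_HTML), ("empty", SAMPLE_EMPTY)):
        print(name, parse_health(body))
    # Live check against the assumed local endpoint; harmless if it is down.
    print("live", fetch_health())
```

Run it on the storage node: if the "live" line says "empty reply" or shows an HTML excerpt, the status script's jq errors are explained by Elasticsearch not answering with JSON yet, and the Logstash WARN is worth re-checking once the health endpoint reports green or yellow.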
