Hi,
I am trying to understand how it is that my logstash instance is writing logs to /var/log/syslog.
I have debug open and it fills up my 40gb hard drive within hours.
I checked that the contents of /etc/rsyslog.d/50-default.conf and /etc/rsyslog.conf are the same as other servers, and I can't for the life of me understand how to prevent this.
Logs are in the format:
```
Feb 7 12:50:43 eq-svc06 logstash[12597]: [2019-02-07T12:50:43,088][DEBUG][org.logstash.beats.BeatsHandler] [local: 192.168.100.46:5044, remote: 192.168.100.198:51814] Sending a new message for the listener, sequence: 6
```
I have only one output open which is elasticsearch (same box). Just to confirm:
```
root@eq-svc06:~# grep -r "output" /etc/logstash/
/etc/logstash/logstash.yml:# Set the number of workers that will, in parallel, execute the filters+outputs
/etc/logstash/logstash.yml:# before dispatching an undersized batch to filters+outputs
/etc/logstash/logstash.yml:# received events have been pushed to the outputs.
/etc/logstash/logstash.yml.dpkg-dist:# Set the number of workers that will, in parallel, execute the filters+outputs
/etc/logstash/logstash.yml.dpkg-dist:# before dispatching an undersized batch to filters+outputs
/etc/logstash/logstash.yml.dpkg-dist:# received events have been pushed to the outputs.
/etc/logstash/logstash-sample.conf:output {
/etc/logstash/cert/custom_openssl.cnf:# output_password = secret
/etc/logstash/conf.d/output_beats.conf:output {
root@eq-svc06:~# grep -r "syslog" /etc/logstash/
/etc/logstash/conf.d/filter_system.conf: } else if [fileset][name] == "syslog" {
/etc/logstash/conf.d/filter_system.conf: id => "system_syslog"
/etc/logstash/conf.d/filter_system.conf: "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:[system][syslog][hostname]} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"]
/etc/logstash/conf.d/filter_system.conf: match => ["[system][syslog][timestamp]", "MMM d HH:mm:ss", "MMM dd HH:mm:ss"]
/etc/logstash/conf.d/filter_system.conf: "category" => "system_syslog"
```
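Before changing any rsyslog or Logstash configuration, it helps to measure exactly which program, log level and logger are producing the bulk of /var/log/syslog. The script below is an added example and is not part of the original post or of Logstash itself. It parses lines in the syslog shape shown above (the same fields the grok pattern in filter_system.conf extracts: timestamp, host, program, optional pid, message), then parses the `[timestamp][LEVEL][logger]` prefix that Logstash's own log lines carry, and aggregates line and byte counts so the top offender is visible at a glance. The first sample line is the one quoted in the post; the other sample lines are constructed for the example and the `SAMPLE_LINES`, `parse_syslog_line`, `summarize` and `top_offender` names are the example's own.

```python
import re
import sys
from collections import Counter

# Shape of a /var/log/syslog line as shown in the post (BSD syslog format):
# "Feb  7 12:50:43 eq-svc06 logstash[12597]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# Prefix Logstash puts on its own log lines: "[ISO timestamp][LEVEL][logger] rest".
# The level field is space-padded (e.g. "[INFO ]"), hence the \s* before the bracket.
LOGSTASH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]]+)\]\s*(?P<rest>.*)$"
)

# Constructed sample input. Line 0 is the line quoted in the post; the rest are
# made up for this example (including one deliberately unparseable line).
SAMPLE_LINES = [
    "Feb  7 12:50:43 eq-svc06 logstash[12597]: [2019-02-07T12:50:43,088][DEBUG]"
    "[org.logstash.beats.BeatsHandler] [local: 192.168.100.46:5044, remote: "
    "192.168.100.198:51814] Sending a new message for the listener, sequence: 6",
    "Feb  7 12:50:43 eq-svc06 logstash[12597]: [2019-02-07T12:50:43,090][DEBUG]"
    "[org.logstash.beats.BeatsHandler] [local: 192.168.100.46:5044, remote: "
    "192.168.100.198:51814] Sending a new message for the listener, sequence: 7",
    "Feb  7 12:50:44 eq-svc06 logstash[12597]: [2019-02-07T12:50:44,001][INFO ]"
    "[logstash.agent] Pipelines running (constructed sample)",
    "Feb  7 12:50:45 eq-svc06 sshd[2210]: Accepted publickey for admin from "
    "192.168.100.10 port 50000 ssh2",
    "Feb  7 12:50:47 eq-svc06 kernel: [12345.678901] usb 1-1: USB disconnect, device number 4",
    "this is not a syslog line",
]


def parse_syslog_line(line):
    """Split one syslog line into its fields; returns None when it does not match.

    For lines from the 'logstash' program the embedded level and logger are
    extracted as well; for other programs those fields are None.
    """
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = None
    rec["logger"] = None
    if rec["program"] == "logstash":
        lm = LOGSTASH_RE.match(rec["message"])
        if lm:
            rec["level"] = lm.group("level")
            rec["logger"] = lm.group("logger")
    return rec


def summarize(lines):
    """Aggregate line and byte counts per program, and per level/logger for Logstash."""
    lines_by_program = Counter()
    bytes_by_program = Counter()
    by_level = Counter()      # (program, level) -> line count
    by_logger = Counter()     # (program, level, logger) -> line count
    unparsed = 0
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            unparsed += 1
            continue
        prog = rec["program"]
        lines_by_program[prog] += 1
        bytes_by_program[prog] += len(line.rstrip("\n").encode("utf-8")) + 1  # +1 for newline
        if rec["level"]:
            by_level[(prog, rec["level"])] += 1
            by_logger[(prog, rec["level"], rec["logger"])] += 1
    return {
        "lines_by_program": lines_by_program,
        "bytes_by_program": bytes_by_program,
        "by_level": by_level,
        "by_logger": by_logger,
        "unparsed": unparsed,
    }


def top_offender(summary):
    """The (program, level, logger) triple that produced the most lines, or None."""
    if not summary["by_logger"]:
        return None
    return summary["by_logger"].most_common(1)[0][0]


if __name__ == "__main__":
    # Read the real file from stdin when piped; fall back to the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    s = summarize(source)
    print("bytes by program:", s["bytes_by_program"].most_common())
    print("lines by (program, level):", s["by_level"].most_common())
    print("top offender:", top_offender(s))
    print("unparsed lines:", s["unparsed"])
```

Run it against the real file with `python3 syslog_triage.py < /var/log/syslog` (script name assumed). The byte totals per program show whether Logstash is really what is consuming the disk, and the `(program, level, logger)` breakdown shows whether the volume is DEBUG output from one logger, which is the case the post describes.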