Losgtash running but there is no output

marouane · December 20, 2017, 9:40am

Hello ,
i have an issue concerning logstash
this is the log that i have,

  Settings: Default pipeline workers: 4
  Pipeline main started

my logstash log file

input {
http {
type => "test_http"
host => "0.0.0.0" # default: 0.0.0.0
port => 9200 # default: 8080
}

file {
type => "apache_access"
path => ["/var/log/remote/apache2//access.log"]
stat_interval => 2
start_position => "beginning"
}
file {
type => "visu_access"
path => ["/var/log/remote/visu-stat//stat.log"]
stat_interval => 2
start_position => "beginning"
}
file {
type => "visu_stat"
path => ["/var/log/remote/visu-stat/**/player.log"]
stat_interval => 2
start_position => "beginning"
}
}
filter {
if [type] == "test_http" {
grok {
match => { "message" => "%{GREEDYDATA:all}" }
}
}
else if [type] == "apache_access" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:day} %{GREEDYDATA:server_name} %
{GREEDYDATA:apache} %{IPORHOST:vhost}:%{NUMBER:vhost_port} %{COMBINEDAPACHELOG}" }
}
mutate {
remove_field =>["day","apache"]
}
}
 else if [type] == "visu_access" {
grok {
match => {"message" =>"%{GREEDYDATA:timestamp} %{IP:ip} %{GREEDYDATA:apache}]: %
{GREEDYDATA:data}" }
}
ruby {
code => "
fields = event['data'].split(';;')
event['coutry_code'] = fields[fields.size-2]
event['video_type'] = fields[fields.size-1]
event['mail'] = fields[0]
event['client'] = fields[1]
event['user_ip'] = fields[2]
event['user_id'] = fields[3]
event['user_agent'] = fields[4]
event['video'] = fields[5]
event['tmp'] = fields[6]
event['is_newuser'] = fields[7]
event['referer'] = fields[8]
event['smil'] = fields[9]
event['smil_path'] = fields[10]
"
}
}
if [type] == "visu_stat" {
grok {
match => [ "message", "%{DATE:date} %{TIME:time} %{DATA:timezone} %{GREEDYDATA:inputFields}"]
}
mutate {
split => ["inputFields", " "]
add_field => {"x_event" => "%{inputFields[0]}"}
add_field => {"x_category" => "%{inputFields[1]}"}
add_field => {"x_severity" => "%{inputFields[2]}"}
add_field => {"x_status" => "%{inputFields[3]}"}
add_field => {"x_ctx" => "%{inputFields[4]}"}
add_field => {"x_comment" => "%{inputFields[5]}"}
add_field => {"x_vhost" => "%{inputFields[6]}"}
add_field => {"x_app" => "%{inputFields[7]}"}
add_field => {"x_appinst" => "%{inputFields[8]}"}
add_field => {"duration" => "%{inputFields[9]}"}
add_field => {"s_ip" => "%{inputFields[10]}"}
add_field => {"s_port" => "%{inputFields[11]}"}
add_field => {"s_uri" => "%{inputFields[12]}"}
add_field => {"c_ip" => "%{inputFields[13]}"}
add_field => {"c_proto" => "%{inputFields[14]}"}
add_field => {"c_referrer" => "%{inputFields[15]}"}
add_field => {"agent" => "%{inputFields[16]}"}
add_field => {"c_client_id" => "%{inputFields[17]}"}
add_field => {"cs_bytes" => "%{inputFields[18]}"}
add_field => {"vsc_bytes" => "%{inputFields[19]}"}
add_field => {"x_stream_id" => "%{inputFields[20]}"}
add_field => {"x_spos" => "%{inputFields[21]}"}
add_field => {"cs_stream_bytes" => "%{inputFields[22]}"}
add_field => {"sc_stream_bytes" => "%{inputFields[23]}"}
add_field => {"x_sname" => "%{inputFields[24]}"}
add_field => {"x_sname_query" => "%{inputFields[25]}"}
add_field => {"x_file_name" => "%{inputFields[26]}"}
add_field => {"x_file_ext" => "%{inputFields[27]}"}
add_field => {"x_file_size" => "%{inputFields[28]}"}
add_field => {"x_file_length" => "%{inputFields[29]}"}
add_field => {"x_suri" => "%{inputFields[30]}"}
add_field => {"x_suri_stem" => "%{inputFields[31]}"}
add_field => {"x_suri_query" => "%{inputFields[32]}"}
add_field => {"cs_uri_stem" => "%{inputFields[33]}"}
add_field => {"cs_uri_query" => "%{inputFields[34]}"}
 remove_field => ["inputFields","date","time","timezone","logtime"]
}
grok {
match => { "c_referrer" => "%{URIPROTO}://%{URIHOST:url}" }
}
 if ![url] {
mutate {
replace => { "url" => "%{c_referrer}" }
}
}
 mutate {
split => ["cannaux", ","]
}
mutate {
split => ["themes", ","]
}
grok {
match => { "duration" => "%{NUMBER:x_duration:int}" }
}
date {
match => [ "fulltime","YY-MM-dd HH:mm:ss"]
 target => "playtime"
 }
useragent {
source => "agent"
target => "c_user_agent"
remove_field => ["agent"]
}
mutate {
remove_field => ["duration","logdate","fulltime"]
}
if [s_ip] and [s_ip] !~ "(^127.0.0.1)|(^10.)|(^172.1[6-9].)|(^172.2[0-9].)|(^172.3[0-1].)|(^192.168.)|
(^169.254.)" {
geoip {
source => "s_ip"
target => "s_geoip"
database => "/config-dir/GeoLite2-City.mmdb"
 add_field => [ "[s_geoip][coordinates]", "%{[s_geoip][longitude]}" ]
add_field => [ "[s_geoip][coordinates]", "%{[s_geoip][latitude]}" ]
 }
mutate {
convert => [ "[s_geoip][coordinates]", "float"]
}
}
if [c_ip] and [c_ip] !~ "(^127.0.0.1)|(^10.)|(^172.1[6-9].)|(^172.2[0-9].)|(^172.3[0-1].)|(^192.168.)|
(^169.254.)" {
geoip {
source => "c_ip"
target => "c_geoip"
database => "/config-dir/GeoLite2-City.mmdb"
add_field => [ "[c_geoip][coordinates]", "%{[c_geoip][longitude]}" ]
add_field => [ "[c_geoip][coordinates]", "%{[c_geoip][latitude]}" ]
}
mutate {
convert => [ "[c_geoip][coordinates]", "float"]
}
}
grok {
match => { "c_ip" => "%{IP:c_zone_ip}" }
}
}
}
output {
if [type] == "apache_access" {
elasticsearch {
hosts => ["elasticsearch:9200"]
}
}
else if [type] == "visu_access" {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "visu-access-"
}
}
else if [type] == "visu_stat" {
elasticsearch {
codec => json {}
hosts => ["elasticsearch:9200"]
index => "visu-player"
}
}
 else if [type] == "test_http" {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "test-http-"
}
}
}

magnusbaeck · December 20, 2017, 11:26am

Use only a stdout { codec => rubydebug } output until you've verified that your inputs work correctly. Have you tried posting anything to port 9200 to see if the http input works? Regarding the file inputs do read up on sincedb in the file input documentation and search the archives of this site for more information.

marouane · December 20, 2017, 12:54pm

Thank you for your reponse,
I do not understand you very much , but i will use only

 stdout { codec => rubydebug }

because i have the conf file all ready prepared , i just use it

marouane · December 20, 2017, 1:13pm

I changed this part :

output {
 if [type] == "apache_access" {
 elasticsearch {
    hosts => ["elasticsearch:9200"]
  }
}
else if [type] == "visu_access" { 
 elasticsearch {
    hosts => ["elasticsearch:9200"]
    index => "visu-access-"
  }
}
else if [type] == "visu_stat" {
 elasticsearch {
    codec => json {}
    hosts => ["elasticsearch:9200"]
    index => "visu-player"
 }

}
else if [type] == "test_http" {
 elasticsearch {
    hosts => ["elasticsearch:9200"]
    index => "test-http-"
  }
}

}

to be like this :

output {
 stdout { codec => rubydebug }
}

It the same result

system · January 17, 2018, 1:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash not showing out put again Logstash	13	6063	July 6, 2017
Nothing outputting at all Logstash	2	389	June 19, 2017
Logstash not showing any output Logstash	5	3597	March 23, 2018
Need help on syslog logstash input plugin Logstash	18	1162	November 21, 2022
Logstash dont send to output Logstash	16	1430	June 18, 2020

Losgtash running but there is no output

Related Topics