Before you start Logstash in production, test your configuration file. If you run Logstash from the command line, you can specify parameters that will verify your configuration for you. This will run through your configuration, verify the configuration syntax, and then exit.
The logstash configuration file looks correct at this stage, and I get no error when running it manually.
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.headius.backport9.modules.Modules (file:/usr/share/logstash/logstash-core/lib/jars/jruby-complete-9.2.9.0.jar) to method sun.nio.ch.NativeThread.signal(long)
WARNING: Please consider reporting this to the maintainers of com.headius.backport9.modules.Modules
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2020-03-17T09:15:11,373][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2020-03-17T09:15:11,620][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.6.1"}
[2020-03-17T09:15:14,861][INFO ][org.reflections.Reflections] Reflections took 67 ms to scan 1 urls, producing 20 keys and 40 values
[2020-03-17T09:15:16,777][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://localhost:9200/]}}
[2020-03-17T09:15:17,123][WARN ][logstash.outputs.elasticsearch][main] Restored connection to ES instance {:url=>"http://localhost:9200/"}
[2020-03-17T09:15:17,257][INFO ][logstash.outputs.elasticsearch][main] ES Output version determined {:es_version=>7}
[2020-03-17T09:15:17,263][WARN ][logstash.outputs.elasticsearch][main] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>7}
[2020-03-17T09:15:17,381][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[2020-03-17T09:15:17,465][INFO ][logstash.filters.geoip ][main] Using geoip database {:path=>"/opt/logstash/vendor/geoip/GeoLite2-City.mmdb"}
[2020-03-17T09:15:17,468][INFO ][logstash.outputs.elasticsearch][main] Using default mapping template
[2020-03-17T09:15:17,650][INFO ][logstash.outputs.elasticsearch][main] Attempting to install template {:manage_template=>{"index_patterns"=>"logstash-*", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s", "number_of_shards"=>1, "index.lifecycle.name"=>"logstash-policy", "index.lifecycle.rollover_alias"=>"logstash"}, "mappings"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}
[2020-03-17T09:15:17,749][WARN ][org.logstash.instrument.metrics.gauge.LazyDelegatingGauge][main] A gauge metric of an unknown type (org.jruby.specialized.RubyArrayOneObject) has been create for key: cluster_uuids. This may result in invalid serialization. It is recommended to log an issue to the responsible developer/development team.
[2020-03-17T09:15:17,755][INFO ][logstash.javapipeline ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/logstash-cowrie.conf"], :thread=>"#<Thread:0x116ac182 run>"}
[2020-03-17T09:15:19,601][INFO ][logstash.inputs.beats ][main] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[2020-03-17T09:15:19,616][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
[2020-03-17T09:15:19,746][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2020-03-17T09:15:19,895][INFO ][org.logstash.beats.Server][main] Starting server on port: 5044
[2020-03-17T09:15:20,287][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
I even see my events being processed. But I don't get anything on Kibana.
Mar 17 09:20:08 instance-39 logstash[10685]: "log" => {
Mar 17 09:20:08 instance-39 logstash[10685]: "file" => {
Mar 17 09:20:08 instance-39 logstash[10685]: "path" => "/home/user/cowrie/var/log/cowrie/cowrie.json"
Mar 17 09:20:08 instance-39 logstash[10685]: },
Mar 17 09:20:08 instance-39 logstash[10685]: "offset" => 3407571
Mar 17 09:20:08 instance-39 logstash[10685]: },
Mar 17 09:20:08 instance-39 logstash[10685]: "session" => "21831af1e664",
Mar 17 09:20:08 instance-39 logstash[10685]: "hassh" => "d7f0b97eb79d6533c492545cc6a207e1",
Mar 17 09:20:08 instance-39 logstash[10685]: "encCS" => [
Mar 17 09:20:08 instance-39 logstash[10685]: [0] "aes256-ctr",
Mar 17 09:20:08 instance-39 logstash[10685]: [1] "aes192-ctr",
Mar 17 09:20:08 instance-39 logstash[10685]: [2] "aes128-ctr",
Mar 17 09:20:08 instance-39 logstash[10685]: [3] "aes256-cbc",
Mar 17 09:20:08 instance-39 logstash[10685]: [4] "aes192-cbc",
Mar 17 09:20:08 instance-39 logstash[10685]: [5] "aes128-cbc",
Mar 17 09:20:08 instance-39 logstash[10685]: [6] "blowfish-cbc",
Mar 17 09:20:08 instance-39 logstash[10685]: [7] "3des-cbc"
Mar 17 09:20:08 instance-39 logstash[10685]: ],
Mar 17 09:20:08 instance-39 logstash[10685]: "keyAlgs" => [
Mar 17 09:20:08 instance-39 logstash[10685]: [0] "ssh-ed25519",
Mar 17 09:20:08 instance-39 logstash[10685]: [1] "ecdsa-sha2-nistp256",
Mar 17 09:20:08 instance-39 logstash[10685]: [2] "ecdsa-sha2-nistp384",
Mar 17 09:20:08 instance-39 logstash[10685]: [3] "ecdsa-sha2-nistp521",
Mar 17 09:20:08 instance-39 logstash[10685]: [4] "ssh-rsa",
Mar 17 09:20:08 instance-39 logstash[10685]: [5] "ssh-dss"
Mar 17 09:20:08 instance-39 logstash[10685]: ],
Mar 17 09:20:08 instance-39 logstash[10685]: "langCS" => [
Mar 17 09:20:08 instance-39 logstash[10685]: [0] ""
Mar 17 09:20:08 instance-39 logstash[10685]: ],
Mar 17 09:20:08 instance-39 logstash[10685]: "type" => "cowrie",
Mar 17 09:20:08 instance-39 logstash[10685]: "src_ip" => "XXXXX",
Mar 17 09:20:08 instance-39 logstash[10685]: "macCS" => [
Mar 17 09:20:08 instance-39 logstash[10685]: [0] "hmac-sha2-256",
Mar 17 09:20:08 instance-39 logstash[10685]: [1] "hmac-sha2-512",
Mar 17 09:20:08 instance-39 logstash[10685]: [2] "hmac-sha1"
Mar 17 09:20:08 instance-39 logstash[10685]: ],
Mar 17 09:20:08 instance-39 logstash[10685]: "ecs" => {
Mar 17 09:20:08 instance-39 logstash[10685]: "version" => "1.4.0"
Mar 17 09:20:08 instance-39 logstash[10685]: },
Mar 17 09:20:08 instance-39 logstash[10685]: "@version" => "1",
Mar 17 09:20:08 instance-39 logstash[10685]: "host" => {
Mar 17 09:20:08 instance-39 logstash[10685]: "name" => "instance-39"
Mar 17 09:20:08 instance-39 logstash[10685]: },
Mar 17 09:20:08 instance-39 logstash[10685]: "kexAlgs" => [
Mar 17 09:20:08 instance-39 logstash[10685]: [0] "curve25519-sha256",
Mar 17 09:20:08 instance-39 logstash[10685]: [1] "curve25519-sha256@libssh.org",
Mar 17 09:20:08 instance-39 logstash[10685]: [2] "ecdh-sha2-nistp256",
Mar 17 09:20:08 instance-39 logstash[10685]: [3] "ecdh-sha2-nistp384",
Mar 17 09:20:08 instance-39 logstash[10685]: [4] "ecdh-sha2-nistp521",
Mar 17 09:20:08 instance-39 logstash[10685]: [5] "diffie-hellman-group14-sha1",
Mar 17 09:20:08 instance-39 logstash[10685]: [6] "diffie-hellman-group1-sha1"
Mar 17 09:20:08 instance-39 logstash[10685]: ],
Mar 17 09:20:08 instance-39 logstash[10685]: "timestamp" => "2020-03-17T08:55:57.561664Z",
Mar 17 09:20:08 instance-39 logstash[10685]: "geoip" => {
Mar 17 09:20:08 instance-39 logstash[10685]: "city_name" => "Shanghai",
Mar 17 09:20:08 instance-39 logstash[10685]: "timezone" => "Asia/Shanghai",
Mar 17 09:20:08 instance-39 logstash[10685]: "latitude" => 31.0449,
Mar 17 09:20:08 instance-39 logstash[10685]: "ip" => "XXXXXXXXXXX",
Mar 17 09:20:08 instance-39 logstash[10685]: "country_name" => "China",
Mar 17 09:20:08 instance-39 logstash[10685]: "country_code2" => "CN",
Mar 17 09:20:08 instance-39 logstash[10685]: "continent_code" => "AS",
Mar 17 09:20:08 instance-39 logstash[10685]: "country_code3" => "CN",
Mar 17 09:20:08 instance-39 logstash[10685]: "region_name" => "Shanghai",
Mar 17 09:20:08 instance-39 logstash[10685]: "location" => {
Mar 17 09:20:08 instance-39 logstash[10685]: "lon" => 121.4012,
Mar 17 09:20:08 instance-39 logstash[10685]: "lat" => 31.0449
Mar 17 09:20:08 instance-39 logstash[10685]: },
Mar 17 09:20:08 instance-39 logstash[10685]: "region_code" => "SH",
Mar 17 09:20:08 instance-39 logstash[10685]: "longitude" => 121.4012
Mar 17 09:20:08 instance-39 logstash[10685]: },
Mar 17 09:20:08 instance-39 logstash[10685]: "@metadata" => {
Mar 17 09:20:08 instance-39 logstash[10685]: "ip_address" => "0:0:0:0:0:0:0:1",
Mar 17 09:20:08 instance-39 logstash[10685]: "beat" => "filebeat",
Mar 17 09:20:08 instance-39 logstash[10685]: "type" => "_doc",
Mar 17 09:20:08 instance-39 logstash[10685]: "version" => "7.6.1"
Mar 17 09:20:08 instance-39 logstash[10685]: },
Mar 17 09:20:38 instance-39 systemd-journald[234]: Suppressed 17354 messages from logstash.service
Mar 17 09:20:38 instance-39 logstash[10685]: [2020-03-17T09:20:38,266][INFO ][logstash.outputs.file ][main] Closing file /tmp/cowrie-logstash.json
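The event shown above is Logstash's rubydebug output with a systemd-journald prefix on every line. As an added example that is not part of the original post, this Python turns that shape back into a dict and lists which legacy SSH algorithms the honeypot client offered; the sample event and its IP are constructed, and the legacy-algorithm set is an assumption of this example.

```python
import json
import re

# journald prefix systemd puts in front of every line Logstash prints, as in the post
JOURNAL_PREFIX = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ logstash\[\d+\]: ')
ARRAY_INDEX = re.compile(r'^(\s*)\[\d+\] ')   # rubydebug prints "[0] value" inside arrays

# Constructed sample with the same shape as the post's event (values trimmed, IP is a placeholder)
SAMPLE = """\
Mar 17 09:20:08 instance-39 logstash[10685]: {
Mar 17 09:20:08 instance-39 logstash[10685]:     "session" => "21831af1e664",
Mar 17 09:20:08 instance-39 logstash[10685]:      "src_ip" => "192.0.2.10",
Mar 17 09:20:08 instance-39 logstash[10685]:        "type" => "cowrie",
Mar 17 09:20:08 instance-39 logstash[10685]:       "encCS" => [
Mar 17 09:20:08 instance-39 logstash[10685]:         [0] "aes256-ctr",
Mar 17 09:20:08 instance-39 logstash[10685]:         [1] "blowfish-cbc",
Mar 17 09:20:08 instance-39 logstash[10685]:         [2] "3des-cbc"
Mar 17 09:20:08 instance-39 logstash[10685]:     ],
Mar 17 09:20:08 instance-39 logstash[10685]:     "kexAlgs" => [
Mar 17 09:20:08 instance-39 logstash[10685]:         [0] "curve25519-sha256",
Mar 17 09:20:08 instance-39 logstash[10685]:         [1] "diffie-hellman-group1-sha1"
Mar 17 09:20:08 instance-39 logstash[10685]:     ],
Mar 17 09:20:08 instance-39 logstash[10685]:       "geoip" => {
Mar 17 09:20:08 instance-39 logstash[10685]:     "country_code2" => "CN"
Mar 17 09:20:08 instance-39 logstash[10685]:     }
Mar 17 09:20:08 instance-39 logstash[10685]: }
"""

# Assumed set: algorithm names current SSH clients no longer offer; seeing them is a triage signal
LEGACY_ALGS = {"diffie-hellman-group1-sha1", "ssh-dss", "3des-cbc", "blowfish-cbc", "arcfour"}


def rubydebug_to_event(journal_text):
    """Strip the journald prefix and convert Logstash rubydebug output into a dict."""
    out = []
    for line in journal_text.splitlines():
        line = JOURNAL_PREFIX.sub("", line)
        line = ARRAY_INDEX.sub(r"\1", line)                  # drop "[N] " array markers
        line = line.replace(" => ", ": ")                    # Ruby hash arrow -> JSON colon
        line = re.sub(r": nil(,?)$", r": null\1", line)      # Ruby nil -> JSON null
        out.append(line)
    return json.loads("\n".join(out))


def legacy_offers(event):
    """Return the legacy algorithms the client offered, keyed by negotiation list."""
    found = {}
    for field in ("kexAlgs", "encCS", "macCS", "keyAlgs"):
        hits = [alg for alg in event.get(field, []) if alg in LEGACY_ALGS]
        if hits:
            found[field] = hits
    return found
```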