# /usr/share/logstash/bin/logstash -e
output {
stdout {}
}
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs to console
ERROR: No configuration file was specified. Perhaps you forgot to provide the '-f yourlogstash.conf' flag?
usage:
bin/logstash -f CONFIG_PATH [-t] [-r] [] [-w COUNT] [-l LOG]
bin/logstash -e CONFIG_STR [-t] [--log.level fatal|error|warn|info|debug|trace] [-w COUNT] [-l LOG]
bin/logstash -i SHELL [--log.level fatal|error|warn|info|debug|trace]
bin/logstash -V [--log.level fatal|error|warn|info|debug|trace]
bin/logstash --help
and yet
# ls -la /etc/logstash
total 32
drwxrwxr-x 3 root root 4096 Mar 10 23:45 ./
drwxr-xr-x 107 root root 4096 Mar 11 00:27 ../
drwxrwxr-x 2 root root 4096 Mar 10 23:55 conf.d/
-rw-rw-r-- 1 root root 1738 Feb 24 17:41 jvm.options
-rw-rw-r-- 1 root root 1334 Feb 24 17:41 log4j2.properties
-rw-rw-r-- 1 root root 4487 Mar 10 23:45 logstash.yml
-rw-rw-r-- 1 root root 1659 Feb 24 17:41 startup.options
If you installed via APT/DEB package, then you probably need to add --path.settings /etc/logstash
This is because the -e flag does some funny stuff under the hood. Beware of 3rd party configuration examples. Otherwise, try putting your test configuration in an actual configuration file and use the -f flag.
[2017-03-12T05:03:27,411][ERROR][logstash.filters.geoip ] IP Field contained invalid IP address or hostname {:exception=>java.net.UnknownHostException: -, :field=>"id.resp_h", :event=>2017-03-12T05:03:19.225Z bro0.dfw.rg.net 1489294999.225140 - - - - - unknown_protocol_112 - Fworker-0}
Do I also need to tell it where the filters are in /etc/logstash/conf.d/?
Indeed, I used apt. So is it safe to presume that the logstash started by systemdeath does not need this parameterization if I used all the default locations?
I can't see the GeoIP filter in your configuration. But it is clear that bro0.dfw.rg.net does not resolve to an IP that the GeoIP plugin recognizes. That seems to be what the message says.