New to ELK Stack, Logstash Will Not Start - Please Help

Hello elastic community,

I'm very new to the ELK stack and am working on getting a production environment up and running. So far I have a four node Elasticsearch cluster running with Kibana. Everything there is working but I cannot get Logstash to start. I have been searching through documentation at elastic.co and here in the forums.

If I messed up anything in this post with posting code, please let me know.

This is all in a virtual servers environment on several Windows Server 2019 VMs.
I'm running Java JDK 14.

Here is where I am at with logstash:
I cannot get Logstash to start with nssm.exe/ Windows Services NO MATTER WHAT.
I cannot get Logstash to start with argument -f path/to/logstash.yml from CLI
I can get Logstash to start with argument -f path/to/logstash.conf from CLI
I can get Logstash to start with no argument from CLI

From the command line I get the following errors at the end when using the -f path/to/logstash.yml argument:

[FATAL] 2020-12-09 11:16:22.596 [LogStash::Runner] runner - The given configuration is invalid. Reason: Expected one of [ \t\r\n], "#", "input", "filter", "output" at line 1, column 1 (byte 1)
[ERROR] 2020-12-09 11:16:22.779 [LogStash::Runner] Logstash - java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit

I'm sure my issue is with my logstash.yml but I'm not sure what the problem is. All help is greatly appreciated.

Here is all the info about the code and errors:

NSSM
Version: 2.24-101-g897c7ad 64bit, 2017-04-26

NSSM service editor
Application Tab

  • Path: C:\ProgramData\ELKStask\logstash-7.9.2\bin\logstash.bat
  • Startup directory: C:\ProgramData\ELKStask\logstash-7.9.2\bin\
  • Arguments: -f C:\ProgramData\ELKstack\logstash-7.9.2\config\logstash.yml

Error message when trying to start the Logstash services in Windows Services:

Services
Windows could not start the Logstash 7.9.2 Windows service
(logstash-services-x64) service on Local Computer.
The service did not return an error. This could be an Internal
Windows error or an internal service error.
If the problem persists, contact your system administrator.

After I click "OK" on the error the service status goes to the "Paused" state and Logstash is not started.

Here are my configs:

Logstash.yml
Note: config.debug and log.level debug are on for testing right now. Those will be removed once everything is working.

path.config: C:\ProgramData\ELKStack\logstash-7.9.2\config\logstash.conf
node.name: NODE.NAME
path.data: G:\data
config.debug: true
log.level: debug
path.logs: G:\logs
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: "elastic"
xpack.monitoring.elasticsearch.password: "PASSWORD"
xpack.monitoring.elasticsearch.hosts: ['https://SERVER.NAME.COM:9200']
xpack.monitoring.elasticsearch.ssl.certificate_authority: C:\ProgramData\ElkStack\logstash-7.9.2\config\elastic-stack-ca.crt
xpack.monitoring.elasticsearch.ssl.verification_mode: none

Logstash.conf

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "C:\ProgramData\ELKStack\logstash-7.9.2\config\logstash.crt"
    ssl_key => "C:\ProgramData\Elkstack\logstash-7.9.2\config\logstash.pkcs8.key"
  }
}

output {
  elasticsearch {
    hosts => "https://SERVER.NAME.COM:9200"
    ssl => true
    cacert => "C:\ProgramData\ELKStack\logstash-7.9.2\config\elastic-stack-ca.crt"
    ssl_certificate_verification => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}"
    user => "elastic"
    password => "PASSWORD"
  }
}

Command Line Error in next commit.

1 Like

Here is my CLI output:

C:\ProgramData\ELKStack\logstash-7.9.2\bin>logstash.bat -f C:\ProgramData\ElkStack\logstash-7.9.2\config\logstash.yml -t
Java HotSpot(TM) 64-Bit Server VM warning: Ignoring option UseConcMarkSweepGC; support was removed in 14.0
Java HotSpot(TM) 64-Bit Server VM warning: Ignoring option CMSInitiatingOccupancyFraction; support was removed in 14.0
Java HotSpot(TM) 64-Bit Server VM warning: Ignoring option UseCMSInitiatingOccupancyOnly; support was removed in 14.0
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.jruby.ext.openssl.SecurityHelper (file:/C:/Users/NAME/AppData/Local/Temp/jruby-2504/jruby633587182251554435jopenssl.jar) to field java.security.MessageDigest.provider
WARNING: Please consider reporting this to the maintainers of org.jruby.ext.openssl.SecurityHelper
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Could not find log4j2 configuration at path /C:/ProgramData/ELKStack/logstash-7.9.2/config/logstash.conf/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2020-12-09 11:16:21.321 [main] runner - Starting Logstash {"logstash.version"=>"7.9.2", "jruby.version"=>"jruby 9.2.13.0 (2.5.7) 2020-08-03 9a89c94bcc Java HotSpot(TM) 64-Bit Server VM 14.0.2+12-46 on 14.0.2+12-46 +indy +jit [mswin32-x86_64]"}
[DEBUG] 2020-12-09 11:16:21.343 [main] scaffold - Found module {:module_name=>"fb_apache", :directory=>"C:/ProgramData/ELKStack/logstash-7.9.2/modules/fb_apache/configuration"}
[DEBUG] 2020-12-09 11:16:21.346 [main] registry - Adding plugin to the registry {:name=>"fb_apache", :type=>:modules, :class=>#<LogStash::Modules::Scaffold:0x155f3dd5 @directory="C:/ProgramData/ELKStack/logstash-7.9.2/modules/fb_apache/configuration", @module_name="fb_apache", @kibana_version_parts=["6", "0", "0"]>}
[DEBUG] 2020-12-09 11:16:21.348 [main] scaffold - Found module {:module_name=>"netflow", :directory=>"C:/ProgramData/ELKStack/logstash-7.9.2/modules/netflow/configuration"}
[DEBUG] 2020-12-09 11:16:21.348 [main] registry - Adding plugin to the registry {:name=>"netflow", :type=>:modules, :class=>#<LogStash::Modules::Scaffold:0x4f0ee1eb @directory="C:/ProgramData/ELKStack/logstash-7.9.2/modules/netflow/configuration", @module_name="netflow", @kibana_version_parts=["6", "0", "0"]>}
[DEBUG] 2020-12-09 11:16:21.471 [LogStash::Runner] runner - -------- Logstash Settings (* means modified) ---------
[DEBUG] 2020-12-09 11:16:21.475 [LogStash::Runner] runner - *node.name: "NODE.NAME" (default: "NODE.NAME")
[DEBUG] 2020-12-09 11:16:21.476 [LogStash::Runner] runner - *path.config: "C:\\ProgramData\\ElkStack\\logstash-7.9.2\\config\\logstash.yml"
[DEBUG] 2020-12-09 11:16:21.477 [LogStash::Runner] runner - *path.data: "G:\\data" (default: "C:/ProgramData/ELKStack/logstash-7.9.2/data")
[DEBUG] 2020-12-09 11:16:21.477 [LogStash::Runner] runner - modules.cli: []
[DEBUG] 2020-12-09 11:16:21.477 [LogStash::Runner] runner - modules: []
[DEBUG] 2020-12-09 11:16:21.478 [LogStash::Runner] runner - modules_list: []
[DEBUG] 2020-12-09 11:16:21.478 [LogStash::Runner] runner - modules_variable_list: []
[DEBUG] 2020-12-09 11:16:21.478 [LogStash::Runner] runner - modules_setup: false
[DEBUG] 2020-12-09 11:16:21.478 [LogStash::Runner] runner - *config.test_and_exit: true (default: false)
[DEBUG] 2020-12-09 11:16:21.479 [LogStash::Runner] runner - config.reload.automatic: false
[DEBUG] 2020-12-09 11:16:21.479 [LogStash::Runner] runner - config.reload.interval: #<LogStash::Util::TimeValue:0x4b28e19b @duration=3, @time_unit=:second>
[DEBUG] 2020-12-09 11:16:21.480 [LogStash::Runner] runner - config.support_escapes: false
[DEBUG] 2020-12-09 11:16:21.480 [LogStash::Runner] runner - config.field_reference.parser: "STRICT"
[DEBUG] 2020-12-09 11:16:21.480 [LogStash::Runner] runner - metric.collect: true
[DEBUG] 2020-12-09 11:16:21.480 [LogStash::Runner] runner - pipeline.id: "main"
[DEBUG] 2020-12-09 11:16:21.480 [LogStash::Runner] runner - pipeline.system: false
[DEBUG] 2020-12-09 11:16:21.481 [LogStash::Runner] runner - pipeline.workers: 2
[DEBUG] 2020-12-09 11:16:21.481 [LogStash::Runner] runner - pipeline.batch.size: 125
[DEBUG] 2020-12-09 11:16:21.482 [LogStash::Runner] runner - pipeline.batch.delay: 50
[DEBUG] 2020-12-09 11:16:21.482 [LogStash::Runner] runner - pipeline.unsafe_shutdown: false
[DEBUG] 2020-12-09 11:16:21.482 [LogStash::Runner] runner - pipeline.java_execution: true
[DEBUG] 2020-12-09 11:16:21.482 [LogStash::Runner] runner - pipeline.reloadable: true
[DEBUG] 2020-12-09 11:16:21.482 [LogStash::Runner] runner - pipeline.plugin_classloaders: false
[DEBUG] 2020-12-09 11:16:21.488 [LogStash::Runner] runner - pipeline.separate_logs: false
[DEBUG] 2020-12-09 11:16:21.492 [LogStash::Runner] runner - pipeline.ordered: "auto"
[DEBUG] 2020-12-09 11:16:21.493 [LogStash::Runner] runner - path.plugins: []
[DEBUG] 2020-12-09 11:16:21.494 [LogStash::Runner] runner - *config.debug: true (default: false)
[DEBUG] 2020-12-09 11:16:21.495 [LogStash::Runner] runner - *log.level: "debug" (default: "info")
[DEBUG] 2020-12-09 11:16:21.496 [LogStash::Runner] runner - version: false
[DEBUG] 2020-12-09 11:16:21.497 [LogStash::Runner] runner - help: false
[DEBUG] 2020-12-09 11:16:21.498 [LogStash::Runner] runner - log.format: "plain"
[DEBUG] 2020-12-09 11:16:21.499 [LogStash::Runner] runner - http.enabled: true
[DEBUG] 2020-12-09 11:16:21.504 [LogStash::Runner] runner - http.host: "127.0.0.1"
[DEBUG] 2020-12-09 11:16:21.505 [LogStash::Runner] runner - http.port: 9600..9700
[DEBUG] 2020-12-09 11:16:21.506 [LogStash::Runner] runner - http.environment: "production"
[DEBUG] 2020-12-09 11:16:21.507 [LogStash::Runner] runner - queue.type: "memory"
[DEBUG] 2020-12-09 11:16:21.508 [LogStash::Runner] runner - queue.drain: false
[DEBUG] 2020-12-09 11:16:21.520 [LogStash::Runner] runner - queue.page_capacity: 67108864
[DEBUG] 2020-12-09 11:16:21.523 [LogStash::Runner] runner - queue.max_bytes: 1073741824
[DEBUG] 2020-12-09 11:16:21.525 [LogStash::Runner] runner - queue.max_events: 0
[DEBUG] 2020-12-09 11:16:21.526 [LogStash::Runner] runner - queue.checkpoint.acks: 1024
[DEBUG] 2020-12-09 11:16:21.526 [LogStash::Runner] runner - queue.checkpoint.writes: 1024
[DEBUG] 2020-12-09 11:16:21.527 [LogStash::Runner] runner - queue.checkpoint.interval: 1000
[DEBUG] 2020-12-09 11:16:21.528 [LogStash::Runner] runner - queue.checkpoint.retry: false
[DEBUG] 2020-12-09 11:16:21.529 [LogStash::Runner] runner - dead_letter_queue.enable: false
[DEBUG] 2020-12-09 11:16:21.530 [LogStash::Runner] runner - dead_letter_queue.max_bytes: 1073741824
[DEBUG] 2020-12-09 11:16:21.537 [LogStash::Runner] runner - slowlog.threshold.warn: #<LogStash::Util::TimeValue:0x35534370 @duration=-1, @time_unit=:nanosecond>
[DEBUG] 2020-12-09 11:16:21.538 [LogStash::Runner] runner - slowlog.threshold.info: #<LogStash::Util::TimeValue:0x397b4878 @duration=-1, @time_unit=:nanosecond>

See next commit for second part of output.

That looks wrong. path.config should point to a configuration file that contains inputs, outputs, and filters, not a YAML file.

Hi @Badger, thank you for the reply. So, to clarify: I should not use the yml file in the -f argument, just the conf?

I understood to use the yml file per this note from the documentation when setting up the nssm to start logstash as a service.

Specifying command line options is useful when you are testing Logstash. However, in a production environment, we recommend that you use logstash.yml to control Logstash execution. Using the settings file makes it easier for you to specify multiple options, and it provides you with a single, versionable file that you can use to start up Logstash consistently for each run.

Running Logstash on Windows | Logstash Reference [7.9] | Elastic

Also, in my logstash.yml file path.config points to the logstash.conf.

Second part of the CLI output from earlier:

[DEBUG] 2020-12-09 11:16:21.539 [LogStash::Runner] runner - slowlog.threshold.debug: #<LogStash::Util::TimeValue:0x3fc6ae7b @duration=-1, @time_unit=:nanosecond>
[DEBUG] 2020-12-09 11:16:21.592 [LogStash::Runner] runner - slowlog.threshold.trace: #<LogStash::Util::TimeValue:0x96160a @duration=-1, @time_unit=:nanosecond>
[DEBUG] 2020-12-09 11:16:21.594 [LogStash::Runner] runner - keystore.classname: "org.logstash.secret.store.backend.JavaKeyStore"
[DEBUG] 2020-12-09 11:16:21.596 [LogStash::Runner] runner - keystore.file: "C:/ProgramData/ELKStack/logstash-7.9.2/config/logstash.keystore"
[DEBUG] 2020-12-09 11:16:21.601 [LogStash::Runner] runner - *path.queue: "G:\\data/queue" (default: "C:/ProgramData/ELKStack/logstash-7.9.2/data/queue")
[DEBUG] 2020-12-09 11:16:21.603 [LogStash::Runner] runner - *path.dead_letter_queue: "G:\\data/dead_letter_queue" (default: "C:/ProgramData/ELKStack/logstash-7.9.2/data/dead_letter_queue")
[DEBUG] 2020-12-09 11:16:21.604 [LogStash::Runner] runner - *path.settings: "C:\\ProgramData\\ELKStack\\logstash-7.9.2\\config\\logstash.conf" (default: "C:/ProgramData/ELKStack/logstash-7.9.2/config")
[DEBUG] 2020-12-09 11:16:21.606 [LogStash::Runner] runner - *path.logs: "G:\\logs" (default: "C:/ProgramData/ELKStack/logstash-7.9.2/logs")
[DEBUG] 2020-12-09 11:16:21.632 [LogStash::Runner] runner - xpack.management.enabled: false
[DEBUG] 2020-12-09 11:16:21.634 [LogStash::Runner] runner - xpack.management.logstash.poll_interval: #<LogStash::Util::TimeValue:0x2ff19dab @duration=5, @time_unit=:second>
[DEBUG] 2020-12-09 11:16:21.636 [LogStash::Runner] runner - xpack.management.pipeline.id: ["main"]
[DEBUG] 2020-12-09 11:16:21.637 [LogStash::Runner] runner - xpack.management.elasticsearch.username: "logstash_system"
[DEBUG] 2020-12-09 11:16:21.662 [LogStash::Runner] runner - xpack.management.elasticsearch.hosts: ["https://localhost:9200"]
[DEBUG] 2020-12-09 11:16:21.665 [LogStash::Runner] runner - xpack.management.elasticsearch.ssl.verification_mode: "certificate"
[DEBUG] 2020-12-09 11:16:21.667 [LogStash::Runner] runner - xpack.management.elasticsearch.sniffing: false
[DEBUG] 2020-12-09 11:16:21.668 [LogStash::Runner] runner - *xpack.monitoring.enabled: true (default: false)
[DEBUG] 2020-12-09 11:16:21.692 [LogStash::Runner] runner - *xpack.monitoring.elasticsearch.hosts: ["https://SERVER.NAME.COM:9200"] (default: ["http://localhost:9200"])
[DEBUG] 2020-12-09 11:16:21.694 [LogStash::Runner] runner - xpack.monitoring.collection.interval: #<LogStash::Util::TimeValue:0x48cea80f @duration=10, @time_unit=:second>
[DEBUG] 2020-12-09 11:16:21.696 [LogStash::Runner] runner - xpack.monitoring.collection.timeout_interval: #<LogStash::Util::TimeValue:0x2123af21 @duration=10, @time_unit=:minute>
[DEBUG] 2020-12-09 11:16:21.697 [LogStash::Runner] runner - *xpack.monitoring.elasticsearch.username: "elastic" (default: "logstash_system")
[DEBUG] 2020-12-09 11:16:21.698 [LogStash::Runner] runner - *xpack.monitoring.elasticsearch.password: "PASSWORD"
[DEBUG] 2020-12-09 11:16:21.699 [LogStash::Runner] runner - *xpack.monitoring.elasticsearch.ssl.certificate_authority: "C:\\ProgramData\\ElkStack\\logstash-7.9.2\\config\\elastic-stack-ca.crt"
[DEBUG] 2020-12-09 11:16:21.723 [LogStash::Runner] runner - *xpack.monitoring.elasticsearch.ssl.verification_mode: "none" (default: "certificate")
[DEBUG] 2020-12-09 11:16:21.726 [LogStash::Runner] runner - xpack.monitoring.elasticsearch.sniffing: false
[DEBUG] 2020-12-09 11:16:21.728 [LogStash::Runner] runner - xpack.monitoring.collection.pipeline.details.enabled: true
[DEBUG] 2020-12-09 11:16:21.729 [LogStash::Runner] runner - xpack.monitoring.collection.config.enabled: true
[DEBUG] 2020-12-09 11:16:21.730 [LogStash::Runner] runner - monitoring.enabled: false
[DEBUG] 2020-12-09 11:16:21.760 [LogStash::Runner] runner - monitoring.elasticsearch.hosts: ["http://localhost:9200"]
[DEBUG] 2020-12-09 11:16:21.761 [LogStash::Runner] runner - monitoring.collection.interval: #<LogStash::Util::TimeValue:0x7cfc07ef @duration=10, @time_unit=:second>
[DEBUG] 2020-12-09 11:16:21.762 [LogStash::Runner] runner - monitoring.collection.timeout_interval: #<LogStash::Util::TimeValue:0x414f46af @duration=10, @time_unit=:minute>
[DEBUG] 2020-12-09 11:16:21.764 [LogStash::Runner] runner - monitoring.elasticsearch.username: "logstash_system"
[DEBUG] 2020-12-09 11:16:21.767 [LogStash::Runner] runner - monitoring.elasticsearch.ssl.verification_mode: "certificate"
[DEBUG] 2020-12-09 11:16:21.774 [LogStash::Runner] runner - monitoring.elasticsearch.sniffing: false
[DEBUG] 2020-12-09 11:16:21.776 [LogStash::Runner] runner - monitoring.collection.pipeline.details.enabled: true
[DEBUG] 2020-12-09 11:16:21.777 [LogStash::Runner] runner - monitoring.collection.config.enabled: true
[DEBUG] 2020-12-09 11:16:21.779 [LogStash::Runner] runner - node.uuid: ""
[DEBUG] 2020-12-09 11:16:21.780 [LogStash::Runner] runner - --------------- Logstash Settings -------------------
[WARN ] 2020-12-09 11:16:21.852 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[DEBUG] 2020-12-09 11:16:21.906 [LogStash::Runner] configpathloader - Skipping the following files while reading config since they don't match the specified glob pattern {:files=>["C:/ProgramData/ElkStack/logstash-7.9.2/config/elastic-stack-ca.crt", "C:/ProgramData/ElkStack/logstash-7.9.2/config/elastic-stack-ca.key", "C:/ProgramData/ElkStack/logstash-7.9.2/config/elastic-stack-ca.p12", "C:/ProgramData/ElkStack/logstash-7.9.2/config/elasticsearch-ca.pem", "C:/ProgramData/ElkStack/logstash-7.9.2/config/jvm.options", "C:/ProgramData/ElkStack/logstash-7.9.2/config/log4j2.properties", "C:/ProgramData/ElkStack/logstash-7.9.2/config/logstash.conf", "C:/ProgramData/ElkStack/logstash-7.9.2/config/logstash.crt", "C:/ProgramData/ElkStack/logstash-7.9.2/config/logstash.key", "C:/ProgramData/ElkStack/logstash-7.9.2/config/logstash.pkcs8.key", "C:/ProgramData/ElkStack/logstash-7.9.2/config/pipelines.yml", "C:/ProgramData/ElkStack/logstash-7.9.2/config/startup.options"]}
[DEBUG] 2020-12-09 11:16:21.930 [LogStash::Runner] configpathloader - Reading config file {:config_file=>"C:/ProgramData/ElkStack/logstash-7.9.2/config/logstash.yml"}
[DEBUG] 2020-12-09 11:16:21.947 [LogStash::Runner] PipelineConfig - -------- Logstash Config ---------
[DEBUG] 2020-12-09 11:16:22.000 [LogStash::Runner] PipelineConfig - Config from source, source: LogStash::Config::Source::Local, pipeline_id:: main
[DEBUG] 2020-12-09 11:16:22.018 [LogStash::Runner] PipelineConfig - Config string, protocol: file, id: C:/ProgramData/ElkStack/logstash-7.9.2/config/logstash.yml
[DEBUG] 2020-12-09 11:16:22.021 [LogStash::Runner] PipelineConfig -

path.settings: C:\ProgramData\ELKStack\logstash-7.9.2\config\logstash.conf
path.config: C:\ProgramData\ELKStack\logstash-7.9.2\config\logstash.conf
node.name: NODE.NAME
path.data: G:\data
config.debug: true
log.level: debug
path.logs: G:\logs
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: "elastic"
xpack.monitoring.elasticsearch.password: "PASSWORD"
xpack.monitoring.elasticsearch.hosts: ['https://SERVER.NAME.COM:9200']
xpack.monitoring.elasticsearch.ssl.certificate_authority: C:\ProgramData\ElkStack\logstash-7.9.2\config\elastic-stack-ca.crt
xpack.monitoring.elasticsearch.ssl.verification_mode: none
[DEBUG] 2020-12-09 11:16:22.023 [LogStash::Runner] PipelineConfig - Merged config
[DEBUG] 2020-12-09 11:16:22.024 [LogStash::Runner] PipelineConfig -

path.settings: C:\ProgramData\ELKStack\logstash-7.9.2\config\logstash.conf
path.config: C:\ProgramData\ELKStack\logstash-7.9.2\config\logstash.conf
node.name: NODE.NAME
path.data: G:\data
config.debug: true
log.level: debug
path.logs: G:\logs
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: "elastic"
xpack.monitoring.elasticsearch.password: "PASSWORD"
xpack.monitoring.elasticsearch.hosts: ['https://SERVER.NAME.COM:9200']
xpack.monitoring.elasticsearch.ssl.certificate_authority: C:\ProgramData\ElkStack\logstash-7.9.2\config\elastic-stack-ca.crt
xpack.monitoring.elasticsearch.ssl.verification_mode: none
[FATAL] 2020-12-09 11:16:22.596 [LogStash::Runner] runner - The given configuration is invalid. Reason: Expected one of [ \t\r\n], "#", "input", "filter", "output" at line 1, column 1 (byte 1)
[ERROR] 2020-12-09 11:16:22.779 [LogStash::Runner] Logstash - java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit

C:\ProgramData\ELKStack\logstash-7.9.2\bin>

Remove the arguments. Do not set -f, since that sets path.config, which should not point at the yml file.

Here you can see that it is trying to read the yml as the logstash configuration, which gets an error, because the yml starts with "path.settings", which is not an input, filter, or output section.

[DEBUG] 2020-12-09 11:16:22.018 [LogStash::Runner] PipelineConfig - Config string, protocol: file, id: C:/ProgramData/ElkStack/logstash-7.9.2/config/logstash.yml
[DEBUG] 2020-12-09 11:16:22.021 [LogStash::Runner] PipelineConfig -

path.settings: C:\ProgramData\ELKStack\logstash-7.9.2\config\logstash.conf
path.config: C:\ProgramData\ELKStack\logstash-7.9.2\config\logstash.conf

Hi @Badger,

Thank you again for your help. I have tried running nssm without anything in the arguments line and it always fails to start. I can start logstash.bat from the command line with no arguments, as I initially noted.

So it seems that my configs are good then? I don't understand what the problem is. I have run Logstash many different ways and these are my outcomes...

Cannot get Logstash to start with nssm.exe/ Windows Services NO MATTER WHAT.

Cannot get Logstash to start with argument -f path/to/logstash.yml from CLI (No longer Relevant)

Can get Logstash to start with argument -f path/to/logstash.conf from CLI (No longer Relevant)

Can get Logstash to start with no argument from CLI

I will now rule out using -f /path/to/file.yml or .conf as I understand this is not needed due to the path.config setting I have set in the yml file.

I still cannot get logstash to start as a service with nssm although I can get it going from the command line with no arguments.

Also, I cannot get Logstash to start using Task Scheduler... Task Scheduler basically works like nssm anyway.

Logstash does not bundle a JDK until 7.10. In 7.9.2 it will look in %JAVA_HOME% or expect java.exe to be in the path. You may be ending up here.

Hi @Badger,

Are you saying that Logstash 7.9.2 does not work with Java JDK 14.0.2?

I have the java installed with default settings and the JAVA_HOME variable points to the default Java install location: C:\Program Files\Java\jdk-14.0.2

That's weird because I can run the Logstash from the CLI, and this Java version works there as well as for Elasticsearch and Kibana.

I picked the Java JDK14 based on this matrix where it looks like Logstash 7.9.x supports it.

Elastic Support Matrix | Elasticsearch

Is there a way of testing the Java compatibility with running Logstash via Windows Services with nssm.exe?

Like I've pointed out before, I can run Logstash from the command line but I cannot get it to run as a Windows service with nssm.exe. This is for a production instance, so having Logstash running on its own is a requirement.

No, I am saying that the system environment variables that are seen by a service may not include JAVA_HOME, and that PATH may not include java.exe for a service.

Try replacing Path: C:\ProgramData\ELKStask\logstash-7.9.2\bin\logstash.bat in the NSSM configuration with a batch script that sets JAVA_HOME and then calls C:\ProgramData\ELKStask\logstash-7.9.2\bin\logstash.bat

2 Likes
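
A wrapper along the lines suggested above, as an added example that is not part of the thread or of Elastic's documentation: it sets JAVA_HOME, puts that JDK first on PATH, and records the environment the service actually receives before calling logstash.bat. The diagnostic file name and location and the exit codes are assumptions; the JDK and Logstash paths are the ones quoted on this page.

```bat
@echo off
rem Added example, not from the thread: point NSSM's "Path" field at this file
rem instead of logstash.bat and leave "Arguments" empty.
setlocal

rem JDK location quoted in the thread.
set "JAVA_HOME=C:\Program Files\Java\jdk-14.0.2"
rem Install directory as shown in the CLI prompt on this page. The NSSM fields
rem on the page spell it ELKStask; use the directory that exists on the host.
set "LS_HOME=C:\ProgramData\ELKStack\logstash-7.9.2"
rem Diagnostic file written next to this wrapper (assumed name and location).
set "DIAG=%~dp0logstash-service-env.log"

rem Record the environment the service account received, before changing it.
> "%DIAG%" echo [%DATE% %TIME%] user=%USERNAME%
>>"%DIAG%" echo inherited PATH=%PATH%

rem Fail with a distinct exit code when a required file is missing.
if not exist "%JAVA_HOME%\bin\java.exe" goto :nojava
if not exist "%LS_HOME%\bin\logstash.bat" goto :nologstash

rem Put this JDK first so a stale or missing PATH entry cannot be picked up.
set "PATH=%JAVA_HOME%\bin;%PATH%"
>>"%DIAG%" echo JAVA_HOME=%JAVA_HOME%
where java >>"%DIAG%" 2>&1
rem java -version prints to stderr, so capture both streams.
"%JAVA_HOME%\bin\java.exe" -version >>"%DIAG%" 2>&1

rem No -f here: path.config in logstash.yml already names the pipeline file.
cd /d "%LS_HOME%\bin"
call "%LS_HOME%\bin\logstash.bat"
exit /b %ERRORLEVEL%

:nojava
>>"%DIAG%" echo ERROR: java.exe not found under %JAVA_HOME%
exit /b 2

:nologstash
>>"%DIAG%" echo ERROR: logstash.bat not found under %LS_HOME%
exit /b 3
```

Comparing the "inherited PATH" line written under the service with the output of `echo %PATH%` in an interactive prompt shows whether the service environment differs from the CLI one.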

@Badger,

Thank you for the suggestion... It led me to investigate what was going on with the JAVA_HOME as that was set. Long story short, there was an overlooked PATH problem in the environment variables. Once corrected everything worked as it was supposed to.

My ELK Stack is working and we will be migrating over.
