Hello everyone
I am new with Logstash and i trying to start Logstash 8.6.2 on a Windows Server 2019 Server to forward syslogs from a Firewall to Wazuh.
When I try to run as administrator in PS the command C:\logstash-8.6.2\bin\logstash.bat -f C:\logstash-8.6.2\config\logstash.conf I get the following error message:
[ERROR] [logstash.config.sourceloader] No configuration found in the configured sources.
Before this, a line appears indicating the following:
[INFO] [logstash.config.source.local.configpathloader] No config files found in path {:path=>"C:/logstash-8.6.2/config/logstash.conf"}
The strange thing is that this configuration file does exist, and the path is correct, but I don't understand why that error message appears. Please, could you help me to identify what is the problem that I am having?
A little bit stupid question, does logstash.conf exist? It might be logstash.conf.txt where .txt is not visible. Can you list C:\logstash-8.6.2\config\ from command line or PShell?
Another option is to install Oracle JDK(not OpenJDK), that helped me once on Linux. AFAIK, normally LS should use JDK from subfolder, if I'm not wrong.
Yes, i check on the command line that the logstash file only had the .conf extension.
I download the Oracle JDK from here: JDK 19 Releases
But when I unzip the file, I can't find an executable or something similar to install it, so Oracle JDK is executed to do the test?
I think the clue is in the wording of the error message: "No config files found in path C:....."
Files, not file.
Logstash can load multiple files with the *.conf extension from a configuration DIRECTORY. Try starting it with the path to the directory/folder with the configuration file(s). As long as the file ends with .conf, Logstash should see it and load it.
This feature also means that if you should ever want to disable a config file, you do not need to delete it. All you need to do is to rename it so it no longer ends in .conf. Add a .disabled is the standard I think.
Okay. I stand corrected. But there is something about file extensions being relevant for Logstash modules? Or is that Filebeat modules? Something about the modules being shipped out-of-the-box with a .disabled extension, and enabling them (either with a little enable tool, or manually) just involves deleting or adding the .disabled extension?
I am surprised that a similar convention is not applied to conf/filter files.
"You create pipeline configuration files when you define the stages of your Logstash processing pipeline. On deb and rpm, you place the pipeline configuration files in the /etc/logstash/conf.d directory. Logstash tries to load only files with .conf extension in the /etc/logstash/conf.d directory and ignores all other files."
As I said, if you point path.config at a directory then it will read everything in the directory. If I point path.config to a /tmp/conf.d directory that contains two files, one a valid configuration and the other a few megabytes of /dev/random then logstash will complain
[ 2023-03-18T14:47:23,218][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2023-03-18T14:47:23,610][ERROR][logstash.config.sourceloader] Could not fetch all the sources {:exception=>LogStash::ConfigLoadingError, :message=>"The following config files contains non-ascii characters but are not UTF-8 encoded ["/tmp/conf.d/zzz.disabled"]",
[2023-03-18T14:47:26,617][ERROR][logstash.config.sourceloader] No source loaders matched! This shouldn't happen
[2023-03-18T14:47:26,987][ERROR][logstash.agent ] An exception happened when converging configuration {:exception=>LogStash::InvalidSourceLoaderSettingError, :message=>"Can't find an appropriate config loader with current settings"}
It is entirely plausible that when using the deb or rpm packages the default value for path.config is /etc/logstash/conf.d/*.conf, in which case you would get something similar to
[2023-03-18T14:54:24,069][DEBUG][logstash.config.source.local.configpathloader] Skipping the following files while reading config since they don't match the specified glob pattern {:files=>["/tmp/conf.d/zzz.disabled"]}
[2023-03-18T14:54:24,071][DEBUG][logstash.config.source.local.configpathloader] Reading config file {:config_file=>"/tmp/conf.d/test.conf"}
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.