No config files found in path

Hello everyone
I am new with Logstash and i trying to start Logstash 8.6.2 on a Windows Server 2019 Server to forward syslogs from a Firewall to Wazuh.
When I try to run as administrator in PS the command C:\logstash-8.6.2\bin\logstash.bat -f C:\logstash-8.6.2\config\logstash.conf I get the following error message:

error1393×253 302 KB

[ERROR] [logstash.config.sourceloader] No configuration found in the configured sources.

Before this, a line appears indicating the following:

[INFO] [logstash.config.source.local.configpathloader] No config files found in path {:path=>"C:/logstash-8.6.2/config/logstash.conf"}

The strange thing is that this configuration file does exist, and the path is correct, but I don't understand why that error message appears. Please, could you help me to identify what is the problem that I am having?

Regards

Try with additional path settings:
C:\logstash-8.6.2\bin\logstash.bat -f C:\logstash-8.6.2\config\logstash.conf --path.settings C:\logstash-8.6.2\config

Hi @Rios
Thanks for your reply. When i try to run that, i get the command syntax is not correct.

Regards.

What is the content of the file C:\logstash-8.6.2\config\logstash.conf? Can you share it?

Hi @leandrojmp
This is the content of the file:

input {
   syslog {
      port => 514
   }
}

output {
   file {
      path => "C:\logstash-8.6.2\logs\file_name.log"
      codec => "line"
   }
}

Try to pass the full path to the config between double quotes.

C:\logstash-8.6.2\bin\logstash.bat -f "C:\logstash-8.6.2\config\logstash.conf"

Or try to use backslashes

C:\logstash-8.6.2\bin\logstash.bat -f "C:/logstash-8.6.2/config/logstash.conf"

Also

file {
      path => "C:/logstash-8.6.2/logs/file_name.log"
      codec => "line"
   }

I tried both ways, but it didn't work:

4324908×245 273 KB

Capturaee1103×257 301 KB

I modified the logstash.conf file and it was as follows:

input {
   syslog {
      port => 514
   }
}

output {
   file {
      path => "C:/logstash-8.6.2/logs/file_name.log"
      codec => "line"
   }
}

and

input {
   syslog {
      port => 514
   }
}

output {
   file {
      path => "C:\logstash\logs\file_name.log"
      codec => "line"
   }
}

I save both versions and run the commands they recommended here and it didn't work.

A little bit stupid question, does logstash.conf exist? It might be logstash.conf.txt where .txt is not visible. Can you list C:\logstash-8.6.2\config\ from command line or PShell?

Another option is to install Oracle JDK(not OpenJDK), that helped me once on Linux. AFAIK, normally LS should use JDK from subfolder, if I'm not wrong.

Yes, i check on the command line that the logstash file only had the .conf extension.

I download the Oracle JDK from here: JDK 19 Releases
But when I unzip the file, I can't find an executable or something similar to install it, so Oracle JDK is executed to do the test?

That is OpenJDK, use this.

I think the clue is in the wording of the error message: "No config files found in path C:....."

Files, not file.

Logstash can load multiple files with the *.conf extension from a configuration DIRECTORY. Try starting it with the path to the directory/folder with the configuration file(s). As long as the file ends with .conf, Logstash should see it and load it.

This feature also means that if you should ever want to disable a config file, you do not need to delete it. All you need to do is to rename it so it no longer ends in .conf. Add a .disabled is the standard I think.

I do not believe it has to end in conf. If you point path.config at a directory then it will try to read everything in the directory.

Okay. I stand corrected. But there is something about file extensions being relevant for Logstash modules? Or is that Filebeat modules? Something about the modules being shipped out-of-the-box with a .disabled extension, and enabling them (either with a little enable tool, or manually) just involves deleting or adding the .disabled extension?

I am surprised that a similar convention is not applied to conf/filter files.

Or maybe I do not stand corrected

• "You create pipeline configuration files when you define the stages of your Logstash processing pipeline. On deb and rpm, you place the pipeline configuration files in the /etc/logstash/conf.d directory. Logstash tries to load only files with .conf extension in the /etc/logstash/conf.d directory and ignores all other files."

https://www.elastic.co/guide/en/logstash/current/config-setting-files.html

As I said, if you point path.config at a directory then it will read everything in the directory. If I point path.config to a /tmp/conf.d directory that contains two files, one a valid configuration and the other a few megabytes of /dev/random then logstash will complain

[ 2023-03-18T14:47:23,218][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2023-03-18T14:47:23,610][ERROR][logstash.config.sourceloader] Could not fetch all the sources {:exception=>LogStash::ConfigLoadingError, :message=>"The following config files contains non-ascii characters but are not UTF-8 encoded ["/tmp/conf.d/zzz.disabled"]",
[2023-03-18T14:47:26,617][ERROR][logstash.config.sourceloader] No source loaders matched! This shouldn't happen
[2023-03-18T14:47:26,987][ERROR][logstash.agent ] An exception happened when converging configuration {:exception=>LogStash::InvalidSourceLoaderSettingError, :message=>"Can't find an appropriate config loader with current settings"}

It is entirely plausible that when using the deb or rpm packages the default value for path.config is /etc/logstash/conf.d/*.conf, in which case you would get something similar to

[2023-03-18T14:54:24,069][DEBUG][logstash.config.source.local.configpathloader] Skipping the following files while reading config since they don't match the specified glob pattern {:files=>["/tmp/conf.d/zzz.disabled"]}
[2023-03-18T14:54:24,071][DEBUG][logstash.config.source.local.configpathloader] Reading config file {:config_file=>"/tmp/conf.d/test.conf"}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.