Not able to Run Logstash .Conf file in ELK 5.4 (Current) Version

Hi,

I have prepared logstash.conf under /etc/logstash/conf.d/filelog.conf as below:

input {
  file {
    path => "/var/log/file.log"
    codec => json
    start_position => "beginning"
   }
}
filter{

    grok {
      match => [ "message", %{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} (?<logger>(?:[a-zA-Z0-9]+\.)*[-A-Za-z0-9$]+) %{GREEDYDATA:message}
      overwrite => [ "message" ]
  }

}
output {
        elasticsearch {
                codec => rubydebug
                hosts => ['10.141.126.46:9200']
                index => 'filelogs-%{+YYYY.MM.dd}'
        }
}

My logstash.yml settings are:

# Which directory should be used by logstash and its plugins
# for any persistent needs. Defaults to LOGSTASH_HOME/data
#
  path.data: /var/lib/logstash

# ------------ Pipeline Configuration Settings --------------
#
# Where to fetch the pipeline configuration for the main pipeline
#
  path.config: /etc/logstash/conf.d

I tried to run logstash.conf using different methods, as below:

#Method 1
bin/logstash -f /etc/logstash/conf.d/filelog.conf
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path //usr/share/logstash/config/log4j2.properties. Using default config which logs to console
19:04:25.883 [LogStash::Runner] FATAL logstash.runner - Logstash could not be started because there is already another instance using the configured data directory. If you wish to run multiple instances, you must change the "path.data" setting.

#Method 2
bin/logstash --path.config /etc/logstash/conf.d/filelog.conf
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path //usr/share/logstash/config/log4j2.properties. Using default config which logs to console
19:08:53.683 [LogStash::Runner] FATAL logstash.runner - Logstash could not be started because there is already another instance using the configured data directory. If you wish to run multiple instances, you must change the "path.data" setting.

#Method 3

 sudo -Hu logstash /usr/share/logstash/bin/logstash --path.settings=/etc/logstash/logstash.yml -t
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path //etc/logstash/logstash.yml/log4j2.properties. Using default config which logs to console
19:35:38.826 [main] FATAL logstash.runner - An unexpected error occurred! {:error=>#<ArgumentError: Path "/usr/share/logstash/data/queue" must be a writable directory. It is not writable.>, :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/settings.rb:433:in `validate'", "/usr/share/logstash/logstash-core/lib/logstash/settings.rb:216:in `validate_value'", "/usr/share/logstash/logstash-core/lib/logstash/settings.rb:132:in `validate_all'", "org/jruby/RubyHash.java:1342:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/settings.rb:131:in `validate_all'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:217:in `execute'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:67:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:185:in `run'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:132:in `run'", "/usr/share/logstash/lib/bootstrap/environment.rb:71:in `(root)'"]}

No luck :( Please help me run it.


Hi @Pandiyan_M,
There is another instance of logstash running on your system. Find out the ID of the logstash process that is running using $ ps -aux | grep logstash and then get rid of it using the kill command. You can also use $ service logstash stop if it was already started during system boot. The third error is due to the permissions on the data directory. Change the permission of the data directory to 777 using the chmod command.

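An added example, not part of the original thread: a preflight check in POSIX shell for the two path problems visible in Method 3 above. It rejects a --path.settings value that points at logstash.yml itself instead of the directory holding it (the running service uses --path.settings /etc/logstash), and it checks that the data directory and its queue subdirectory are writable by the invoking user without being world-writable. The function names and the temporary demo layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for the path errors above.

# check_settings_dir DIR: succeed only if DIR is a directory holding logstash.yml.
check_settings_dir() {
  if [ -f "$1" ]; then
    echo "FAIL: --path.settings expects the directory, got a file: $1"
    return 1
  fi
  if [ ! -f "$1/logstash.yml" ]; then
    echo "FAIL: no logstash.yml in $1"
    return 1
  fi
  echo "OK: settings directory $1"
}

# check_data_dir DIR: succeed only if DIR and DIR/queue (when present) are
# writable by the current user without being world-writable.
check_data_dir() {
  [ -d "$1" ] || { echo "FAIL: $1 is not a directory"; return 1; }
  cdd_rc=0
  for cdd_d in "$1" "$1/queue"; do
    [ -d "$cdd_d" ] || continue
    if [ ! -w "$cdd_d" ]; then
      echo "FAIL: $cdd_d is not writable by $(id -un); check its owner with ls -ld"
      cdd_rc=1
    elif [ -n "$(find "$cdd_d" -maxdepth 0 -perm -0002)" ]; then
      echo "FAIL: $cdd_d is world-writable; other local users can create or delete files in it"
      cdd_rc=1
    else
      echo "OK: $cdd_d"
    fi
  done
  return "$cdd_rc"
}

# Demo on a constructed layout in a temporary directory (not a real install).
demo() {
  demo_tmp=$(mktemp -d)
  mkdir -p "$demo_tmp/etc" "$demo_tmp/data/queue"
  : > "$demo_tmp/etc/logstash.yml"
  chmod 750 "$demo_tmp/data"
  chmod 777 "$demo_tmp/data/queue"                         # blanket chmod: flagged
  check_settings_dir "$demo_tmp/etc/logstash.yml" || true  # a file, as in Method 3
  check_settings_dir "$demo_tmp/etc" || true
  check_data_dir "$demo_tmp/data" || true
  rm -rf "$demo_tmp"
}
demo
```

Run the checks as the account that will start Logstash. When a directory fails the writability check, changing its owner to that account with chown removes the error without granting write access to every local user.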
ps -aux | grep logstash
logstash 12902 13.8  5.0 3767524 404988 ?      SNsl 10:35   0:33 /usr/bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+DisableExplicitGC -Djava.awt.headless=true -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -Xmx1g -Xms256m -Xss2048k -Djffi.boot.library.path=/usr/share/logstash/vendor/jruby/lib/jni -Xbootclasspath/a:/usr/share/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/usr/share/logstash/vendor/jruby -Djruby.lib=/usr/share/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main /usr/share/logstash/lib/bootstrap/environment.rb logstash/runner.rb --path.settings /etc/logstash
root     12942  0.0  0.0 112648   960 pts/0    S+   10:39   0:00 grep --color=auto logstash

It was running under the logstash user account as per the process output, but there is no logstash user on my machine. Let me know how to kill the above one.

I have stopped the logstash service and ran it as below:

    [root@elk-centos logstash]# bin/logstash --path.config /etc/logstash/conf.d/filelog.conf
    WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
    Could not find log4j2 configuration at path //usr/share/logstash/config/log4j2.properties. Using default config which logs to console
    10:50:52.889 [LogStash::Runner] ERROR logstash.agent - Cannot create pipeline {:reason=>"Expected one of #, \", ', -, [, { at line 11, column 29 (byte 167) after filter{\n    \n    grok {      \n      match => [ \"message\", "}
    [root@elk-centos logstash]# ls /etc/logstash/
    conf.d  jvm.options  log4j2.properties  logstash.conf  logstash.yml  startup.options


    [root@elk-centos logstash]# ls -ltrh /etc/logstash/
    total 28K
    -rw-r--r-- 1 root root 1.7K Jun 15 08:34 startup.options
    -rw-r--r-- 1 root root 1.4K Jun 15 08:34 log4j2.properties
    -rw-r--r-- 1 root root 1.7K Jun 15 08:34 jvm.options
    -rw-r--r-- 1 root root  180 Jun 21 17:53 logstash.conf
    -rw-r--r-- 1 root root 4.4K Jun 22 19:17 logstash.yml
    drwxrwxr-x 2 root root 4.0K Jun 26 10:35 conf.d

The file is located under the same directory and it was the root user, so there is no file permission issue. May I know how to solve it?

Enclose your grok expression in quotes (single or double).

match => ["message", "..."]