One or more required cgroup files or directories not found: /proc/self/cgroup, /sys/fs/cgroup/cpuacct, /sys/fs/cgroup/cpu

rusty_cole · December 22, 2021, 1:37pm

Hi Guys,
I have logstash running on a windows machine.
My inputs and parsers are set up correctly and everything works fine.
The only issue I have - when I start the logstash process, it wont ingest files, instead it just hangs with the following message - "Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>}"

Only when I break with "ctrl c" it will ingest the files on exit and send them to elastic with the message - "closing all files and shuting down"

How do I make it work without closing the process?

Thanks.

leandrojmp · December 22, 2021, 1:48pm

This message is normal, it says that logstash is running the main pipeline.

What is your pipeline configuration? Please share your full pipeline configuration and an example of what you are ingesting.

rusty_cole · December 22, 2021, 2:08pm

configuration:

input
{
    file
        {
            path => "C:/Evidence/ScheduledTasks/**/*.xml"
            start_position => "beginning"
			stat_interval => "5"
            discover_interval => "5"
            sincedb_path => "NUL"
            exclude => "*.gz"
            type => "xml"
            codec => multiline {
                    pattern => "<Task " 
                    negate => "true"
                    what => "previous"
                }
        }
}

filter {
       if [message] =~ /<\?xml/ { drop {} }

}


filter {

    xml{
        source => "message"
		remove_namespaces => true
        store_xml => true
        target => "Task"
        xpath => [
            "//Task/RegistrationInfo/SecurityDescriptor/text()", "RegistrationInfo.SecurityDescriptor",
            "//Task/RegistrationInfo/Source/text()", "RegistrationInfo.Source",
            "//Task/RegistrationInfo/Author/text()", "RegistrationInfo.Author",
            "//Task/RegistrationInfo/Description/text()", "RegistrationInfo.Description",
			"//Task/RegistrationInfo/Version/text()", "RegistrationInfo.Version",
            "//Task/RegistrationInfo/URI/text()", "RegistrationInfo.TaskName",
			"//Task/Actions/Exec/Command/text()", "Actions.Command",
			"//Task/Actions/Exec/Arguments/text()", "Actions.Arguments",
			"//Task/Principals/Principal/@id", "Principals.PrincipalID",
			"//Task/Principals/Principal/UserId/text()", "Principal.UserId",
			"//Task/Principals/Principal/LogonType/text()", "Principal.LogonType",
			"//Task/Principals/Principal/RunLevel/text()", "Principal.RunLevel",
			"//Task/Settings/Enabled/text()", "Settings.TaskStatus",
			"//Task/Settings/Hidden/text()", "Settings.Hidden",
			"//Task/Settings/AllowStartOnDemand/text()", "Settings.AllowStartOnDemand",
			"//Task/Settings/RunOnlyIfIdle/text()", "Settings.RunOnlyIfIdle",
			"//Task/Settings/DisallowStartOnRemoteAppSession/text()", "Settings.DisallowStartOnRemoteAppSession",
			"//Task/Settings/UseUnifiedSchedulingEngine/text()", "Settings.UseUnifiedSchedulingEngine",
			"//Task/Settings/WakeToRun/text()", "Settings.WakeToRun",
			"//Task/Settings/ExecutionTimeLimit/text()", "Settings.ExecutionTimeLimit",
			"//Task/Settings/Priority/text()", "Settings.Priority",
			"//Task/Settings/IdleSettings/Duration/text()", "IdleSettings.Duration",
			"//Task/Settings/IdleSettings/WaitTimeout/text()", "IdleSettings.WaitTimeout",
			"//Task/Settings/IdleSettings/StopOnIdleEnd/text()", "IdleSettings.StopOnIdleEnd",
			"//Task/Settings/IdleSettings/RestartOnIdle/text()", "IdleSettings.RestartOnIdle",
			"//Task/Triggers/LogonTrigger/Enabled/text()", "LogonTrigger.Enabled",
			"//Task/Triggers/RegistrationTrigger/Enabled/text()", "RegistrationTrigger.Enabled",
			"//Task/Triggers/RegistrationTrigger/Delay/text()", "RegistrationTrigger.Delay",
			"//Task/Triggers/CalendarTrigger/StartBoundary/text()", "CalendarTrigger.TriggerStartsOn",
			"//Task/Triggers/TimeTrigger/StartBoundary/text()", "TimeTrigger.TriggerStartsOn",
			"//Task/Triggers/TimeTrigger/Enabled/text()", "TimeTrigger.Enabled"
			

        ]
    }

}





output{

elasticsearch{
        hosts => ["http://localhost:9200/"]
        index => "xml_data"
    }


}

XML:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Version>1.3.36.112</Version>
    <Description>Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.</Description>
    <URI>\GoogleUpdateTaskMachineCore</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
    <CalendarTrigger>
      <StartBoundary>2021-11-24T09:31:27</StartBoundary>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <Enabled>true</Enabled>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command>
      <Arguments>/c</Arguments>
    </Exec>
  </Actions>
</Task>

rusty_cole · December 22, 2021, 4:14pm

After enabling DEBUG mode, I noticed the following message - One or more required cgroup files or directories not found: /proc/self/cgroup, /sys/fs/cgroup/cpuacct, /sys/fs/cgroup/cpu

rusty_cole · December 22, 2021, 4:41pm

The subject has been changed

Badger · December 22, 2021, 5:13pm

Have you tried using the auto_flush_interval option? If that is not set then the codec will not flush an event until shutdown, or a line that matches the regexp is appended to the file.

rusty_cole · December 22, 2021, 5:21pm

Problem solved......
THANKS Badger !!!

system · January 19, 2022, 5:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issue with unintentionally becoming non_running in Logstash management Logstash jdbc	7	187	June 18, 2024
Multiple Pipelines throwing errors when enabled Logstash	10	1413	January 11, 2022
Logstash Pipeline Erro Logstash	3	12	October 7, 2024
Multiple Logstash pipelines Logstash	17	1388	June 26, 2019
Logstash is not generating log file Logstash	5	5028	November 8, 2019

One or more required cgroup files or directories not found: /proc/self/cgroup, /sys/fs/cgroup/cpuacct, /sys/fs/cgroup/cpu

Related Topics