One or more required cgroup files or directories not found: /proc/self/cgroup, /sys/fs/cgroup/cpuacct, /sys/fs/cgroup/cpu

Hi Guys,
I have logstash running on a windows machine.
My inputs and parsers are set up correctly and everything works fine.
The only issue I have - when I start the logstash process, it won't ingest files, instead it just hangs with the following message - "Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>}"

Only when I break with "ctrl c" it will ingest the files on exit and send them to elastic with the message - "closing all files and shuting down"

How do I make it work without closing the process?

Thanks.

This message is normal, it says that logstash is running the main pipeline.

What is your pipeline configuration? Please share your full pipeline configuration and an example of what you are ingesting.

configuration:

input {
    file {
        path => "C:/Evidence/ScheduledTasks/**/*.xml"
        start_position => "beginning"
        stat_interval => "5"
        discover_interval => "5"
        sincedb_path => "NUL"
        exclude => "*.gz"
        type => "xml"
        codec => multiline {
            pattern => "<Task "
            negate => "true"
            what => "previous"
        }
    }
}

filter {
    if [message] =~ /<\?xml/ { drop {} }
}

filter {
    xml {
        source => "message"
        remove_namespaces => true
        store_xml => true
        target => "Task"
        xpath => [
            "//Task/RegistrationInfo/SecurityDescriptor/text()", "RegistrationInfo.SecurityDescriptor",
            "//Task/RegistrationInfo/Source/text()", "RegistrationInfo.Source",
            "//Task/RegistrationInfo/Author/text()", "RegistrationInfo.Author",
            "//Task/RegistrationInfo/Description/text()", "RegistrationInfo.Description",
            "//Task/RegistrationInfo/Version/text()", "RegistrationInfo.Version",
            "//Task/RegistrationInfo/URI/text()", "RegistrationInfo.TaskName",
            "//Task/Actions/Exec/Command/text()", "Actions.Command",
            "//Task/Actions/Exec/Arguments/text()", "Actions.Arguments",
            "//Task/Principals/Principal/@id", "Principals.PrincipalID",
            "//Task/Principals/Principal/UserId/text()", "Principal.UserId",
            "//Task/Principals/Principal/LogonType/text()", "Principal.LogonType",
            "//Task/Principals/Principal/RunLevel/text()", "Principal.RunLevel",
            "//Task/Settings/Enabled/text()", "Settings.TaskStatus",
            "//Task/Settings/Hidden/text()", "Settings.Hidden",
            "//Task/Settings/AllowStartOnDemand/text()", "Settings.AllowStartOnDemand",
            "//Task/Settings/RunOnlyIfIdle/text()", "Settings.RunOnlyIfIdle",
            "//Task/Settings/DisallowStartOnRemoteAppSession/text()", "Settings.DisallowStartOnRemoteAppSession",
            "//Task/Settings/UseUnifiedSchedulingEngine/text()", "Settings.UseUnifiedSchedulingEngine",
            "//Task/Settings/WakeToRun/text()", "Settings.WakeToRun",
            "//Task/Settings/ExecutionTimeLimit/text()", "Settings.ExecutionTimeLimit",
            "//Task/Settings/Priority/text()", "Settings.Priority",
            "//Task/Settings/IdleSettings/Duration/text()", "IdleSettings.Duration",
            "//Task/Settings/IdleSettings/WaitTimeout/text()", "IdleSettings.WaitTimeout",
            "//Task/Settings/IdleSettings/StopOnIdleEnd/text()", "IdleSettings.StopOnIdleEnd",
            "//Task/Settings/IdleSettings/RestartOnIdle/text()", "IdleSettings.RestartOnIdle",
            "//Task/Triggers/LogonTrigger/Enabled/text()", "LogonTrigger.Enabled",
            "//Task/Triggers/RegistrationTrigger/Enabled/text()", "RegistrationTrigger.Enabled",
            "//Task/Triggers/RegistrationTrigger/Delay/text()", "RegistrationTrigger.Delay",
            "//Task/Triggers/CalendarTrigger/StartBoundary/text()", "CalendarTrigger.TriggerStartsOn",
            "//Task/Triggers/TimeTrigger/StartBoundary/text()", "TimeTrigger.TriggerStartsOn",
            "//Task/Triggers/TimeTrigger/Enabled/text()", "TimeTrigger.Enabled"
        ]
    }
}

output {
    elasticsearch {
        hosts => ["http://localhost:9200/"]
        index => "xml_data"
    }
}

XML:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Version>1.3.36.112</Version>
    <Description>Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.</Description>
    <URI>\GoogleUpdateTaskMachineCore</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
    <CalendarTrigger>
      <StartBoundary>2021-11-24T09:31:27</StartBoundary>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <Enabled>true</Enabled>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command>
      <Arguments>/c</Arguments>
    </Exec>
  </Actions>
</Task>

After enabling DEBUG mode, I noticed the following message - One or more required cgroup files or directories not found: /proc/self/cgroup, /sys/fs/cgroup/cpuacct, /sys/fs/cgroup/cpu


Have you tried using the auto_flush_interval option? If that is not set then the codec will not flush an event until shutdown, or a line that matches the regexp is appended to the file.
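To make the behaviour Badger describes concrete, here is an added Python model of the multiline codec as configured in the pipeline above (pattern "<Task ", negate => true, what => "previous"); it is a simplified re-implementation written for this thread, not Logstash's own code, and it replays a shortened, constructed copy of the posted task XML with and without auto_flush_interval.

```python
import re
from typing import List, Optional

# Constructed sample: a shortened version of the task XML posted in the thread.
SAMPLE_TASK = [
    '<?xml version="1.0" encoding="UTF-16"?>',
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">',
    '  <RegistrationInfo><URI>\\GoogleUpdateTaskMachineCore</URI></RegistrationInfo>',
    '  <Actions Context="Author"><Exec><Command>GoogleUpdate.exe</Command></Exec></Actions>',
    '</Task>',
]

class MultilineModel:
    """Simplified model (not Logstash's code) of the multiline codec's buffering."""

    def __init__(self, pattern: str, negate: bool, auto_flush_interval: Optional[float]):
        self.pattern = re.compile(pattern)
        self.negate = negate
        self.auto_flush_interval = auto_flush_interval
        self.pending: List[str] = []
        self.last_line_at: Optional[float] = None

    def push(self, line: str, now: float) -> List[str]:
        """Feed one line; return the events the codec would emit right now."""
        # negate => true inverts the match: lines NOT starting a <Task join the previous event.
        joins_previous = bool(self.pattern.search(line)) != self.negate
        done: List[str] = []
        if joins_previous and self.pending:
            self.pending.append(line)              # what => "previous": glue onto the open event
        else:
            if self.pending:                       # a new task begins, so the old one is released
                done.append("\n".join(self.pending))
            self.pending = [line]
        self.last_line_at = now
        return done

    def tick(self, now: float) -> List[str]:
        """Timer check: auto_flush_interval releases an event that has sat idle long enough."""
        if (self.auto_flush_interval is not None and self.pending
                and now - self.last_line_at >= self.auto_flush_interval):
            event, self.pending = "\n".join(self.pending), []
            return [event]
        return []

def ingest(lines: List[str], auto_flush_interval: Optional[float], idle_after: float) -> List[str]:
    """Feed lines one second apart, then wait idle_after seconds; no shutdown flush is performed."""
    codec = MultilineModel(r"<Task ", negate=True, auto_flush_interval=auto_flush_interval)
    events: List[str] = []
    for t, line in enumerate(lines):
        events += codec.push(line, now=float(t))
    events += codec.tick(now=float(len(lines)) + idle_after)
    return events
```

Without auto_flush_interval the only event released is the XML declaration (which the drop filter discards), while the whole Task stays buffered until shutdown; with the interval set, the Task is emitted once the file has been quiet for that long.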

Problem solved......
THANKS Badger !!!
