Pipeline is running but index is not created at elasticsearch

I'm trying to create an index and load one log file into Elasticsearch using Logstash with the config below:

input {
file {
   path => ["/mnt/c/databalanceInfo_0.log"]
   start_position => "beginning"
   sincedb_path => "/dev/null"
 }
}

output {
  elasticsearch {
            hosts => [ "localhost:9200"]
            index => "balance_no_grok"
        }
  stdout { }
}

but I get pipeline is running and no index is getting created:

sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf -r
Using LS_JAVA_HOME defined java: /usr/lib/jvm/java-17-openjdk-amd64.
WARNING: Using LS_JAVA_HOME while Logstash distribution comes with a bundled JDK.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2023-05-21 12:42:10.008 [main] runner - The use of JAVA_HOME has been deprecated. Logstash 8.0 and later ignores JAVA_HOME and uses the bundled JDK. Running Logstash with the bundled JDK is recommended. The bundled JDK has been verified to work with each specific version of Logstash, and generally provides best performance and reliability. If you have compelling reasons for using your own JDK (organizational-specific compliance requirements, for example), you can configure LS_JAVA_HOME to use that version instead.
[INFO ] 2023-05-21 12:42:10.010 [main] runner - Starting Logstash {"logstash.version"=>"7.17.10", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 17.0.6+10-Ubuntu-0ubuntu120.04.1 on 17.0.6+10-Ubuntu-0ubuntu120.04.1 +indy +jit [linux-x86_64]"}
[INFO ] 2023-05-21 12:42:10.011 [main] runner - JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djdk.io.File.enableADS=true, -Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED]
[WARN ] 2023-05-21 12:42:10.126 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2023-05-21 12:42:10.633 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[INFO ] 2023-05-21 12:42:10.977 [Converge PipelineAction::Create<main>] Reflections - Reflections took 41 ms to scan 1 urls, producing 119 keys and 419 values
[WARN ] 2023-05-21 12:42:11.191 [Converge PipelineAction::Create<main>] plain - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2023-05-21 12:42:11.222 [Converge PipelineAction::Create<main>] file - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2023-05-21 12:42:11.255 [Converge PipelineAction::Create<main>] plain - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2023-05-21 12:42:11.279 [Converge PipelineAction::Create<main>] elasticsearch - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2023-05-21 12:42:11.376 [[main]-pipeline-manager] elasticsearch - New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[INFO ] 2023-05-21 12:42:11.516 [[main]-pipeline-manager] elasticsearch - Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://localhost:9200/]}}
[WARN ] 2023-05-21 12:42:11.686 [[main]-pipeline-manager] elasticsearch - Restored connection to ES instance {:url=>"http://localhost:9200/"}
[INFO ] 2023-05-21 12:42:11.695 [[main]-pipeline-manager] elasticsearch - Elasticsearch version determined (8.7.1) {:es_version=>8}
[WARN ] 2023-05-21 12:42:11.696 [[main]-pipeline-manager] elasticsearch - Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>8}
[INFO ] 2023-05-21 12:42:11.722 [Ruby-0-Thread-10: :1] elasticsearch - Config is not compliant with data streams. `data_stream => auto` resolved to `false`
[INFO ] 2023-05-21 12:42:11.724 [[main]-pipeline-manager] elasticsearch - Config is not compliant with data streams. `data_stream => auto` resolved to `false`
[INFO ] 2023-05-21 12:42:11.749 [Ruby-0-Thread-10: :1] elasticsearch - Using a default mapping template {:es_version=>8, :ecs_compatibility=>:disabled}
[INFO ] 2023-05-21 12:42:11.763 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>20, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>2500, "pipeline.sources"=>["/etc/logstash/conf.d/logstash.conf"], :thread=>"#<Thread:0x5f91ab90 run>"}
[INFO ] 2023-05-21 12:42:12.225 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>0.46}
[INFO ] 2023-05-21 12:42:12.258 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2023-05-21 12:42:12.285 [[main]<file] observingtail - START, creating Discoverer, Watch with file and sincedb collections
[INFO ] 2023-05-21 12:42:12.296 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}

Is that correct? ^^^

Also, check the log file is there and accessible/permissions?

Do you see anything from your stdout { } if not then logstash is not reading / processing anything.

Can you also try a local file?

How many lines in the file? Is there more than 1?

I changed the config file to read from a local file, even though the previous file was already local but mounted from the Windows system to this WSL Ubuntu:

input {
file {
   path => ["/home/yasser/balance_inquiry.log"]
   start_position => "beginning"
   sincedb_path => "/dev/null"
 }
}

output {
  elasticsearch {
            hosts => [ "localhost:9200"]
            index => "balance_no_grok"
        }
  stdout { }
}

pipelines.yml was containing:

- pipeline.id: main
  path.config: "/etc/logstash/conf.d/*.conf"

I changed it to contain only the conf file I started logstash with using -f:

- pipeline.id: main
  path.config: "/etc/logstash/conf.d/logstash.conf"

now running but getting almost same output without reading the file as I understand:

yasser@Yasser-Dell:/usr/share/logstash$ bin/logstash -f /etc/logstash/conf.d/logstash.conf
Using JAVA_HOME defined java: /usr/lib/jvm/java-17-openjdk-amd64
WARNING: Using JAVA_HOME while Logstash distribution comes with a bundled JDK.
DEPRECATION: The use of JAVA_HOME is now deprecated and will be removed starting from 8.0. Please configure LS_JAVA_HOME instead.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2023-05-21 22:18:08.927 [main] runner - The use of JAVA_HOME has been deprecated. Logstash 8.0 and later ignores JAVA_HOME and uses the bundled JDK. Running Logstash with the bundled JDK is recommended. The bundled JDK has been verified to work with each specific version of Logstash, and generally provides best performance and reliability. If you have compelling reasons for using your own JDK (organizational-specific compliance requirements, for example), you can configure LS_JAVA_HOME to use that version instead.
[INFO ] 2023-05-21 22:18:08.932 [main] runner - Starting Logstash {"logstash.version"=>"7.17.10", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 17.0.6+10-Ubuntu-0ubuntu120.04.1 on 17.0.6+10-Ubuntu-0ubuntu120.04.1 +indy +jit [linux-x86_64]"}
[INFO ] 2023-05-21 22:18:08.934 [main] runner - JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djdk.io.File.enableADS=true, -Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED]
[WARN ] 2023-05-21 22:18:09.163 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2023-05-21 22:18:10.016 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[INFO ] 2023-05-21 22:18:10.621 [Converge PipelineAction::Create<main>] Reflections - Reflections took 96 ms to scan 1 urls, producing 119 keys and 419 values
[WARN ] 2023-05-21 22:18:10.996 [Converge PipelineAction::Create<main>] plain - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2023-05-21 22:18:11.035 [Converge PipelineAction::Create<main>] file - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2023-05-21 22:18:11.080 [Converge PipelineAction::Create<main>] plain - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2023-05-21 22:18:11.111 [Converge PipelineAction::Create<main>] elasticsearch - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2023-05-21 22:18:11.263 [[main]-pipeline-manager] elasticsearch - New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[INFO ] 2023-05-21 22:18:11.526 [[main]-pipeline-manager] elasticsearch - Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://localhost:9200/]}}
[WARN ] 2023-05-21 22:18:11.722 [[main]-pipeline-manager] elasticsearch - Restored connection to ES instance {:url=>"http://localhost:9200/"}
[INFO ] 2023-05-21 22:18:11.744 [[main]-pipeline-manager] elasticsearch - Elasticsearch version determined (8.7.1) {:es_version=>8}
[WARN ] 2023-05-21 22:18:11.747 [[main]-pipeline-manager] elasticsearch - Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>8}
[INFO ] 2023-05-21 22:18:11.797 [[main]-pipeline-manager] elasticsearch - Config is not compliant with data streams. `data_stream => auto` resolved to `false`
[INFO ] 2023-05-21 22:18:11.797 [Ruby-0-Thread-10: :1] elasticsearch - Config is not compliant with data streams. `data_stream => auto` resolved to `false`
[INFO ] 2023-05-21 22:18:11.849 [Ruby-0-Thread-10: :1] elasticsearch - Using a default mapping template {:es_version=>8, :ecs_compatibility=>:disabled}
[INFO ] 2023-05-21 22:18:11.881 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>20, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>2500, "pipeline.sources"=>["/etc/logstash/conf.d/logstash.conf"], :thread=>"#<Thread:0x6b5692ce run>"}
[INFO ] 2023-05-21 22:18:12.730 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>0.83}
[INFO ] 2023-05-21 22:18:12.785 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2023-05-21 22:18:12.832 [[main]<file] observingtail - START, creating Discoverer, Watch with file and sincedb collections
[INFO ] 2023-05-21 22:18:12.865 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}

Hi @Yasser_Alsawy

What version?

Your config and files look pretty nothing obvious to me.

And the logstash logs look like a normal startup.

And in my opinion you're debugging the correct way by running it from the command line with -f, and you can also run -r for reload

Which means it's usually something subtle and then we're both going to go ... Ohh we should have seen that :slight_smile:

Here are some thoughts...

And to be clear, do you see anything come out of the standard out? Yes or no

Second I noticed sudo sometimes other times not... Some systems you need sudo to write to /dev/null

And again, how many lines do you have in your log file? If it is single line with no carriage return it will not load. Logstash is line oriented.

What are the permissions of the log file that you're trying to load?

You could also add a stdin input and make sure you see output...

These are just some thoughts

logstash 7.17.10
Elasticsearch 8.7.1

my input file is huge. It was 1M (more than 4K lines) then I kept only tens of lines for testing.

my config file permission:
-rw-r--r-- 1 yasser yasser 266 May 21 22:09 /etc/logstash/conf.d/logstash.conf

my input file permission:
-rw-r--r-- 1 yasser yasser 15611 May 21 22:07 balance_inquiry.log

Good on testing smaller file,
You still did not answer if you see anything on the console from the stdout output... Assuming no.

Are you running this on Windows (I see Dell)? What OS?

Also you can set the logstash logs to debug see here

When you look at the sample log file permission the owning directory also needs to be readable

Try taking off the array

path => ["/home/yasser/balance_inquiry.log"]
To

path => "/home/yasser/balance_inquiry.log"

Although the array should work

You might need to put a space for the brackets

path => [ "/home/yasser/balance_inquiry.log" ]

Yup bet that is it see here for correct syntax
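The file checks raised in the replies above (file present and readable, owning directories readable, at least one newline-terminated line, Windows-mounted path) collected into one script. This is an added example, not part of the original posts; `check_file_input` is a hypothetical helper name and the sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): pre-flight checks for the file that a
# Logstash file input is pointed at. check_file_input is a hypothetical helper.
# Exit status: 0 = ok, 1 = warnings only, 2-6 = a check failed.

check_file_input() {
  local path=$1 dir lines warn=0

  if [ ! -f "$path" ]; then
    echo "FAIL: $path does not exist or is not a regular file"; return 2
  fi
  if [ ! -r "$path" ]; then
    echo "FAIL: $path is not readable by user $(id -un)"; return 3
  fi

  # Every owning directory must be searchable (x bit) by the current user.
  dir=$(dirname "$path")
  while :; do
    if [ ! -x "$dir" ]; then
      echo "FAIL: directory $dir cannot be traversed by user $(id -un)"; return 4
    fi
    if [ "$dir" = "/" ] || [ "$dir" = "." ]; then break; fi
    dir=$(dirname "$dir")
  done

  if [ ! -s "$path" ]; then
    echo "FAIL: $path is empty"; return 5
  fi

  # wc -l counts newline characters, i.e. complete lines.
  lines=$(wc -l < "$path" | tr -d ' ')
  if [ "$lines" -eq 0 ]; then
    echo "FAIL: no newline-terminated line in $path"; return 6
  fi

  # $(...) strips a trailing newline, so non-empty output means the last
  # byte is not "\n" and the final line is still unterminated.
  if [ -n "$(tail -c 1 "$path")" ]; then
    echo "WARN: last line has no trailing newline"; warn=1
  fi

  # The thread's first attempt read from /mnt/c; flag that case.
  case $path in
    /mnt/*) echo "WARN: path is on a Windows drive mounted into WSL; also test a copy under /home"; warn=1 ;;
  esac

  echo "INFO: $lines complete line(s), checked as user $(id -un)"
  return "$warn"
}

# Demo on constructed sample files (not the poster's log).
demo() {
  local d f
  d=$(mktemp -d)
  printf 'line one\nline two\n' > "$d/good.log"
  printf 'single line, no newline' > "$d/one_line.log"
  for f in good.log one_line.log missing.log; do
    echo "== $f"
    check_file_input "$d/$f" || echo "   exit status $?"
  done
  rm -rf "$d"
}

demo
```

Run it as the same user that starts Logstash (with and without sudo), since the readability checks depend on who is asking.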

I'm running Ubuntu 20.04.6 LTS as Windows 11 WSL
I shared with you all the output I get after running Logstash, including STDOUT, which does not include any reading of the input file.

I opened log4j.properties at /etc/logstash but could not find any of:
logger.elasticsearchoutput.name =
logger.elasticsearchoutput.level =
should I add them?

also I'm not able to find /logs directory.
my installation is at /usr/share/logstash and my configuration is at /etc/logstash but /logs is neither at /etc/logstash nor /usr/share/logstash
Is it specified at log4j.properties as I can find many paths but I do not know what ${sys:ls.logs} is!

appender.rolling.fileName = ${sys:ls.logs}/logstash-plain.log
appender.json_rolling.fileName = ${sys:ls.logs}/logstash-json.log
appender.routing.pipeline.fileName = ${sys:ls.logs}/pipeline_${ctx:pipeline.id}.log
appender.routing.pipeline.fileName = ${sys:ls.logs}/pipeline_${ctx:pipeline.id}.log
appender.json_rolling_slowlog.fileName = ${sys:ls.logs}/logstash-slowlog-json.log
appender.deprecation_rolling.fileName = ${sys:ls.logs}/logstash-deprecation.log
appender.rolling_slowlog.fileName = ${sys:ls.logs}/logstash-slowlog-plain.log

finally I have changed /etc/logstash/conf.d/logstash.conf into:

input {
file {
   path => "/home/yasser/balance_inquiry.log"
   start_position => "beginning"
   sincedb_path => "/dev/null"
 }
}

output {
  elasticsearch {
            hosts => "localhost:9200"
            index => "balance_no_grok"
        }
  stdout { }
}

I ran:

yasser@Yasser-Dell:~$ /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf -r
Using LS_JAVA_HOME defined java: /usr/lib/jvm/java-17-openjdk-amd64.
WARNING: Using LS_JAVA_HOME while Logstash distribution comes with a bundled JDK.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2023-05-22 09:59:21.132 [main] runner - The use of JAVA_HOME has been deprecated. Logstash 8.0 and later ignores JAVA_HOME and uses the bundled JDK. Running Logstash with the bundled JDK is recommended. The bundled JDK has been verified to work with each specific version of Logstash, and generally provides best performance and reliability. If you have compelling reasons for using your own JDK (organizational-specific compliance requirements, for example), you can configure LS_JAVA_HOME to use that version instead.
[INFO ] 2023-05-22 09:59:21.135 [main] runner - Starting Logstash {"logstash.version"=>"7.17.10", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 17.0.6+10-Ubuntu-0ubuntu120.04.1 on 17.0.6+10-Ubuntu-0ubuntu120.04.1 +indy +jit [linux-x86_64]"}
[INFO ] 2023-05-22 09:59:21.137 [main] runner - JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djdk.io.File.enableADS=true, -Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED]
[WARN ] 2023-05-22 09:59:21.268 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2023-05-22 09:59:21.821 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[INFO ] 2023-05-22 09:59:22.111 [Converge PipelineAction::Create<main>] Reflections - Reflections took 42 ms to scan 1 urls, producing 119 keys and 419 values
[WARN ] 2023-05-22 09:59:22.321 [Converge PipelineAction::Create<main>] plain - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2023-05-22 09:59:22.341 [Converge PipelineAction::Create<main>] file - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2023-05-22 09:59:22.363 [Converge PipelineAction::Create<main>] plain - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2023-05-22 09:59:22.379 [Converge PipelineAction::Create<main>] elasticsearch - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2023-05-22 09:59:22.457 [[main]-pipeline-manager] elasticsearch - New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[INFO ] 2023-05-22 09:59:22.585 [[main]-pipeline-manager] elasticsearch - Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://localhost:9200/]}}
[WARN ] 2023-05-22 09:59:22.676 [[main]-pipeline-manager] elasticsearch - Restored connection to ES instance {:url=>"http://localhost:9200/"}
[INFO ] 2023-05-22 09:59:22.686 [[main]-pipeline-manager] elasticsearch - Elasticsearch version determined (8.7.1) {:es_version=>8}
[WARN ] 2023-05-22 09:59:22.687 [[main]-pipeline-manager] elasticsearch - Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>8}
[INFO ] 2023-05-22 09:59:22.717 [[main]-pipeline-manager] elasticsearch - Config is not compliant with data streams. `data_stream => auto` resolved to `false`
[INFO ] 2023-05-22 09:59:22.717 [Ruby-0-Thread-10: :1] elasticsearch - Config is not compliant with data streams. `data_stream => auto` resolved to `false`
[INFO ] 2023-05-22 09:59:22.744 [Ruby-0-Thread-10: :1] elasticsearch - Using a default mapping template {:es_version=>8, :ecs_compatibility=>:disabled}
[INFO ] 2023-05-22 09:59:22.759 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>20, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>2500, "pipeline.sources"=>["/etc/logstash/conf.d/logstash.conf"], :thread=>"#<Thread:0x283ec0a4 run>"}
[INFO ] 2023-05-22 09:59:23.154 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>0.39}
[INFO ] 2023-05-22 09:59:23.196 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2023-05-22 09:59:23.223 [[main]<file] observingtail - START, creating Discoverer, Watch with file and sincedb collections
[INFO ] 2023-05-22 09:59:23.235 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}

As you can see, no stdout showing any reading, and I tried finding the index:

yasser@Yasser-Dell:~$ curl -XGET 127.0.0.1:9200/balance_no_grok/_search?pretty
{
  "error" : {
    "root_cause" : [
      {
        "type" : "index_not_found_exception",
        "reason" : "no such index [balance_no_grok]",
        "resource.type" : "index_or_alias",
        "resource.id" : "balance_no_grok",
        "index_uuid" : "_na_",
        "index" : "balance_no_grok"
      }
    ],
    "type" : "index_not_found_exception",
    "reason" : "no such index [balance_no_grok]",
    "resource.type" : "index_or_alias",
    "resource.id" : "balance_no_grok",
    "index_uuid" : "_na_",
    "index" : "balance_no_grok"
  },
  "status" : 404
}

also I tried running using sudo but no difference in printed output and index is still not created:

yasser@Yasser-Dell:~$ sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf -r
[sudo] password for yasser:
Using LS_JAVA_HOME defined java: /usr/lib/jvm/java-17-openjdk-amd64.
WARNING: Using LS_JAVA_HOME while Logstash distribution comes with a bundled JDK.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2023-05-22 10:06:19.321 [main] runner - The use of JAVA_HOME has been deprecated. Logstash 8.0 and later ignores JAVA_HOME and uses the bundled JDK. Running Logstash with the bundled JDK is recommended. The bundled JDK has been verified to work with each specific version of Logstash, and generally provides best performance and reliability. If you have compelling reasons for using your own JDK (organizational-specific compliance requirements, for example), you can configure LS_JAVA_HOME to use that version instead.
[INFO ] 2023-05-22 10:06:19.324 [main] runner - Starting Logstash {"logstash.version"=>"7.17.10", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 17.0.6+10-Ubuntu-0ubuntu120.04.1 on 17.0.6+10-Ubuntu-0ubuntu120.04.1 +indy +jit [linux-x86_64]"}
[INFO ] 2023-05-22 10:06:19.325 [main] runner - JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djdk.io.File.enableADS=true, -Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED]
[WARN ] 2023-05-22 10:06:19.439 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2023-05-22 10:06:19.962 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[INFO ] 2023-05-22 10:06:20.256 [Converge PipelineAction::Create<main>] Reflections - Reflections took 47 ms to scan 1 urls, producing 119 keys and 419 values
[WARN ] 2023-05-22 10:06:20.459 [Converge PipelineAction::Create<main>] plain - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2023-05-22 10:06:20.479 [Converge PipelineAction::Create<main>] file - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2023-05-22 10:06:20.500 [Converge PipelineAction::Create<main>] plain - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2023-05-22 10:06:20.514 [Converge PipelineAction::Create<main>] elasticsearch - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2023-05-22 10:06:20.590 [[main]-pipeline-manager] elasticsearch - New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[INFO ] 2023-05-22 10:06:20.711 [[main]-pipeline-manager] elasticsearch - Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://localhost:9200/]}}
[WARN ] 2023-05-22 10:06:20.797 [[main]-pipeline-manager] elasticsearch - Restored connection to ES instance {:url=>"http://localhost:9200/"}
[INFO ] 2023-05-22 10:06:20.804 [[main]-pipeline-manager] elasticsearch - Elasticsearch version determined (8.7.1) {:es_version=>8}
[WARN ] 2023-05-22 10:06:20.806 [[main]-pipeline-manager] elasticsearch - Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>8}
[INFO ] 2023-05-22 10:06:20.830 [Ruby-0-Thread-10: :1] elasticsearch - Config is not compliant with data streams. `data_stream => auto` resolved to `false`
[INFO ] 2023-05-22 10:06:20.831 [[main]-pipeline-manager] elasticsearch - Config is not compliant with data streams. `data_stream => auto` resolved to `false`
[INFO ] 2023-05-22 10:06:20.860 [Ruby-0-Thread-10: :1] elasticsearch - Using a default mapping template {:es_version=>8, :ecs_compatibility=>:disabled}
[INFO ] 2023-05-22 10:06:20.874 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>20, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>2500, "pipeline.sources"=>["/etc/logstash/conf.d/logstash.conf"], :thread=>"#<Thread:0x3fbde3a9 run>"}
[INFO ] 2023-05-22 10:06:21.265 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>0.39}
[INFO ] 2023-05-22 10:06:21.296 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2023-05-22 10:06:21.318 [[main]<file] observingtail - START, creating Discoverer, Watch with file and sincedb collections
[INFO ] 2023-05-22 10:06:21.325 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}

Running out of ideas...take this out for one try see what you get.

I am not as familiar with Ubuntu 20.04.6 LTS as Windows 11 WSL perhaps there is something different.

Apologies @Badger, sorry to bug you but running out of ideas. I am sure I have missed something.. perhaps a quick look?

You might try:

  • sincedb_path => "NUL" # this setting is for Win platform
  • check /var/log/logstash/ is there sincedb or in <path.data>/plugins/inputs/file
  • set config.debug: true and log.level: debug in logstash.yml and restart LS
  • add debug in stdout:
  stdout {
    codec => rubydebug
  }

Two more suggestions, try with additionally sincedb_clean_after:

file {
   path => ["/mnt/c/databalanceInfo_0.log"]
   start_position => "beginning"
   sincedb_path => "/dev/null"
   sincedb_clean_after => "60 s"
 }

Can you put your log in some other directory: home, opt? Just for test.

@Yasser_Alsawy I would suggest enabling TRACE level logging. The filewatch library that the file input uses will then log when it finds the file and whether it sees any unread data in it.

In theory using /dev/null on WSL was fixed to work properly back in 2016 (as you might expect, a non-working /dev/null broke a lot of things), but if the trace logs indicate it has already read the file then try changing the sincedb_path.


@Rios no recent files at /var/log/logstash. Why not writing there?

yasser@Yasser-Dell:/var/log/logstash$ ll
total 48
drwxr-xr-x  2 logstash root     4096 May 19 11:09 ./
drwxrwxr-x 13 root     syslog   4096 May 15 12:24 ../
-rw-r--r--  1 logstash logstash  604 Apr 16 11:36 logstash-deprecation-2023-04-11-1.log.gz
-rw-r--r--  1 logstash logstash  302 Apr 17 14:58 logstash-deprecation-2023-04-16-1.log.gz
-rw-r--r--  1 logstash logstash  537 Apr 24 13:51 logstash-deprecation-2023-04-17-1.log.gz
-rw-r--r--  1 logstash logstash 3006 Apr 24 13:51 logstash-deprecation.log
-rw-rw-r--  1 logstash logstash    0 Apr 11 12:46 logstash-json.log
-rw-r--r--  1 logstash logstash 1670 Apr 16 11:36 logstash-plain-2023-04-11-1.log.gz
-rw-r--r--  1 logstash logstash 1416 Apr 17 14:58 logstash-plain-2023-04-16-1.log.gz
-rw-r--r--  1 logstash logstash 4730 Apr 24 13:51 logstash-plain-2023-04-17-1.log.gz
-rw-r--r--  1 logstash logstash 1549 May 19 11:09 logstash-plain-2023-04-24-1.log.gz
-rw-r--r--  1 logstash logstash 2505 May 19 11:09 logstash-plain.log
-rw-rw-r--  1 logstash logstash    0 Apr 11 12:46 logstash-slowlog-json.log
-rw-rw-r--  1 logstash logstash    0 Apr 11 12:46 logstash-slowlog-plain.log

The only 3 lines at /etc/logstash/logstash.yml not started with # are:

log.level: debug
path.logs: /var/log/logstash
config.debug: true

here is my new /etc/logstash/conf.d/logstash.conf (I already changed before the log file to be very local at /home)

input
{
  file
  {
    path => "/home/yasser/balance_inquiry.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    sincedb_clean_after => "60 s"
  }
}

output
{
  elasticsearch
  {
    hosts => "localhost:9200"
    index => "balance-inquiry"
  }
  stdout
  {
    codec => rubydebug
  }
}

and here is file permission:
-rw-r--r-- 1 yasser yasser 283 May 23 09:46 logstash.conf

I tried to run again and staying again at pipeline running line:

yasser@Yasser-Dell:/usr/share/logstash/bin$ ./logstash -f /etc/logstash/conf.d/logstash.conf -r
Using JAVA_HOME defined java: /usr/lib/jvm/java-17-openjdk-amd64
WARNING: Using JAVA_HOME while Logstash distribution comes with a bundled JDK.
DEPRECATION: The use of JAVA_HOME is now deprecated and will be removed starting from 8.0. Please configure LS_JAVA_HOME instead.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2023-05-23 09:53:46.031 [main] runner - The use of JAVA_HOME has been deprecated. Logstash 8.0 and later ignores JAVA_HOME and uses the bundled JDK. Running Logstash with the bundled JDK is recommended. The bundled JDK has been verified to work with each specific version of Logstash, and generally provides best performance and reliability. If you have compelling reasons for using your own JDK (organizational-specific compliance requirements, for example), you can configure LS_JAVA_HOME to use that version instead.
[INFO ] 2023-05-23 09:53:46.033 [main] runner - Starting Logstash {"logstash.version"=>"7.17.10", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 17.0.6+10-Ubuntu-0ubuntu120.04.1 on 17.0.6+10-Ubuntu-0ubuntu120.04.1 +indy +jit [linux-x86_64]"}
[INFO ] 2023-05-23 09:53:46.034 [main] runner - JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djdk.io.File.enableADS=true, -Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED]
[WARN ] 2023-05-23 09:53:46.158 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2023-05-23 09:53:46.684 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[INFO ] 2023-05-23 09:53:46.974 [Converge PipelineAction::Create<main>] Reflections - Reflections took 43 ms to scan 1 urls, producing 119 keys and 419 values
[WARN ] 2023-05-23 09:53:47.166 [Converge PipelineAction::Create<main>] plain - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2023-05-23 09:53:47.186 [Converge PipelineAction::Create<main>] file - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2023-05-23 09:53:47.206 [Converge PipelineAction::Create<main>] plain - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2023-05-23 09:53:47.220 [Converge PipelineAction::Create<main>] elasticsearch - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2023-05-23 09:53:47.294 [[main]-pipeline-manager] elasticsearch - New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[INFO ] 2023-05-23 09:53:47.424 [[main]-pipeline-manager] elasticsearch - Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://localhost:9200/]}}
[WARN ] 2023-05-23 09:53:47.566 [[main]-pipeline-manager] elasticsearch - Restored connection to ES instance {:url=>"http://localhost:9200/"}
[INFO ] 2023-05-23 09:53:47.575 [[main]-pipeline-manager] elasticsearch - Elasticsearch version determined (8.7.1) {:es_version=>8}
[WARN ] 2023-05-23 09:53:47.576 [[main]-pipeline-manager] elasticsearch - Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>8}
[INFO ] 2023-05-23 09:53:47.603 [Ruby-0-Thread-10: :1] elasticsearch - Config is not compliant with data streams. `data_stream => auto` resolved to `false`
[INFO ] 2023-05-23 09:53:47.604 [[main]-pipeline-manager] elasticsearch - Config is not compliant with data streams. `data_stream => auto` resolved to `false`
[INFO ] 2023-05-23 09:53:47.636 [Ruby-0-Thread-10: :1] elasticsearch - Using a default mapping template {:es_version=>8, :ecs_compatibility=>:disabled}
[INFO ] 2023-05-23 09:53:47.651 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>20, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>2500, "pipeline.sources"=>["/etc/logstash/conf.d/logstash.conf"], :thread=>"#<Thread:0x388a1cca run>"}
[INFO ] 2023-05-23 09:53:48.071 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>0.42}
[INFO ] 2023-05-23 09:53:48.104 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2023-05-23 09:53:48.131 [[main]<file] observingtail - START, creating Discoverer, Watch with file and sincedb collections
[INFO ] 2023-05-23 09:53:48.146 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}

And no new log files are created:
yasser@Yasser-Dell:/var/log/logstash$ ll
total 48
drwxr-xr-x 2 logstash root 4096 May 19 11:09 ./
drwxrwxr-x 13 root syslog 4096 May 15 12:24 ../
-rw-r--r-- 1 logstash logstash 604 Apr 16 11:36 logstash-deprecation-2023-04-11-1.log.gz
-rw-r--r-- 1 logstash logstash 302 Apr 17 14:58 logstash-deprecation-2023-04-16-1.log.gz
-rw-r--r-- 1 logstash logstash 537 Apr 24 13:51 logstash-deprecation-2023-04-17-1.log.gz
-rw-r--r-- 1 logstash logstash 3006 Apr 24 13:51 logstash-deprecation.log
-rw-rw-r-- 1 logstash logstash 0 Apr 11 12:46 logstash-json.log
-rw-r--r-- 1 logstash logstash 1670 Apr 16 11:36 logstash-plain-2023-04-11-1.log.gz
-rw-r--r-- 1 logstash logstash 1416 Apr 17 14:58 logstash-plain-2023-04-16-1.log.gz
-rw-r--r-- 1 logstash logstash 4730 Apr 24 13:51 logstash-plain-2023-04-17-1.log.gz
-rw-r--r-- 1 logstash logstash 1549 May 19 11:09 logstash-plain-2023-04-24-1.log.gz
-rw-r--r-- 1 logstash logstash 2505 May 19 11:09 logstash-plain.log
-rw-rw-r-- 1 logstash logstash 0 Apr 11 12:46 logstash-slowlog-json.log
-rw-rw-r-- 1 logstash logstash 0 Apr 11 12:46 logstash-slowlog-plain.log

logstash 1670 is EOL and no longer supported. Please upgrade ASAP.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns :elasticheart: )

@Badger
Regarding "enabling TRACE level logging", I already added config.debug: true and log.level: debug to /etc/logstash/logstash.yml as @Rios suggested, but still no new file is created at /var/log/logstash, even though the path is defined in the same file as path.logs: /var/log/logstash

@Rios
Regarding "<path.data>/plugins/inputs/file", I cannot find any plugins folder under /usr/share/logstash/bin.
However, I can find many plugins already installed:

yasser@Yasser-Dell:/usr/share/logstash/bin$ ./logstash-plugin list
Using JAVA_HOME defined java: /usr/lib/jvm/java-17-openjdk-amd64
WARNING: Using JAVA_HOME while Logstash distribution comes with a bundled JDK.
DEPRECATION: The use of JAVA_HOME is now deprecated and will be removed starting from 8.0. Please configure LS_JAVA_HOME instead.
logstash-codec-avro
logstash-codec-cef
logstash-codec-collectd
logstash-codec-dots
logstash-codec-edn
logstash-codec-edn_lines
logstash-codec-es_bulk
logstash-codec-fluent
logstash-codec-graphite
logstash-codec-json
logstash-codec-json_lines
logstash-codec-line
logstash-codec-msgpack
logstash-codec-multiline
logstash-codec-netflow
logstash-codec-plain
logstash-codec-rubydebug
logstash-filter-aggregate
logstash-filter-anonymize
logstash-filter-cidr
logstash-filter-clone
logstash-filter-csv
logstash-filter-date
logstash-filter-de_dot
logstash-filter-dissect
logstash-filter-dns
logstash-filter-drop
logstash-filter-elasticsearch
logstash-filter-fingerprint
logstash-filter-geoip
logstash-filter-grok
logstash-filter-http
logstash-filter-json
logstash-filter-kv
logstash-filter-memcached
logstash-filter-metrics
logstash-filter-mutate
logstash-filter-prune
logstash-filter-ruby
logstash-filter-sleep
logstash-filter-split
logstash-filter-syslog_pri
logstash-filter-throttle
logstash-filter-translate
logstash-filter-truncate
logstash-filter-urldecode
logstash-filter-useragent
logstash-filter-uuid
logstash-filter-xml
logstash-input-azure_event_hubs
logstash-input-beats
└── logstash-input-elastic_agent (alias)
logstash-input-couchdb_changes
logstash-input-dead_letter_queue
logstash-input-elasticsearch
logstash-input-exec
logstash-input-file
logstash-input-ganglia
logstash-input-gelf
logstash-input-generator
logstash-input-graphite
logstash-input-heartbeat
logstash-input-http
logstash-input-http_poller
logstash-input-imap
logstash-input-jms
logstash-input-pipe
logstash-input-redis
logstash-input-s3
logstash-input-snmp
logstash-input-snmptrap
logstash-input-sqs
logstash-input-stdin
logstash-input-syslog
logstash-input-tcp
logstash-input-twitter
logstash-input-udp
logstash-input-unix
logstash-integration-elastic_enterprise_search
 ├── logstash-output-elastic_app_search
 └──  logstash-output-elastic_workplace_search
logstash-integration-jdbc
 ├── logstash-input-jdbc
 ├── logstash-filter-jdbc_streaming
 └── logstash-filter-jdbc_static
logstash-integration-kafka
 ├── logstash-input-kafka
 └── logstash-output-kafka
logstash-integration-rabbitmq
 ├── logstash-input-rabbitmq
 └── logstash-output-rabbitmq
logstash-output-cloudwatch
logstash-output-csv
logstash-output-elasticsearch
logstash-output-email
logstash-output-file
logstash-output-graphite
logstash-output-http
logstash-output-lumberjack
logstash-output-nagios
logstash-output-null
logstash-output-pipe
logstash-output-redis
logstash-output-s3
logstash-output-sns
logstash-output-sqs
logstash-output-stdout
logstash-output-tcp
logstash-output-udp
logstash-output-webhdfs
logstash-patterns-core

@Yasser_Alsawy you haven't set debug or trace,
config.debug: true and log.level: trace in /etc/logstash/logstash.yml

You should have DEBUG records like this:

[2022-02-05T10:25:11,928][DEBUG][logstash.agent           ] Converging pipelines state {:actions_count=>0}
[2022-02-05T10:25:11,944][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}

And why are you mixing two versions?

yasser@Yasser-Dell:/etc/logstash$ cat logstash.yml
path.data: /var/lib/logstash
config.debug: true
log.level: debug
path.logs: /var/log/logstash

yasser@Yasser-Dell:/etc/logstash$ ls -ltr logstash.yml
-rwxrwxrwx 1 root root 12837 May 23 09:43 logstash.yml

Is there any problem with the file name, location or permission, if it is not loaded properly?
When running I use -f for the conf file name, not for the yml file. Should I explicitly mention the yml file somewhere?
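
An added example, not part of the original posts: a shell audit of the directory that would be given to the `--path.settings` option named in the startup warning, checking what the thread checks by hand (is logstash.yml present and readable, what are its active lines) plus the world-writable mode shown in the listing above. The function names are hypothetical, and the parser assumes flat, unquoted `key: value` lines.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Logstash settings directory
# before passing it to --path.settings.

# Print the active (non-blank, non-comment) lines of a settings file.
active_settings() {
  grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# Print the value of a flat "key: value" setting; the last occurrence wins.
setting_value() {
  active_settings "$1" | awk -v k="$2" '
    index($0, k ":") == 1 {
      v = substr($0, length(k) + 2)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
    }
    END { print v }'
}

# Print one finding per line; return 0 only when there are none.
# The body runs in a subshell so its variables stay private.
audit_settings_dir() (
  file="$1/logstash.yml"
  rc=0
  if [ ! -f "$file" ]; then
    echo "missing: $file"
    return 1
  fi
  [ -r "$file" ] || { echo "unreadable by $(id -un): $file"; rc=1; }
  # -perm -0002 matches when the "other" write bit is set.
  if [ -n "$(find -L "$file" -prune -perm -0002)" ]; then
    echo "world-writable: $file"
    rc=1
  fi
  level=$(setting_value "$file" log.level)
  case "$level" in
    ""|fatal|error|warn|info|debug|trace) ;;
    *) echo "invalid log.level: $level"; rc=1 ;;
  esac
  logs=$(setting_value "$file" path.logs)
  if [ -n "$logs" ] && [ ! -d "$logs" ]; then
    echo "path.logs is not a directory: $logs"
    rc=1
  fi
  return "$rc"
)

# Usage: audit_settings_dir /etc/logstash && \
#   logstash --path.settings /etc/logstash -f /etc/logstash/conf.d/logstash.conf
```

A mode such as -rwxrwxrwx lets any local account rewrite the settings Logstash starts with, so the audit flags it.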