Prevent Logstash logging to /var/log/messages

Hi,

Could you please guide me how to prevent Logstash logging to /var/log/messages?

Thanks.

Hi @pavuk

that can be changed in the logstash.yml file

/etc/logstash/logstash.yml

at the bottom :slight_smile:

# ------------ Debugging Settings --------------
#
# Options for log.level:
#   * fatal
#   * error
#   * warn
#   * info (default)
#   * debug
#   * trace
#
# log.level: info
path.logs: /var/log/logstash
#

hope that helps

@lueneburger Thank you. But I have exactly the same lines at the bottom of logstash.yml file. And with

tail -f /var/log/messages

I see endless records like

.......
Oct 26 08:48:07 talk logstash: ],
Oct 26 08:48:07 talk logstash: "@timestamp" => 2017-10-26T08:48:07.000Z,
Oct 26 08:48:07 talk logstash: "build" => "",
Oct 26 08:48:07 talk logstash: "response" => 200,
Oct 26 08:48:07 talk logstash: "bytes" => 70084,
Oct 26 08:48:07 talk logstash: "name" => "Chrome",
Oct 26 08:48:07 talk logstash: "os_name" => "Windows 7",
Oct 26 08:48:07 talk logstash: "httpversion" => [
Oct 26 08:48:07 talk logstash: [0] "1.0",
Oct 26 08:48:07 talk logstash: [1] "1.0"
Oct 26 08:48:07 talk logstash: ],
Oct 26 08:48:07 talk logstash: "device" => "Other"
Oct 26 08:48:07 talk logstash: }
Oct 26 08:48:07 talk logstash: {
Oct 26 08:48:07 talk logstash: "request" => [
.........

My /var/log/messages is really huge!

Hi @pavuk,

looks like you got a stdout in your logstash output section? :slight_smile:

something like that:

stdout { codec => rubydebug }

Yes, I have it in output. What should I do with it? :slight_smile:

:smiley:

disable it and see if the log stops growing

Still no luck. Now I have

output {
 elasticsearch {
   hosts => ["http://xxxxx.com:9200/"]
   index => "logstash-logs_%{+YYYY.MM.dd}"
   document_type => "nginx_logs"
 }
# stdout { codec => rubydebug }
}

restarted logstash service and still see logstash output in /var/log/messages :frowning:

Hi @pavuk,

ah ok, I'm using Ubuntu and it's disabled by default.

just take a look at filtering/disabling the audit logs

/etc/rsyslog.d/50-default.conf

#*.=info;*.=notice;*.=warn;\
#       auth,authpriv.none;\
#       cron,daemon.none;\
#       mail,news.none          -/var/log/messages

Hmmm... I'm on CentOS7 and I have the line

*.info;mail.none;authpriv.none;cron.none /var/log/messages

in /etc/rsyslog.conf
But it is a server-wide setting. But I'd like to disable only logstash logging to /var/log/messages
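
Added example, not part of any post in this thread: one way to filter only Logstash out of /var/log/messages with rsyslog, matching on the "logstash" program name visible in the quoted log lines. The drop-in file name and the helper function names are assumptions, and it assumes the stock layout in which /etc/rsyslog.d/*.conf is included before the /var/log/messages rule in /etc/rsyslog.conf.

```shell
#!/bin/sh
# Added example. The drop-in name 00-logstash.conf and the helper names are
# assumptions; the match on program name "logstash" comes from the tag in
# the /var/log/messages lines quoted in the thread.

# Write an rsyslog drop-in that discards messages tagged "logstash" before
# the "*.info;... /var/log/messages" rule in /etc/rsyslog.conf is reached.
write_logstash_filter() {
    dir="${1:-/etc/rsyslog.d}"
    cat > "$dir/00-logstash.conf" <<'EOF'
# Drop only what the logstash process writes to syslog; other programs
# are unaffected. Files written under path.logs do not pass through rsyslog.
if $programname == 'logstash' then stop
EOF
}

# Install the drop-in, syntax-check the whole configuration, then restart.
apply_logstash_filter() {
    write_logstash_filter /etc/rsyslog.d &&
    rsyslogd -N1 &&
    systemctl restart rsyslog
}

# Count syslog lines on stdin whose tag is "logstash:" or "logstash[pid]:",
# to compare /var/log/messages before and after the change.
count_logstash_lines() {
    awk '$5 ~ /^logstash(\[[0-9]+\])?:$/ { n++ } END { print n + 0 }'
}

# Constructed sample in the format shown in the thread.
sample_messages() {
    cat <<'EOF'
Oct 26 08:48:07 talk logstash: "response" => 200,
Oct 26 08:48:07 talk logstash: }
Oct 26 08:48:09 talk sshd[1234]: Accepted publickey for admin from 192.0.2.10
EOF
}

# As root: apply_logstash_filter
# Check:   tail -n 1000 /var/log/messages | count_logstash_lines
```

`stop` removes the matched messages from every rule that follows, so anything that should still be retained or forwarded has to be handled by an action placed before it.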
