Removing Logstash logs from syslog

sud0 · October 7, 2019, 1:29am

Hi.

My logstash is sending logs to /var/log/syslog, which is causing the disk to fill up pretty quick.
How can I disable it?

My logstash.yml:

log.level: info
path.logs: /var/log/logstash

syslog:

root@elk:/etc/logstash# tail -n 10 /var/log/syslog
Oct  7 14:28:39 elk logstash[7097]:     "environment" => "production",
Oct  7 14:28:39 elk logstash[7097]:           "class" => "TransactionDocumentPersisterImpl.message",
Oct  7 14:28:39 elk logstash[7097]:         "message" => "Transaction coo2 b2f51909 Message cooLocalNewOwnerDetails 1897334591 | timestamp: 2019-10-07T14:28:38.082+13:00",
Oct  7 14:28:39 elk logstash[7097]:            "host" => "appserver.datacentre.example.co.nz",
Oct  7 14:28:39 elk logstash[7097]:        "@version" => "1",
Oct  7 14:28:39 elk logstash[7097]:       "log-level" => "INFO",
Oct  7 14:28:39 elk logstash[7097]:      "@timestamp" => 2019-10-07T01:28:38.083Z,
Oct  7 14:28:39 elk logstash[7097]:            "path" => "/mnt/example/app/industry/industry.log",
Oct  7 14:28:39 elk logstash[7097]:            "type" => "web_industry_log"
Oct  7 14:28:39 elk logstash[7097]: }

Badger · October 7, 2019, 1:13pm

I would guess that you are running logstash as a service and whatever service manager you are using is cc'ing stdout to /var/log/syslog. You can reconfigure that in the service manager.

sud0 · October 8, 2019, 10:05pm

Yes.. I thought that too.. but it is not the case.

Locate logstash.service:

root@elk:~# locate logstash.service
/etc/systemd/system/logstash.service
/etc/systemd/system/multi-user.target.wants/logstash.service

file /etc/systemd/system/logstash.service:

[Unit]
Description=logstash

[Service]
Type=simple
User=logstash
Group=logstash
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
Restart=always
WorkingDirectory=/
Nice=19
LimitNOFILE=16384

[Install]
WantedBy=multi-user.target

file /etc/systemd/system/multi-user.target.wants/logstash.service:

same as above

file /etc/default/logstash:

LS_HOME="/usr/share/logstash"
LS_SETTINGS_DIR="/etc/logstash"
LS_PIDFILE="/var/run/logstash.pid"
LS_USER="logstash"
LS_GROUP="logstash"
LS_GC_LOG_FILE="/var/log/logstash/gc.log"
LS_OPEN_FILES="16384"
LS_NICE="19"
SERVICE_NAME="logstash"
SERVICE_DESCRIPTION="logstash"

file /etc/sysconfig/logstash:

empty

sud0 · October 8, 2019, 10:24pm

This issue seems to be related.

Badger · October 8, 2019, 11:28pm

This issue and this issue are related.

sud0 · October 8, 2019, 11:35pm

The solution proposed here solved my problem.

system · November 5, 2019, 11:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Prevent Logstash Service logging to /var/log/syslog Logstash	2	705	April 14, 2020
How to Disable logstash error logging in syslog Logstash	2	1134	December 14, 2019
Prevent Logstash Service logging to /var/log/messages Logstash	3	2860	June 20, 2019
Logsstash filling up /var/log/syslog? Logstash	5	1971	December 28, 2017
Prevent Logstash logging to /var/log/messages Logstash	9	9372	November 23, 2017

Removing Logstash logs from syslog

Related topics