Hello
I tried to create a ruby's filter to permit logging messaage only when I have mounted a partition. This is the conf file:
filter {
ruby {
code => 'if File.readlines("/proc/mounts").any?{ |line| line.split(' ')[0] != "/dev/drbd0" }
logger.info("drbd is not mounted. I drop every event")
event.cancel
end'
}
}
output {
if "wm" in [tags] {
file {
codec => line { format => "%{message}" }
path => "/drbd/web-logs/wm.log"
}
}
if "wm_pf" in [tags] {
file {
codec => line { format => "%{message}" }
path => "/drbd/promo-logs/wm_pf.log"
}
}
}
This is the log:
[2019-09-18T11:06:50,489][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2019-09-18T11:06:55,367][INFO ][logstash.runner ] Logstash shut down.
[2019-09-18T11:07:18,494][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.3.0"}
[2019-09-18T11:07:20,100][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 14, column 2 (byte 279) after filter {\n\truby {\n\t\tcode => 'if File.readlines("\/proc\/mounts").any?{ |line| line.split(' ')[0] != "\/dev\/drbd0" }\n\t\t\t\tlogger.info("drbd is not mounted. I drop every event")\n\t\t\t\tevent.cancel\n\t\t\tend'\n\t", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:incompile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in block in compile_sources'", "org/jruby/RubyArray.java:2577:inmap'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:151:ininitialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:24:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:325:inblock in converge_state'"]}
[2019-09-18T11:07:20,434][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
If I test from command line:
bin/logstash --path.settings="/etc/logstash/" -e "filter { ruby { code => ' if File.readlines("/proc/mounts").any?{ |line| line.split(' ')[0] != "/dev/drbd0" } event.cancel end' } }" -t
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.headius.backport9.modules.Modules (file:/usr/share/logstash/logstash-core/lib/jars/jruby-complete-9.2.7.0.jar) to field java.io.FileDescriptor.fd
WARNING: Please consider reporting this to the maintainers of com.headius.backport9.modules.Modules
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Thread.exclusive is deprecated, use Thread::Mutex
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2019-09-18T11:10:12,516][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-09-18T11:10:13,106][FATAL][logstash.runner ] The given configuration is invalid. Reason: Expected one of #, => at line 3, column 126 (byte 201) after filter { ruby { code => ' if File.readlines(/proc/mounts).any?{ |line| line.split(' ')[0] != /dev/drbd0 } event.cancel end'
[2019-09-18T11:10:13,122][ERROR][org.logstash.Logstash ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit
Please, can I help me?
Thank you