Rubydebug is not displayed

sam281 · September 25, 2017, 6:54pm

Hello,

I am running logstash on a windows server and have enabled Rubydebug to see how the data is being processed, but I don't see anything being logged on to console or in the rubydebug file. I have tried both the options stdout and file as mentioned below without any luck.

Any thoughts are appreciated on fixing this. Thanks in Advance.

output {

Uncomment out below file output if users wish to view

event data in a debug file. Specify the path for the file.

stdout{
codec => rubydebug
}
#file {

codec => rubydebug

path => "C:\logstash2.2.1\log\ruby-debug.log"

}

Sam

theuntergeek · September 25, 2017, 7:07pm

rubydebug only works on stdout. It does not work with the file output.

As for why you're not seeing it at the command-line, how is it being launched?

sam281 · September 25, 2017, 7:14pm

I am running the logstash from command prompt below is the command I am using.

logstash agent --verbose -f C:\logstash2.2.1\logstash\plugins\logstash\config\logstash-scala_rubydebug.conf -l C:\logstash2.2.1\log\console.log

theuntergeek · September 25, 2017, 7:40pm

For stdout to work with the rubydebug codec, remove the -l C:\logstash2.2.1\log\console.log portion. It needs to log to the console.

sam281 · September 25, 2017, 8:33pm

Yes, I have tried that already, I see only the Regex patterns being logged in the console.

Below is an excerpt of the output on the conosole.

C:\logstash2.2.1\bin>logstash agent --verbose -f C:\logstash2.2.1\logstash\plugins\logstash\config\logstash-scala_rubydebug.conf
io/console not supported; tty will not be manipulated
Settings: Default pipeline workers: 1
e[32mRegistering file input {:path=>["C:\Windows\System32\winevt\Logs\ForwardedEvents.evtx"], :level=>:info}e[0m
e[32mNo sincedb_path set, generating one based on the file path {:sincedb_path=>"C:\Users\itmuser/.sincedb_d1c5aedc0be3c7fc50ce39bb2e81ca62", :path=>["C:\Windows\System32\winevt\Logs\ForwardedEvents.evtx"], :level=>:info}e[0m
e[32mGrok patterns path {:patterns_dir=>["C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns", "C:/logstash2.2.1/patterns/"], :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/aws", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/bacula", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/bro", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/exim", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/firewalls", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/grok-patterns", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/haproxy", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/java", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/junos", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/linux-syslog", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/mcollective", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/mcollective-patterns", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/mongodb", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/nagios", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/postgresql", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/rails", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/redis", :level=>:info}e[0m
e[32mGrok loading patterns from file {:path=>"C:/logstash2.2.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/ruby", :level=>:info}e[0m
e[32mMatch data {:match=>{"TimeGenerated"=>"%{DATA:TIMEGEN_DATE} %{DATA:TIMEGEN_TIME} %{ISO8601_TIMEZONE:TZ}", "message"=>[]}, :level=>:info}e[0m
e[32mGrok compile {:field=>"TimeGenerated", :patterns=>["%{DATA:TIMEGEN_DATE} %{DATA:TIMEGEN_TIME} %{ISO8601_TIMEZONE:TZ}"], :level=>:info}e[0m
e[32mAdding pattern {"S3_REQUEST_LINE"=>"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})", :level=>:info}e[0m
e[32mAdding pattern {"S3_ACCESS_LOG"=>"%{WORD:owner} %{NOTSPACE:bucket} \[%{HTTPDATE:timestamp}\] %{IP:clientip} %{NOTSPACE:requester} %{NOTSPACE:request_id} %{NOTSPACE:operation} %{NOTSPACE:key} (?:"%{S3_REQUEST_LINE}"|-) (?:%{INT:response:int}|-) (?:-|%{NOTSPACE:error_code}) (?:%{INT:bytes:int}|-) (?:%{INT:object_size:int}|-) (?:%{INT:request_time_ms:int}|-) (?:%{INT:turnaround_time_ms:int}|-) (?:%{QS:referrer}|-) (?:"?%{QS:agent}"?|-) (?:-|%{NOTSPACE:version_id})", :level=>:info}e[0m
e[32mAdding pattern {"ELB_URIPATHPARAM"=>"%{URIPATH:path}(?:%{URIPARAM:params})?", :level=>:info}e[0m
e[32mAdding pattern {"ELB_URI"=>"%{URIPROTO:proto}://(?:%{USER}(?::[^@])?@)?(?:%{URIHOST:urihost})?(?:%{ELB_URIPATHPARAM})?", :level=>:info}e[0m
e[32mAdding pattern {"ELB_REQUEST_LINE"=>"(?:%{WORD:verb} %{ELB_URI:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})", :level=>:info}e[0m
e[32mAdding pattern {"ELB_ACCESS_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb} %{IP:clientip}:%{INT:clientport:int} (?:(%{IP:backendip}:?:%{INT:backendport:int})|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{INT:response:int} %{INT:backend_response:int} %{INT:received_bytes:int} %{INT:bytes:int} "%{ELB_REQUEST_LINE}"", :level=>:info}e[0m
e[32mAdding pattern {"BACULA_TIMESTAMP"=>"%{MONTHDAY}-%{MONTH} %{HOUR}:%{MINUTE}", :level=>:info}e[0m
e[32mAdding pattern {"BACULA_HOST"=>"[a-zA-Z0-9-]+", :level=>:info}e[0m
e[32mAdding pattern {"BACULA_VOLUME"=>"%{USER}", :level=>:info}e[0m
e[32mAdding pattern {"BACULA_DEVICE"=>"%{USER}", :level=>:info}e[0m
e[32mAdding pattern {"BACULA_DEVICEPATH"=>"%{UNIXPATH}", :level=>:info}e[0m
e[32mAdding pattern {"BACULA_CAPACITY"=>"%{INT}{1,3}(,%{INT}{3})*", :level=>:info}e[0m
e[32mAdding pattern {"BACULA_VERSION"=>"%{USER}", :level=>:info}e[0m
e[32mAdding pattern {"BACULA_JOB"=>"%{USER}", :level=>:info}e[0m
e[32mAdding pattern {"BACULA_LOG_MAX_CAPACITY"=>"User defined maximum volume capacity %{BACULA_CAPACITY} exceeded on device \"%{BACULA_DEVICE:device}\" \(%{BACULA_DEVICEPATH}\)", :level=>:info}e[0m
e[32mAdding pattern {"BACULA_LOG_END_VOLUME"=>"End of medium on Volume \"%{BACULA_VOLUME:volume}\" Bytes=%{BACULA_CAPACITY} Blocks=%{BACULA_CAPACITY} at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}.", :level=>:info}e[0m
e[32mAdding pattern {"BACULA_LOG_NEW_VOLUME"=>"Created new Volume \"%{BACULA_VOLUME:volume}\" in catalog.", :level=>:info}e[0m
e[32mAdding pattern {"BACULA_LOG_NEW_LABEL"=>"Labeled new Volume \"%{BACULA_VOLUME:volume}\" on device \"%{BACULA_DEVICE:device}\" \(%{BACULA_DEVICEPATH}\).", :level=>:info}e[0m

theuntergeek · September 25, 2017, 8:35pm

You shouldn't need to add agent, and remove --verbose for this test.

sam281 · September 25, 2017, 8:40pm

I still don't see anything being logged on the console. Below is the ouput.

C:\logstash2.2.1\bin>logstash -f C:\logstash2.2.1\logstash\plugins\logstash\config\logstash-scala_rubydebug.conf
io/console not supported; tty will not be manipulated
Settings: Default pipeline workers: 1
Logstash startup completed

theuntergeek · September 25, 2017, 9:37pm

I am AFK at the moment. There was something about how Windows launched java that did this, but I don't remember off hand. Is there a reason you're not using a more recent version? Like 5.6.1?

sam281 · September 25, 2017, 10:35pm

I am using logstash with an IBM log management product, so I had to use the custom output plugin which is developed for the product. I had to go with officially supported logstash which is 2.2.1 and not sure about support of the latest version of Logstash with the plugin.

Do you have any thoughts regarding using filebeats or winlogbeat with custom plugins to divert the output to a different tool?

sam281 · September 27, 2017, 4:39pm

Hi,

As you suggested I am trying to use logstash 5.6.2. now I see a different issue that its unable to locate jruby.

C:\logstash-5.6.2\bin>logstash.bat --configtest -f C:\logstash2.2.1\logstash\plugins\logstash\config\logstash-scala_rubydebug.conf
"could not find jruby in C:\logstash-5.6.2\vendor\jruby"

Do we have to set any environment variables to point Jruby which is coming with Logstash? Any help is appreciated.

Thanks.

theuntergeek · September 27, 2017, 6:58pm

Have you tried running setup.bat in the same directory? Is JAVA_HOME properly set?

sam281 · September 27, 2017, 7:05pm

Yes, I just tried setup.bat which is again complaining about jruby.

C:\logstash-5.6.2\bin>setup.bat
"could not find jruby in C:\logstash-5.6.2\vendor\jruby"

Below if the JAVA_HOME path.

C:\logstash-5.6.2\bin>echo %JAVA_HOME%
C:\logstash2.2.1\eclipseDevelopmentPackage\ibm_sdk80

theuntergeek · September 27, 2017, 7:23pm

That JVM is not a supported one. I'm sorry this is not straightforward. I'm not sure what to say at this point. It seems that a very custom installation was created to support the IBM JDK, and your specific plugin. Perhaps the people who created it know more?

system · October 25, 2017, 7:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Where can I find rubydebug output Logstash	4	26080	August 26, 2017
Rubydebug codec not working Logstash	5	1443	July 6, 2017
Logstash Logging setting to output rubydebug info for running service Logstash	12	3721	December 3, 2021
Stdout rubydebug not outputting to file Logstash	12	821	November 6, 2020
Where is logstash.stdout for v5.2? Logstash	3	988	April 6, 2017

Rubydebug is not displayed

Uncomment out below file output if users wish to view

event data in a debug file. Specify the path for the file.

codec => rubydebug

path => "C:\logstash2.2.1\log\ruby-debug.log"

}

Related Topics