Running logstash in docker container - but apache logs don't get indexed

linuxdev · November 11, 2016, 8:40pm

Hi. Im running logstash in docker container - but apache logs don't get indexed

Here's how I launch logstash in docker:

docker run -d \
    -v /srv/logstash/config:/config-dir \
    -v /var/log/:/var/log \
    --name logstash \
    logstash logstash -f /config-dir/mw.conf

Here's my config file:

input {
  file {
    type => "apache-access"
    path => "/var/log/apache2/mwol_v3-access.log"
    start_position => "beginning" 
  }
}
filter {
  if [path] =~ "access" {
    mutate { replace => { "type" => "apache_access" } }
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
  }
  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["example.com:2108"]
  }
}

magnusbaeck · November 12, 2016, 6:16pm

If the input file is older than 24 hours you may have to adjust the file input's ignore_older option. Otherwise, bump Logstash's log level and inspect its logs. Look for entries containing "mwol_v3-access.log".

system · December 10, 2016, 6:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.