sharbich
(Stefan Harbich)
February 27, 2024, 5:21pm
Hello,
I capture logs from a Docker container according to the following pattern.
routes:
  - multiline+logstash+tcp://logstash.intern.example.com:50000
env:
  - name: SYSLOG_HOSTNAME
    value: homeassistant
  - name: INACTIVITY_TIMEOUT
    value: 1m
  - name: MULTILINE_PATTERN
    value: >-
      (\d\d(\d\d)?[-/]\d\d[-/]\d\d[T
      ]\d\d:\d\d:\d\d)|(^s6-rc:)|(^\[\d\d:\d\d:\d\d\])|(\d\d:\d\d:\d\d\
      -)|(^[TDIWEF]:)
  - name: MULTILINE_MATCH
    value: first
  - name: INCLUDE_CONTAINERS
    value: homeassistant
  - name: LOGSTASH_FIELDS
    value: source=hame01
Here is the Logstash config:
root@dsme01:~# cat /etc/logstash/conf.d/syslog/syslog_hame01.conf
input {
  tcp {
    host => "logstash.intern.example.com"
    port => 50000
    codec => json
  }
}
## Add your filters / logstash plugins configuration here
filter {
  if ([source] == "my-home-assistant") {
    if ([docker][name] == "/homeassistant") {
      grok {
        patterns_dir => ["/usr/share/logstash/pipeline/patterns"]
        match => { "message" => "%{LOGLEVEL:log_level}%{SPACE}\(%{GREEDYDATA:log_thread}\)%{SPACE}\[%{LOGGER_NAME:log_name}\]%{SPACE}%{GREEDYDATA:log_message}" }
      }
      mutate {
        gsub => [ "log_message", "\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|M|K]", "" ]
      }
      if [log_message] =~ /\n/ {
        mutate {
          copy => { "log_message" => "log_trace" }
        }
        mutate {
          gsub => [ "log_message", "(?m)^([^\n]*)$.*", "\1" ]
        }
      }
    } else {
      drop { }
    }
  }
}
output {
  elasticsearch {
    hosts => "elasticsearch.intern.example.com:9200"
    user => "elastic"
    password => "elastic"
    ssl => true
    cacert => "/etc/logstash/config/certs/HarbichCA.crt"
    index => "syslog_hame01-%{+YYYY.MM.dd}"
  }
}
I see the information in Kibana.
Can I also see the messages in a file on the ELK host in order to search for the contents with another program (fail2ban)?
Greetings from Stefan Harbich
Rios
(Rios)
February 27, 2024, 8:22pm
Well, it's easier to search in Kibana Discover.
In order to see what LS will send to ES, you can add in the output:
file { path => "/path/syslog_%{+YYYY-MM-dd}.txt" }
sharbich
(Stefan Harbich)
February 27, 2024, 10:07pm
Hello,
Unfortunately that does not work. Here is my adjusted configuration:
file {
  path => "/var/log/homeassistant/syslog_hame01.log"
}
and the error in the log:
[2024-02-27T23:00:40,970][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:hame01, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"=>\" at line 42, column 10 (byte 1127) after output {\n elasticsearch {\n hosts => \"elasticsearch.intern.example.com:9200\"\n user => \"elastic\"\n password => \"elastic\"\n ssl => true\n cacert => \"/etc/logstash/config/certs/HarbichCA.crt\"\n index => \"syslog_hame01-%{+YYYY.MM.dd}\"\n file ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:239:in `initialize'", "org/logstash/execution/AbstractPipelineExt.java:173:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:48:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:49:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:386:in `block in converge_state'"]}
Where is the mistake?
Greetings from Stefan Harbich
Rios
(Rios)
February 27, 2024, 10:23pm
at line 42, column 10 <-- You have an issue here.
Try with this:
output {
  elasticsearch {
    hosts => "elasticsearch.intern.example.com:9200"
    user => "elastic"
    password => "pass"
    ssl => true
    cacert => "/etc/logstash/config/certs/HarbichCA.crt"
    index => "syslog_hame01-%{+YYYY.MM.dd}"
  }
  file { path => "/var/log/homeassistant/syslog_hame01.log" }
}
sharbich
(Stefan Harbich)
February 28, 2024, 10:08am
It just doesn't work. I checked the permissions. From my point of view everything is fine. I even set the permission to 777. The following users are authorized to write to the directory (elasticsearch, logstash or root). I created the file. Nothing helps. It just doesn't work. No log file is written. Do I have to install a plugin so that the file can be created? What else can I do?
Rios
(Rios)
February 28, 2024, 10:37am
No, you don't have to install the file plugin, it's already included in the LS installation.
Error: "line 42, column 10" means your .conf file is not OK, most likely brackets are not closed.
Again, if you run LS as servicectl, your user is "logstash:logstash" and you should change the ownership. If you run it as a process from the command line, then that user needs write permissions.
Basically, "file { path ..." will write the same data which goes to ES to local disk.
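To put the two suggestions above (file {} as a sibling of elasticsearch {}, and a file the logstash user can actually write) into one complete output section, here is an added example; it is not from this thread or from Elastic's documentation. It assumes the path /var/log/homeassistant/syslog_hame01.log, a line codec so fail2ban gets one plain-text line per event instead of the default json_lines, and the file_mode / dir_mode values shown (these last two are choices made for the example):

```logstash
output {
  elasticsearch {
    hosts    => "elasticsearch.intern.example.com:9200"
    user     => "elastic"
    password => "pass"
    ssl      => true
    cacert   => "/etc/logstash/config/certs/HarbichCA.crt"
    index    => "syslog_hame01-%{+YYYY.MM.dd}"
  }

  # Sibling of elasticsearch {}, NOT nested inside it. A file {} block placed
  # inside elasticsearch {} is exactly what the parser reports as
  # "Expected one of [ \t\r\n], "#", "=>" at line 42".
  file {
    path => "/var/log/homeassistant/syslog_hame01.log"

    # The file output defaults to json_lines. fail2ban filters are regexes over
    # plain text, so emit one line per event using the fields the grok filter
    # in this pipeline creates (assumption: the grok branch actually ran).
    codec => line { format => "%{@timestamp} %{log_level} [%{log_name}] %{log_message}" }

    # Assumed permissions: owner (logstash) writes, group may read the file so a
    # fail2ban reader does not need root or a world-writable 777 directory.
    file_mode => 0640
    dir_mode  => 0750
  }
}
```

Check the syntax before restarting the service with `bin/logstash -f /etc/logstash/conf.d/syslog/syslog_hame01.conf --config.test_and_exit`, and when Logstash runs under systemd make /var/log/homeassistant owned by logstash:logstash rather than chmod 777. Two caveats: file_mode and dir_mode only apply when Logstash creates the file or directory itself, so a file pre-created as root keeps root's mode; and an unresolved `%{field}` is written literally, so if a line reads `%{log_level}` the grok branch did not run for that event, which in this pipeline happens whenever `[source]` does not equal the value logspout actually sends (the first post sets source=hame01 while the filter compares against "my-home-assistant").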
sharbich
(Stefan Harbich)
February 28, 2024, 11:48am
Rios:
No, you don't have to install the file plugin, it's already included in the LS installation.
Error: "line 42, column 10" means your .conf file is not OK, most likely brackets are not closed.
Again, if you run LS as servicectl, your user is "logstash:logstash" and you should change the ownership. If you run it as a process from the command line, then that user needs write permissions.
Basically, "file { path ..." will write the same data which goes to ES to local disk.
I've tried everything. Permissions checked. Tried all variants. No file is created under "/var/log/homeassistant/". I just don't know why?
Here is my config:
root@dsme01:~# cat /etc/logstash/conf.d/syslog/syslog_hame01.conf
input {
  tcp {
    host => "logstash.intern.example.com"
    port => 50000
    codec => json
  }
}
## Add your filters / logstash plugins configuration here
filter {
  if ([source] == "my-home-assistant") {
    if ([docker][name] == "/homeassistant") {
      grok {
        patterns_dir => ["/usr/share/logstash/pipeline/patterns"]
        match => { "message" => "%{LOGLEVEL:log_level}%{SPACE}\(%{GREEDYDATA:log_thread}\)%{SPACE}\[%{LOGGER_NAME:log_name}\]%{SPACE}%{GREEDYDATA:log_message}" }
      }
      mutate {
        gsub => [ "log_message", "\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|M|K]", "" ]
      }
      if [log_message] =~ /\n/ {
        mutate {
          copy => { "log_message" => "log_trace" }
        }
        mutate {
          gsub => [ "log_message", "(?m)^([^\n]*)$.*", "\1" ]
        }
      }
    } else {
      drop { }
    }
  }
}
output {
  elasticsearch {
    hosts => "elasticsearch.intern.example.com:9200"
    user => "elastic"
    password => "elastic"
    ssl => true
    cacert => "/etc/logstash/config/certs/HarbichCA.crt"
    index => "syslog_hame01-%{+YYYY.MM.dd}"
  }
  file { path => "/var/log/homeassistant/syslog_hame01.log" }
}
Badger
February 28, 2024, 6:02pm
What error message do you get after you changed the .conf file?
sharbich
(Stefan Harbich)
February 28, 2024, 8:16pm
Hello,
I found my error. My "logspout addon" had stopped. Therefore no data was provided. Now everything works. Many thanks for the help.
Greetings from Stefan Harbich