Service logstash start, but cannot detect and send logs

Jason_Zheng · July 28, 2015, 9:35am

Hi all,

service logstash start (start ok as following) cannot detect and send logs, but using /opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstashmiki.conf works fine

$service logstash start
$ps aux | grep logstash
logstash 7302 140 1.1 5382352 375316 pts/1 SNl 17:14 0:33 /usr/bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.io.tmpdir=/var/lib/logstash -Xmx500m -Xss2048k -Djffi.boot.library.path=/opt/logstash/vendor/jruby/lib/jni -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.io.tmpdir=/var/lib/logstash -Xbootclasspath/a:/opt/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/opt/logstash/vendor/jruby -Djruby.lib=/opt/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main --1.9 /opt/logstash/lib/bootstrap/environment.rb logstash/runner.rb agent -f /etc/logstash/conf.d -l /var/log/logstash/logstash.log

magnusbaeck · July 28, 2015, 9:36am

What's in the configuration file and in the Logstash logs?

Jason_Zheng · July 28, 2015, 9:41am

Hi Magnusbaeck,

there is only one file called logstashmiki.conf in /etc/logstash/conf.d, the content shown as following.

  1 input {
  2     file {
  3         type => "json"
  4         path => "/var/log/miki/*"
  5     }
  6 }
  7
  8 filter {
  9     if [type="json"] {
 10         json {
 11             source => "message"
 12         }
 13     }
 14 }
 15
 16 output {
 17     stdout { codec => rubydebug }
 18     redis {
 19         host => "redis"
 20         port => "6379"
 21         data_type => "list"
 22         key => "miki"
 23     }
 24 }

In logstash log (/var/log/logstash/logstash.log), the log is written by stopping logstash pipeline command (CTRL+C), no errors in logstash.err and logstash.stdout

  1
  2 {:timestamp=>"2015-07-28T16:28:51.388000+0800", :message=>"SIGTERM received. Shutting down the pipeline.", :level=>:warn}
  3 {:timestamp=>"2015-07-28T16:31:36.145000+0800", :message=>"SIGTERM received. Shutting down the pipeline.", :level=>:warn}

magnusbaeck · July 28, 2015, 12:18pm

Use a json codec or a json filter. Not both. In your case it doesn't matter because

if [type="json"] {

is a bogus syntax. This would've been correct:

if [type] == "json" {

Possible causes include:

The user that Logstash runs as (probably "logstash") doesn't have read permissions to /var/log/miki or the files in that directory.
New data isn't being added to the files, and you've configured Logstash to tail files instead of reading them from the beginning.

Increasing the loglevel by starting Logstash with --verbose or even --debug could provide additional clues.

Jason_Zheng · July 29, 2015, 2:40am

Hi Magnus Bäck,

I correct my syntax in logstashmiki.conf as you said ([type]=="json"), and then it works fine, thanks!

Jason