Service logstash start, but cannot detect and send logs

Jason_Zheng · July 28, 2015, 9:35am

Hi all,

service logstash start (start ok as following) cannot detect and send logs, but using /opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstashmiki.conf works fine

$service logstash start
$ps aux | grep logstash
logstash 7302 140 1.1 5382352 375316 pts/1 SNl 17:14 0:33 /usr/bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.io.tmpdir=/var/lib/logstash -Xmx500m -Xss2048k -Djffi.boot.library.path=/opt/logstash/vendor/jruby/lib/jni -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.io.tmpdir=/var/lib/logstash -Xbootclasspath/a:/opt/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/opt/logstash/vendor/jruby -Djruby.lib=/opt/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main --1.9 /opt/logstash/lib/bootstrap/environment.rb logstash/runner.rb agent -f /etc/logstash/conf.d -l /var/log/logstash/logstash.log

magnusbaeck · July 28, 2015, 9:36am

What's in the configuration file and in the Logstash logs?

Jason_Zheng · July 28, 2015, 9:41am

Hi Magnusbaeck,

there is only one file called logstashmiki.conf in /etc/logstash/conf.d, the content shown as following.

  1 input {
  2     file {
  3         type => "json"
  4         path => "/var/log/miki/*"
  5     }
  6 }
  7
  8 filter {
  9     if [type="json"] {
 10         json {
 11             source => "message"
 12         }
 13     }
 14 }
 15
 16 output {
 17     stdout { codec => rubydebug }
 18     redis {
 19         host => "redis"
 20         port => "6379"
 21         data_type => "list"
 22         key => "miki"
 23     }
 24 }

In logstash log (/var/log/logstash/logstash.log), the log is written by stopping logstash pipeline command (CTRL+C), no errors in logstash.err and logstash.stdout

  1
  2 {:timestamp=>"2015-07-28T16:28:51.388000+0800", :message=>"SIGTERM received. Shutting down the pipeline.", :level=>:warn}
  3 {:timestamp=>"2015-07-28T16:31:36.145000+0800", :message=>"SIGTERM received. Shutting down the pipeline.", :level=>:warn}

magnusbaeck · July 28, 2015, 12:18pm

Use a json codec or a json filter. Not both. In your case it doesn't matter because

if [type="json"] {

is a bogus syntax. This would've been correct:

if [type] == "json" {

Possible causes include:

The user that Logstash runs as (probably "logstash") doesn't have read permissions to /var/log/miki or the files in that directory.
New data isn't being added to the files, and you've configured Logstash to tail files instead of reading them from the beginning.

Increasing the loglevel by starting Logstash with --verbose or even --debug could provide additional clues.

Jason_Zheng · July 29, 2015, 2:40am

Hi Magnus Bäck,

I correct my syntax in logstashmiki.conf as you said ([type]=="json"), and then it works fine, thanks!

Jason

Topic		Replies	Views
Logstash service started but not working, command line is working Logstash	5	696	July 6, 2017
Logstash service started but not working, command line is working perfectly Logstash	2	2139	July 6, 2017
Logstash not starting Logstash	7	443	October 4, 2022
Logstash 5.2 service doesn't start Logstash	3	533	May 9, 2017
Logstash service fails to start due to Ruby Error Logstash	3	775	April 26, 2022

Service logstash start, but cannot detect and send logs

Related topics