Why i'm getting the different data while starting my Logstash as systemctl stat logstash.service and /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/ --config.reload.automatic &.
I i start the Service as service in Linux 7 then it starts and i see all the data feild for syslog while i start the Logstash with later ober with full path /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/ --config.reload.automatic & then it do not show all the fields.
I'm not getting any errors in log file ..
My Logstash file:
Logstash version 6.5.4:
# cat /etc/logstash/conf.d/syslog.conf
input {
file {
path => [ "/data/SYSTEMS/*/messages.log" ]
start_position => beginning
sincedb_path => "/dev/null"
max_open_files => 64000
type => "sj-syslog"
}
}
filter {
if [type] == "sj-syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp } %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
remove_field => ["@version", "host", "path"]
remove_tag => ["_grokparsefailure"]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
if [type] == "sj-syslog" {
elasticsearch {
hosts => "hostdc02:9200"
manage_template => false
index => "sj-syslog-%{+YYYY.MM.dd}"
document_type => "messages"
}
}
}
I see only:
While remove check from hide missing then i see what are other fields missing..
When i stop the full path and then starting the logstash with service mode then all fields are back , Is there anything bad with my configuration..