Stdout cause syslog file to be to big

Honestabe · May 23, 2024, 10:48pm

sometime I have to use

stdout { codec => rubydebug { metadata => true } }

to do some troubleshooting on a pipeline.

I noticed that when I do the syslog file is taking up GB of storage.

is there a way to have it write to a separate file instead so that I can easy delete it when I am done with it?

Badger · May 23, 2024, 11:37pm

Instead of using a stdout output, use a file output

file { codec => rubydebug { metadata => true } path => "/path/to/log.log" }

If the output keeps the file open then deleting it will not free up disk space.

Rios · May 24, 2024, 9:30am

Just to add...

path => "/path/to/log.log"

Since you have the output files in GB, maybe is useful to use files on daily base.
path => "/path/to/log_%{+YYYY-MM-dd}.log"

Honestabe · May 24, 2024, 4:20pm

That helped a lot. Thanks ! Is there a way to name based on the pipeline and host it is coming from? Or have it auto generate sub folders based on them?

Badger · May 24, 2024, 5:10pm

You can reference any field on the event in the path option of the file output, although there are a couple of restrictions.

You could use a ruby filter to add the pipeline_id and hostname to the event. I would add them inside the [@metadata] field, which you can reference in the output using %{}, but they will not be sent to the destination with the rest of the fields on the event.

Something like

ruby {
    init => 'require "socket"'
    code => '
        # Or save in @class variable in init to avoid repeated call
        event.set("[@metadata][hostname]", Socket.gethostname)

        event.set("[@metadata][pipeline_id]", execution_context.pipeline.pipeline_id)"
    '
 }

...

file {
    path => "/TheFixedBit/%{[@metadata][hostname]/%{@metadata][pipeline_id]}-%{+YYYY-MM-dd}.log"
    ...

Honestabe · May 24, 2024, 9:47pm

will this give me the host name of the logstash server or the sever the beats agent is send data from?

Badger · May 24, 2024, 10:01pm

It would be the hostname of the logstash server. If you want the hostname of the beat then have the beat add host metadata to the event.

Honestabe · May 24, 2024, 10:34pm

I ended up using this

file { codec => rubydebug { metadata => true } path => "/logstash/logs/file_output/%{[@metadata][beat]}/%{[host.hostname]}.log" }

It worked but it returned {[host.hostname]}.log as the file name and not the actual host name

Honestabe · May 24, 2024, 10:38pm

file { codec => rubydebug { metadata => true } path => "/logstash/logs/file_output/%{[@metadata][beat]}/%{[host][hostname]}.log" }

This one worked.

Topic		Replies	Views
Logstash disable Stdout Logstash	5	1275	May 26, 2020
Logstash output going to syslog Logstash	6	396	September 29, 2018
Beginner issue - testing output to stdout Logstash	9	4572	July 6, 2017
Where can I find rubydebug output Logstash	4	26112	August 26, 2017
Logstash.stdout large size? Logstash	6	6649	July 6, 2017

Stdout cause syslog file to be to big

Related topics