Stdout rubydebug not outputting to file


I have got an nginx output with the stdout configured at the bottom as:

output {
 if [service] == "nginx" and "_grokparsefailure" in [tags] {
   elasticsearch {
      user => "user"
      password => "password"
      hosts => [ "https://elasticsearch_host:9200"]
      cacert => '/etc/logstash/certs/ca.crt'
      index => "logstash-nginx-%{+xxxx.ww}"
      ssl => true
      ssl_certificate_verification => false
   file {
     path => "/home/user/nginx.log"
     codec => rubydebug

When i restart the logstash service, I dont see any file output specified. Any ideas? Thanks.


Just tested your configuration and looks like it working, have you checked the permissions ?

What says the log output of logstash ?

Hi @grumo35,

Thank you. Logstash logs seems good with no errors that I can see of. Logs seems to be ingesting as normal.

I am using root user so wouldn't think there would be any permission issues trying to write to directory path /home/user

Is there any
"{" "}"
Missing in your configuration file ? Looks like the if and output are overlapping.

Hi @grumo35

I think the configuration file looks okay to me unless I have missed something else?

Maybe I will change the folder path to /var/log/logstash as thats where the logstash logs are written to see if it is a permission problem but using root user makes me thing it should not be a porblem where I specify the file path

Hmm seems like that didnt work for me :frowning:

Anymore help from anyone please on this issue?

What's the log output if you set logstash level to debug ?

Hi @grumo35,

Yeah i set log.level to debug and still cant see any obvious issues within logs.

Nothing mentioned about stdout rubydebug.

Curious though, I have my conf files separately as input , filter and output.conf. and restarting logstash service rather than doing as:

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/output.conf

Does that stop stdout from happening? But then I would have seen something in logs to mention this?

It would help a lot if you could post the part of the log just after a restart so we can see what all is loading when logstash starts. Sometimes these kinds of errors do not present themselves directly so it takes looking at the startup logs to figure out what is going on.


Hi @murlin99,

This is what I got from my logs. Please note that I removed the hostname and username and replaced them with xxxxxxxx for security reasons.

[2020-10-08T16:30:03,357][INFO ][logstash.pipeline] Starting pipeline {:pipeline_id=>".monitoring-logstash", "pipeline.workers"=>1, "pipeline.batch.size"=>2, "pipeline.batch.delay"=>50}
[2020-10-08T16:30:03,370][WARN ][logstash.outputs.elasticsearch] ** WARNING ** Detected UNSAFE options in elasticsearch output configuration!
** WARNING ** You have enabled encryption but DISABLED certificate verification.
** WARNING ** To make sure your data is secure change :ssl_certificate_verification to true
[2020-10-08T16:30:03,433][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://xxxxxxxxx:xxxxxx@xxxxxxxxx:9200/]}}
[2020-10-08T16:30:03,533][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"https://xxxxxxxxx:xxxxxx@xxxxxxxxx:9200/"}
[2020-10-08T16:30:03,556][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2020-10-08T16:30:03,556][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2020-10-08T16:30:03,602][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["https://xxxxxxxxxxxxx:9200"]}
[2020-10-08T16:30:06,633][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>".monitoring-logstash", :thread=>"#<Thread:0x2949bfcb run>"}
[2020-10-08T16:30:06,652][INFO ][logstash.agent           ] Pipelines running {:count=>2, :running_pipelines=>[:main, :".monitoring-logstash"], :non_running_pipelines=>[]}
[2020-10-08T16:30:29,528][ERROR][logstash.inputs.metrics  ] Failed to create monitoring event {:message=>"For path: http_address. Map keys: [:os, :jvm, :stats]", :error=>"LogStash::Instrument::MetricStore::MetricNotFound"}
[2020-10-08T16:30:55,994][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

These logs do not show the file output loading. It goes directly from starting the pipeline to the elasticsearch outputs. It almost seems like it is loading the wrong configuration. With logstash running can you run the command sudo lsof | grep logstash so we can take a look at what files are loaded.

Also there should be more loglines above this one where it started pipeline main.
Thank You,
Bryan Vest