I am upgrading from the 1.5 branch to 2.0. I am getting the following errors on startup:
"Default settings used: Filter workers: 1
The error reported is:
pattern %{HOST:thehost} not defined
"
I think %{HOST} is a default pattern included with logstash, so it is not a case of having a bad patterns directory. No problems with 1.5.
What's your config look like?
The host configuration option is now hosts in logstash 2.0
https://www.elastic.co/guide/en/logstash/current/breaking-changes.html
The config is fairly large to copy and paste and it isn't giving me a line number. And if I try it with --configtest, it surprisingly passes.
I did remove the entire filter {} section and it worked so it is not happy with something there.
I added this to the beginning of every grok stanza, to be safe, following an issue I found on github:
patterns_dir => "/etc/logstash/patterns"
I've already updated to change "host" to "hosts" since I saw that in the incompatible changes. That's not the problem here, but thanks for the suggestion.
Might it have anything to do with this? Grok -> patterns_dir not working in logstash 1.5.0 Do I need to install a plugin to access the patterns included with logstash by default?
Edit: confirmed that %{HOST} is a built-in pattern (or at least grok debugger says it is): https://grokdebug.herokuapp.com/patterns# (look under grok-patterns)
Edit2: I am not confident that it is related but the logstash log is filling up with permission denied errors like this one for local files:
{:timestamp=>"2015-11-11T06:28:13.624000-0500", :message=>"failed to open /var/log/syslog: Permission denied - /var/log/syslog", :level=>:warn}If you start Logstash with --debug it'll tell you about all pattern files and patterns that it reads. That might give you some clues.
Thanks for the tip.
I used --debug but it was a bit overwhelming and still did not display a line number or greater information for the error. I did manage to find that it was actually loading the default patterns from somewhere in /opt/logstash, making the error that much more strange. Is there anyway to force a line number for this error? It doesn't seem like a normal error, especially since I have encountered grok errors before and they are pretty self-explanatory to debug.
Were you able to figure it out? I am having the same issue.
%{HOST:domain} => %{IPORHOST:domain} fix my problem.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.