Worker loop initialization error in logstash

Hi,
We are getting a worker loop initialization error while starting Logstash. Please help to rectify the issue. The conf file is attached; please also find the error logs.

Error logs in logstash:

[2020-09-14T18:14:59,496][ERROR][logstash.javapipeline ][niadb] Worker loop initialization error {:pipeline_id=>"niadb", :error=>"Unexpected input types class org.logstash.config.ir.expression.ValueExpression class org.logstash.config.ir.expression.binary.Or", :exception=>Java::OrgLogstashConfigIrCompiler::EventCondition::Compiler::UnexpectedTypeException,
[2020-09-14T18:14:59,584][ERROR][logstash.agent ] Failed to execute action {:id=>:niadb, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create, action_result: false", :backtrace=>nil}

.conf file:

```
input {
   beats
        {port => "5047"}

}

filter
{

# Create new field: oradb_status: starting,running,shutdown
if (/syslog/database/abc/alert_abc.log" in [source])
{
if [message] =~ /Starting ORACLE instance/ {
    mutate {
        add_field => [ "oradb_status", "starting" ]
    }
 } else if [message] =~ /Instance shutdown complete/ {
    mutate {
        add_field => [ "oradb_status", "shutdown" ]
    }
 } else {
      mutate {
        add_field => [ "oradb_status", "running" ]
    }
 }

# Search for ORA- and create field if match

if [message] =~ /ORA-/ {
 grok {
   match => [ "message","(?<ORA->ORA-[0-9]*)" ]
 }
}
else {
 drop {
 }
 }

# Extract the date and the rest from the message
  grok {
    match => [ "message","%{DAY:day} %{MONTH:month} %{MONTHDAY:monthday} %{TIME:time} %{YEAR:year}(?<log_message>.*$)" ]
        }

 #Extract DB instance name from file name
 grok {
        match => [ "source","%{DATA}\/alert_%{DATA:db_instance}.log" ]
      }

  mutate {
       add_field => {
        "timestamp" => "%{year} %{month} %{monthday} %{time}"
       }
  }
# replace the timestamp by the one coming from the alert.log
  date {
     locale => "en"
      match => [ "timestamp" , "yyyy MMM dd HH:mm:ss" ]
#       timezone => "Asia/Kolkata"
        }

# replace the message (remove the date)
  mutate { replace => [ "message", "%{log_message}" ]  }

  mutate {
      remove_field => [ "time" ,"month","monthday","year","day","log_message"]
  }

}
else if (/syslog/database/xyz/alert_xyz.log" in [source]] )

{
 if [message] =~ /Starting ORACLE instance/ {
    mutate {
        add_field => [ "oradb_status", "starting" ]
    }
 } else if [message] =~ /Instance shutdown complete/ {
    mutate {
        add_field => [ "oradb_status", "shutdown" ]
    }
 } else {
      mutate {
        add_field => [ "oradb_status", "running" ]
    }
 }

# Search for ORA- and create field if match

if [message] =~ /ORA-/ {
 grok {
   match => [ "message","(?<ORA->ORA-[0-9]*)" ]
 }
  }
else {
 drop {
 }
 }
grok {
    match => [ "message","%{TIMESTAMP_ISO8601:isotimestamp}(?<log_message>.*$)" ]
        }

 #Extract DB instance name from file name
 grok {
        match => [ "source","%{DATA}\/alert_%{DATA:db_instance}.log" ]
      }

grok {
    match => [ "isotimestamp","%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:monthday}T%{HOUR:hour}:%{MINUTE:minute}:%{INT:second}.%{GREEDYDATA}" ]
    }

 mutate {
       add_field => {
        "timestamp" => "%{year} %{month} %{monthday} %{hour}:%{minute}:%{second}"
       }
  }
# replace the timestamp by the one coming from the alert.log
  date {
      locale => "en"
      match => [ "timestamp" , "yyyy MM dd HH:mm:ss" , "yyyy MMM dd HH:mm:ss" ]
#        timezone => "Asia/Kolkata"
        }

# replace the message (remove the date)
  mutate { replace => [ "message", "%{log_message}" ]  }

  mutate {
      remove_field => [ "year" ,"month","monthday","hour","minute","second","log_message","isotimestamp"]
  }

}



}

output {


   elasticsearch
                        {
                        hosts => [ "https://abc:9200" ]
                        index => "abc-%{+YYYY.MM.dd}"
                        ssl => true
                        cacert => ["/etc/logstash/ELK.crt"]
                        user => "elastic"
                        password => "abc"
                        }


}
```
Note: ELK version 7.8

There are several errors in your configuration. For example, you are missing an opening double quote on this line.

I once worked on an application that used that test to detect Oracle errors. Then one night it processed a record for a client with the hyphenated name DORA-ANN. Before going back to bed the support team submitted a request for the test to be changed to something more like

```
if [message] =~ /\bORA-\d{5}\b/ {
```
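Added example, not part of the original thread: a Ruby sketch that runs the `/ORA-/` test from the posted configuration and the tightened pattern suggested above over constructed sample messages, to show which lines only the broad test lets through. The sample lines and the helper names (`classify`, `false_positives`, `error_codes`) are assumptions made for illustration.

```ruby
# Broad test from the posted configuration vs. the tightened test from the reply.
LOOSE  = /ORA-/
STRICT = /\bORA-\d{5}\b/

# Constructed sample messages (not taken from any real alert log).
SAMPLES = [
  "ORA-00600: internal error code, arguments: [kdsgrp1]",
  "Errors in file /u01/trace/abc_ora_1234.trc: ORA-01555: snapshot too old",
  "Processed record for client DORA-ANN SMITH",
  "Starting ORACLE instance (normal)",
  "Reference ORA-123 is too short to be an error code",
  "XORA-00600 embedded in a longer token",
].freeze

# Report how each pattern judges one message.
def classify(line)
  { loose: LOOSE.match?(line), strict: STRICT.match?(line) }
end

# Lines the broad test treats as Oracle errors but the tightened test rejects.
# With the posted config these would be kept and grokked instead of dropped.
def false_positives(lines)
  lines.select do |line|
    result = classify(line)
    result[:loose] && !result[:strict]
  end
end

# Extract every well-formed ORA-NNNNN code from a message.
def error_codes(line)
  line.scan(STRICT)
end

if __FILE__ == $PROGRAM_NAME
  puts format("%-6s %-6s %s", "loose", "strict", "message")
  SAMPLES.each do |line|
    puts format("%-6s %-6s %s", *classify(line).values, line)
  end
  puts "false positives of the broad test: #{false_positives(SAMPLES).length}"
end
```

The word boundaries reject codes embedded in a longer token, and the fixed five-digit count rejects hyphenated names and short references that merely contain `ORA-`.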

Hi Badger,

Thank you for looking into this. The opening double quote on this line:
if (/syslog/database/abc/alert_abc.log" in [source])
went missing while changing the original source path - /syslog/database/abc/alert_abc.log - due to security concerns. Otherwise it is not missing in the original conf file. It is just a copy-paste mistake. Please accept my apologies for the same. I am already using this .conf file in one of the environments, which has ELK 6.2. This issue happened when I copied the same configuration to the upgraded ELK stack, version 7.8. I am not sure if this issue is version specific, as some of the plugins from the .conf file might not be supported by the upgraded application version. Logstash just does not start and throws this worker loop initialization error while starting. Please help me with this.

You cannot expect folks to guess which errors in your configuration are copy and paste mistakes. You need to eliminate all of them.

Yes. Please accept my apology for that and find the updated .conf file. Kindly help me with the issue.

```
input {
   beats
        {port => "5047"}

}

filter
{

# Create new field: oradb_status: starting,running,shutdown
if ("/syslog/database/abc/alert_abc.log" in [source])
{
if [message] =~ /Starting ORACLE instance/ {
    mutate {
        add_field => [ "oradb_status", "starting" ]
    }
 } else if [message] =~ /Instance shutdown complete/ {
    mutate {
        add_field => [ "oradb_status", "shutdown" ]
    }
 } else {
      mutate {
        add_field => [ "oradb_status", "running" ]
    }
 }

# Search for ORA- and create field if match

if [message] =~ /ORA-/ {
 grok {
   match => [ "message","(?<ORA->ORA-[0-9]*)" ]
 }
}
else {
 drop {
 }
 }

# Extract the date and the rest from the message
  grok {
    match => [ "message","%{DAY:day} %{MONTH:month} %{MONTHDAY:monthday} %{TIME:time} %{YEAR:year}(?<log_message>.*$)" ]
        }

 #Extract DB instance name from file name
 grok {
        match => [ "source","%{DATA}\/alert_%{DATA:db_instance}.log" ]
      }

  mutate {
       add_field => {
        "timestamp" => "%{year} %{month} %{monthday} %{time}"
       }
  }
# replace the timestamp by the one coming from the alert.log
  date {
     locale => "en"
      match => [ "timestamp" , "yyyy MMM dd HH:mm:ss" ]
#       timezone => "Asia/Kolkata"
        }

# replace the message (remove the date)
  mutate { replace => [ "message", "%{log_message}" ]  }

  mutate {
      remove_field => [ "time" ,"month","monthday","year","day","log_message"]
  }

}
else if ("/syslog/database/xyz/alert_xyz.log" in [source]] )

{
 if [message] =~ /Starting ORACLE instance/ {
    mutate {
        add_field => [ "oradb_status", "starting" ]
    }
 } else if [message] =~ /Instance shutdown complete/ {
    mutate {
        add_field => [ "oradb_status", "shutdown" ]
    }
 } else {
      mutate {
        add_field => [ "oradb_status", "running" ]
    }
 }

# Search for ORA- and create field if match

if [message] =~ /ORA-/ {
 grok {
   match => [ "message","(?<ORA->ORA-[0-9]*)" ]
 }
  }
else {
 drop {
 }
 }
grok {
    match => [ "message","%{TIMESTAMP_ISO8601:isotimestamp}(?<log_message>.*$)" ]
        }

 #Extract DB instance name from file name
 grok {
        match => [ "source","%{DATA}\/alert_%{DATA:db_instance}.log" ]
      }

grok {
    match => [ "isotimestamp","%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:monthday}T%{HOUR:hour}:%{MINUTE:minute}:%{INT:second}.%{GREEDYDATA}" ]
    }

 mutate {
       add_field => {
        "timestamp" => "%{year} %{month} %{monthday} %{hour}:%{minute}:%{second}"
       }
  }
# replace the timestamp by the one coming from the alert.log
  date {
      locale => "en"
      match => [ "timestamp" , "yyyy MM dd HH:mm:ss" , "yyyy MMM dd HH:mm:ss" ]
#        timezone => "Asia/Kolkata"
        }

# replace the message (remove the date)
  mutate { replace => [ "message", "%{log_message}" ]  }

  mutate {
      remove_field => [ "year" ,"month","monthday","hour","minute","second","log_message","isotimestamp"]
  }

}



}

output {


   elasticsearch
                        {
                        hosts => [ "https://abc:9200" ]
                        index => "abc-%{+YYYY.MM.dd}"
                        ssl => true
                        cacert => ["/etc/logstash/ELK.crt"]
                        user => "elastic"
                        password => "abc"
                        }


}
```

Note: We are using this configuration in ELK version 7.8. The same file is working well in ELK version 6.2.

Please edit your post, select the configuration, and click on </> in the toolbar above the edit pane.

Hi Badger,

I have edited the post as suggested. Please help me with the issue.

Again, your configuration has syntax errors in it. That ]] should be ]