Develop Reference

Data missed in Logstash?

Data missed a lot in logstash version 5.0,
is it a serous bug ,when a config the config file so many times ,it useless,data lost happen again and agin, how to use logstash to collect log event property ?
any reply will thankness

Logstash is all about reading logs from specific location and based on you interested information you can create index in elastic search or other output also possible.
Example of logstash conf
input {
file {
# PLEASE SET APPROPRIATE PATH WHERE LOG FILE AVAILABLE
#type => "java"
type => "json-log"
path => "d:/vox/logs/logs/vox.json"
start_position => "beginning"
codec => json
}
}
filter {
if [type] == "json-log" {
grok {
match => { "message" => "UserName:%{JAVALOGMESSAGE:UserName} -DL_JobID:%{JAVALOGMESSAGE:DL_JobID} -DL_EntityID:%{JAVALOGMESSAGE:DL_EntityID} -BatchesPerJob:%{JAVALOGMESSAGE:BatchesPerJob} -RecordsInInputFile:%{JAVALOGMESSAGE:RecordsInInputFile} -TimeTakenToProcess:%{JAVALOGMESSAGE:TimeTakenToProcess} -DocsUpdatedInSOLR:%{JAVALOGMESSAGE:DocsUpdatedInSOLR} -Failed:%{JAVALOGMESSAGE:Failed} -RecordsSavedInDSE:%{JAVALOGMESSAGE:RecordsSavedInDSE} -FileLoadStartTime:%{JAVALOGMESSAGE:FileLoadStartTime} -FileLoadEndTime:%{JAVALOGMESSAGE:FileLoadEndTime}" }
add_field => ["STATS_TYPE", "FILE_LOADED"]
}
}
}
filter {
mutate {
# here converting data type
convert => { "FileLoadStartTime" => "integer" }
convert => { "RecordsInInputFile" => "integer" }
}
}
output {
elasticsearch {
# PLEASE CONFIGURE ES IP AND PORT WHERE LOG DOCs HAS TO PUSH
document_type => "json-log"
hosts => ["localhost:9200"]
# action => "index"
# host => "localhost"
index => "locallogstashdx_new"
# workers => 1
}
stdout { codec => rubydebug }
#stdout { debug => true }
}
To know more you can go throw many available websites like
https://www.elastic.co/guide/en/logstash/current/first-event.html

Logstash not reading json file

I've config like this
input {
file {
path => "/opt/data/user-*.json"
type => "json"
start_position => "beginning"
sincedb_path => "/dev/null"
tags => ["user"]
}
}
filter {
json {
source => "message"
}
}
output {
stdout { codec => rubydebug }
}
When I run logstash with --debug, it shows the message without any output, seems it keep waiting for new content to be consumed (but I've set sincedb_path => "/dev/null" already)
_globbed_files: /opt/data/user-*.json: glob is: ["/opt/data/user-2016-08-08.json"] {:level=>:debug, :file=>"filewatch/watch.rb", :line=>"346", :method=>"_globbed_files"}
Pushing flush onto pipeline {:level=>:debug, :file=>"logstash/pipeline.rb", :line=>"458", :method=>"flush"}
Pushing flush onto pipeline {:level=>:debug, :file=>"logstash/pipeline.rb", :line=>"458", :method=>"flush"}
When I change the input to stdin and paste the json in my data file, then it is ok.
input {
stdin{}
}

Logstash multiline codec not working with my pattern

I had been using the multline codec of logstash for my java exceptions. However, recently I wanted to capture more things and hence used another pattern. This causes my logstash not to read file even though I am using sincedb_path attribute.
My configurations file -
input {
file {
type => "pa"
path => "/home/jigar/POC/Docs/smalllogs/test"
codec => multiline {
pattern => "^%{DATESTAMP}"
negate => true
what => "previous"
}
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter {
grok {
match => [ "message", "%{DATESTAMP:actualTimeStamp}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{GREEDYDATA:identifier}%{SYSLOG5424SD:Id}%{SPACE}%{JAVACLASS:package}:%{INT:lineNum}%{SPACE}-%{SPACE}%{DATA:mydata}\n(\t)?%{GREEDYDATA:stack}" ]
}
}
output {
elasticsearch {
cluster => "smartdebugger"
protocol => "http"
host => "localhost"
}
stdout { codec =>rubydebug }
}
Can somebody please help me why logstash is not able to read the file.

Logstash not printing anything

I am using logstash for the first time and trying to setup a simple pipeline for just printing the nginx logs. Below is my config file
input {
file {
path => "/var/log/nginx/*access*"
}
}
output {
stdout { codec => rubydebug }
}
I have saved the file as /opt/logstash/nginx_simple.conf
And trying to execute the following command
sudo /opt/logstash/bin/logstash -f /opt/logstash/nginx_simple.conf
However the only output I can see is:
Logstash startup completed
Logstash shutdown completed
The file is not empty for sure. As per my understanding I should be seeing the output on my console. What am I doing wrong ?

Make sure that the character encoding of your logfile is UTF-8. If it is not, try to change it and restart the Logstash.

Please try this code as your Logstash configuration, in order to setup a simple pipeline for just printing the nginx logs.
input {
file {
path => "/var/log/nginx/*.log"
type => "nginx"
start_position => "beginning"
sincedb_path=> "/dev/null"
}
}
filter {
if [type] == "nginx" {
grok {
patterns_dir => "/home/krishna/Downloads/logstash-2.1.0/pattern"
match => {
"message" => "%{NGINX_LOGPATTERN:data}"
}
}
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
output {
elasticsearch {
hosts => [ "127.0.0.1:9200" ]
}
stdout { codec => rubydebug }
}

How configure multiple files using logstash.conf file

I am going to configure all log files present in location(D:\Logs folder)
log files are
1.Magna_Log4Net.log.20150623_bak
2.Magna_Log4Net.log.20150624_bak
3.Magna_Log4Net.log.20150625_bak
4.Magna_Log4Net.log.20150626_bak
logstash.conf file
input {
file {
path =["C:\Test\Logs\Magna_Log4Net.log.*_bak"]
start_position => "beginning"
}
}
filter {
grok { match => [ "message", "%{HTTPDATE:[#metadata][timestamp]}" ] }
date { match => [ "[#metadata][timestamp]", "dd/MMM/yyyy:HH:mm:ss Z" ] }
}
output {
elasticsearch { host => localhost}
stdout { codec => rubydebug }
}
I am not able to load all files into elastic search , I didn't understand the problem here. can any body help to to how to parse multiple files into logstash config files ???