Develop Reference

Logstash Auto update Data

I am using the latest version of logstash(7.6.2). I tried uploading a sample data and was able to successfully upload it into the elasticsearch using logstash(enabled auto-reload) and was able to see the index in the Kibana interface.
But, when I make changes to the below config file, I was unable to see the updated data in the Kibana interface. I was trying to remove the mutate filter plugin and the logstash pipeline reloaded but the data in Kibana is not updated. Interestingly it didn't throw up any errors.
Sample.conf
input{
file{
path => "/usr/local/Cellar/sample.log"
start_position => "beginning"
}
}
filter{
grok{
match => ["message", "%{TIMESTAMP_ISO8601:timestamp_string}%{SPACE}%{GREEDYDATA:line}"]
}
date{
match => ["timestamp_string", "ISO8601"]
}
mutate{
remove_field => [message, timestamp_string]
}
}
output{
elasticsearch{
hosts => ["localhost:9200"]
index => "sample"
}
stdout{
codec => rubydebug
}
}
Any help here is appreciated. TIA
P.S. - I am new to ElasticSearch!

If you want to parse again a complete file, you need to :
delete sindedb files
OR only delete the corresponding line in sincedb file
Then, restart Logstash. Logstash will reparse the file.
For more info: https://www.elastic.co/guide/en/logstash/current/plugins-inputs-file.html#sincedb_path

logstash: File input not working, stdout does not show anything at all (Windows)

I am new to logstash, I was trying to give a sample log file as input through the logstash config file. But it does not seem to be working. Initially I gave input through stdin, it worked perfectly and showed the output in stdout. I placed the same input I gave through stdin in the log file and tried giving the input but it does not seem to read the file at all.
This is my config file:
`
input {
file{
path =>"C:\pdata\ct.log"
start_position =>"beginning"
}
}
filter {
grok {
match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
}
}
output {
stdout {codec => rubydebug}
}
The presence of sincedb_path does not seem to make any difference.

Use forward slashes in your input configuration.
input {
file{
path =>"C:/pdata/ctop.log"
start_position =>"beginning"
}

Seems Logstash doesn't process the last event/line until the next event is written

I am new to logstash and during my hands on I could see that logstash do not process the last line of the log file.
My log file is simple 10 lines and I have configured filters to process one/two fields and output the json result to a new file.
So when logstash is running I open the monitored file and add one line to the end of file and save it. Nothing happens. Now I add one more line and the previous event shows up in the output file, and similarly for the next events.
How to resolve this behavior ? Is something wrong with my usecase/config ?
# The # character at the beginning of a line indicates a comment. Use
# comments to describe your configuration.
input {
file {
path => "C:\testing_temp\logstash-test01.log"
start_position => beginning
}
}
# The filter part of this file is commented out to indicate that it is
# optional.
filter {
grok {
match => { "message" => "%{IP:clientip} pssc=%{NUMBER:response} cqhm=%{WORD:HTTPRequest}"}
}
geoip {
source => "clientip"
}
}
output {
file {
path => "C:\testing_temp\output.txt"
}
}

please make sure to add a a newline at the end of your line when manually inserting. Logstash will pick up your changes as soon as it detects that the line is "finished".
Your usecase is ok. If you add:
stdout { codec => rubydebug }
To your output section you will see the events immediately in your console (nice for debugging/testing).

Logstash records from a server being rejected by ElasticSearch due to malformed date

I am in the process of installing ELK including REDIS and have successfully got one server/process delivering its logs through to ElasticSearch(ES).
Most happy with this.
However, on updating an existing server/process to start using logstash I am seeing the logdate come through in the form yyyy-MM-dd HH:mm:ss,sss.
Note the absence of the T between date and time. ES is not happy with this.
Log4j pattern in use by both servers is:
<PatternLayout pattern="~%d{ISO8601} [%p] [%t] [%c{1.}] %m%n"/>
Logstash config is identical with the exception of the path to the source log file
input{
file{
type => "log4j"
path => "/var/log/restapi/*.log"
add_field => {
"process" => "restapi"
"environment" => "DEVELOPMENT"
}
codec => multiline {
pattern => "^~%{TIMESTAMP_ISO8601} "
negate => "true"
what => "previous"
}
}
}
filter{
if [type] == "log4j"{
grok{
match => {
message => "~%{TIMESTAMP_ISO8601:logdate}%{SPACE}\[%{LOGLEVEL:level}\]%{SPACE}\[%{DATA:thread}\]%{SPACE}\[%{DATA:category}\]%{SPACE}%{GREEDYDATA:messagetext}"
}
}
}
}
output{
redis{
host => "sched01"
data_type => "list"
key => "logstash"
codec => json
}
stdout{codec => rubydebug}
}
The stdout line is for current debug purposes, whereby it is evident that on correctly working server that logdate is being correctly formed by the GROK filter.
compared to the incorrectly formed output.
The only difference from a high level is when the servers were built.
Looking for ideas on what could be causing or a means to add the T into the field

A bug raised under DatePatternConverter ISO8601_PATTERN does not conform to ISO8601 https://issues.apache.org/jira/browse/LOG4J2-670 led me to check the version of the log4j2 library used in the older application. Found it was Beta. Updated to v2.3 and the dateTime value started to populate correctly. The value now being correctly formed, ElasticSearch is happy to accept it.

Duplicate entries into Elastic Search while logstash instance is running

I have been trying to send logs from logstash to elasticsearch.Suppose I am running a logstash instance and while it is running,I make a change to the file which the logstash instance is monitoring,then all the logs which have been previously saved in the elasticsearch are saved again,hence duplicates are formed.
Also,when the logstash instance is closed and is restarted again,the logs gets duplicated in the elasticsearch.
How do I counter this problem?
How to send only the newest added entry in the file from logstash to elasticsearch?
My logstash instance command is the following:
bin/logstash -f logstash-complex.conf
and the configuration file is this:
input
{
file
{
path => "/home/amith/Desktop/logstash-1.4.2/accesslog1"
}
}
filter
{
if [path] =~ "access"
{
mutate
{
replace =>
{ "type" => "apache_access" } }
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
output {
elasticsearch {
host => localhost
index => feb9
}
stdout { codec => rubydebug }
}

I got the solution.
I was opening the file,adding a record and saving it ,due to which logstash treated the same file as a different file each time I saved it as it registered different inode number for the same file.
The solution is to append a line to the file without opening the file but by running the following command.
echo "the string you want to add to the file" >> filename

[ELK stack]
I wanted some custom configs in
/etc/logstash/conf.d/vagrant.conf
so the first step was to make a backup: /etc/logstash/conf.d/vagrant.conf.bk
This caused logstash to add 2 entries in elasticseach for each entry in <file>.log;
the same if i had 3 files in /etc/logstash/conf.d/*.conf.* in ES i had 8 entries for each line in *.log

As you mentioned in your question.
when the logstash instance is closed and is restarted again,the logs gets duplicated in the elasticsearch.
So, it probably you have delete the .since_db. Please have a look at here.
Try to specific the since_db and start_position. For example:
input
{
file
{
path => "/home/amith/Desktop/logstash-1.4.2/accesslog1"
start_position => "end"
sincedb_path => /home/amith/Desktop/sincedb
}
}