Logstash doesn't write / process data and seems to fail silently

Logstash seems to hang when processing a local file. The Logstash process is still alive and everything looks fine, but no data gets written to the output (Elasticsearch). The index does get created, though.

Logstash seems to "hang" and not process any of the input data for the following reason:
Logstash keeps track of what has previously been processed, so when you run it again on the same input data (as will be the case during testing), Logstash will think it has already seen and processed this data the previous time and will not read it again. To bypass this during testing, specify explicitly the location of the sincedb file where Logstash should keep track of what it has read or not and manually delete this sincedb file before each test run.
Here is an example:
input {
  file {
    path => "~/logstash/data/input_file"
    start_position => "beginning"
    sincedb_path => "~/logstash/data/sincedb.db"
  }
}
or maybe even better (added based on comment below):
input {
  file {
    path => "~/logstash/data/input_file"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}
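If you go with the first variant, a minimal pre-run cleanup could look like this (a sketch; the sincedb path is the one from the example above, and the pipeline file name is just a placeholder):

# remove the bookkeeping file so Logstash re-reads the input from the start
rm -f ~/logstash/data/sincedb.db
# then start Logstash with your pipeline (placeholder config name)
bin/logstash -f ~/logstash/test_pipeline.conf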

Related

Filebeat to logstash as single events

I have TCPdump logging to a file on a server that I need to ship to a remote Logstash server. Currently Filebeat is sending each line as a single event. Each entry begins with a timestamp such as U 2013/10/11 18:03:13.234049, then the dump data, a space, and then a new entry with a new timestamp. Is there any way to get Filebeat to ship each of these entries as a single event? I am new to Filebeat and have not been able to get a multiline filter to ship them as needed.
Currently I have Logstash configured with
output {
  file {
    path => "/usr/share/logstash/dump.log"
    file_mode => 0644
    codec => line { format => "%{message}" }
  }
}
When testing on the server with the log file and sending
cat /applog/dump.txt | nc 192.168.25.23 6000
the Logstash output looks as it should.
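One way to group these lines before they ever reach Logstash is Filebeat's own multiline settings; a sketch, assuming the dump file path from the nc test above and a pattern derived from the sample timestamp (option names here are for Filebeat 5.x-style prospectors and differ slightly in newer versions):

filebeat.prospectors:
  - input_type: log
    paths:
      - /applog/dump.txt
    # a line starting a new event looks like "U 2013/10/11 18:03:13.234049 ..."
    multiline.pattern: '^U \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}'
    multiline.negate: true
    # lines that do not match the pattern are appended to the previous (timestamped) line
    multiline.match: after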

Logstash Always Keeps One message in PipeLine

I am using Logstash to read and parse logs from a file and send them to a REST-based API. My shipper is working fine, but I am experiencing strange behavior.
Version:
logstash-2.3.2
Problem:
When the Logstash shipper parses the first log entry, it does not send it; it keeps it in the pipeline. When it parses the second log entry, it sends the first one to the API. Hence one message always remains in the pipeline and is not sent on to my API.
Whenever I stop my Logstash shipper process, it sends the last remaining message as well. So, in a sense, no message is lost, but the shipper is always one message behind.
Question:
Why is Logstash unable to flush its pipeline and send each message to the API as soon as it is received?
You should paste your Logstash config and log format in order to get a precise answer; however, from what you have described, you seem to be using the multiline codec. From Logstash 2.2 onwards the multiline codec has an auto_flush_interval option. It can be set to a number of seconds, and if the multiline codec does not see another log line within that many seconds, it flushes the pending event in the pipeline to your API.
Here is an example; see the links below for more information:
input {
  file {
    path => "$LogstashFilePathValue"
    type => "DemandwareError"
    tags => "$EnvironmentName"
    start_position => "beginning"
    sincedb_path => "NUL"
    codec => multiline {
      pattern => "\A\[%{TIMESTAMP_ISO8601:demandware_timestamp} GMT\]"
      negate => true
      what => previous
      auto_flush_interval => 10
    }
  }
}
The example is from the link: https://github.com/elastic/logstash/issues/1482
For more information on auto_flush_interval visit: https://www.elastic.co/guide/en/logstash/current/plugins-codecs-multiline.html#plugins-codecs-multiline-auto_flush_interval

Messages not making into elasticsearch

We have a setup with three queues in RabbitMQ, handling three different types of logs.
The queues are consumed by Logstash, which tags each message and then writes it into the appropriate index in Elasticsearch.
So my input looks something like this:
input {
  rabbitmq {
    host => "localhost"
    queue => "central_access_logs"
    durable => true
    codec => json
    threads => 3
    prefetch_count => 50
    port => 5672
    tags => ["central_access_log"]
  }
}
There is a similar setup for the other two queues.
My output is like this:
if("central_access_log" in [tags]){
elasticsearch {
host => "localhost"
index=> "central_access_logs"
}
}
I suspected for a while that not everything was making it into the central_access_logs index (the other two indexes, more or less, seemed fine), so I added this:
file {
  path => '/data/out'
}
And let that run for a few weeks.
Recently, I noticed that for the last week and a half, nothing has been coming into that index (again, the other two are perfectly fine), yet the text file contains all of the missing messages.
How can I go about debugging this? Is the error on Logstash's end, or Elasticsearch's?
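One way to start digging in (a sketch of my own, not from the original thread; the index name and debug file path come from the config above, and the log file locations are assumptions that vary by install):

# how many documents Elasticsearch actually holds in the suspect index
curl 'localhost:9200/central_access_logs/_count?pretty'

# how many events Logstash wrote to the debug file output over the same period
wc -l /data/out

# look for bulk/indexing errors on either side (log paths are assumptions)
grep -i 'error' /var/log/logstash/logstash.log
grep -iE 'reject|failed' /var/log/elasticsearch/elasticsearch.log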

logstash with date specific file names

I have an app that writes logs like
access_log-2014-09-08
access_log-2014-09-09
access_log-2014-09-10
It seems that if I have an input => file => path defined for access_log*, it only picks up the files that exist when Logstash starts. When midnight rolls around and the app creates a new file, Logstash doesn't see it. Is there a way to specify a path that will catch this? Also, I only need it to tail the current day's file; it's not a huge problem if it looks at everything, but it would be cleaner and nicer not to.
Logstash config:
input {
  file {
    path => [ "/var/log/apache/access_log-*" ]
  }
}
... filters and output ...
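For what it's worth, one possible direction (my assumption, not an answer from the original post): the file input periodically re-expands the glob to discover newly created files, and that rescan period can be tuned with discover_interval, so a wildcard path like the one above should eventually pick up the new daily file. A sketch using the path from the question:

input {
  file {
    path => [ "/var/log/apache/access_log-*" ]
    # seconds between glob re-expansions that discover newly created files
    discover_interval => 15
  }
}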

logstash multiple output doesn't work if one of outputs fails

I have the following Logstash configuration:
output {
  elasticsearch {
    host => "elastichost"
  }
  stdout { codec => json }
  file {
    path => "./out.txt"
  }
}
When the Elasticsearch host is unavailable, I do not receive any output at all; there are just errors about the Elasticsearch output failing.
So the question is: how can I configure Logstash to reliably send logs to the outputs even if one of them fails?
You can't do this in Logstash 1; any output thread that blocks will hang them all up.
The design of Logstash 2 is supposed to fix this.
