I missed logstash-web listing in /etc/init, which is why it would still start on startup. I managed to narrow down the problem to needing an older version of a plugin using the debug run like you suggested.
However, an unendable process is never good.
t4nk714
Hi again, I'm having a weird problem. I set up my lsf on windows server and made a test file in the folder lsf is pointed at. I created a file and put 1 line into it but it didn't send. BUT when I add a 2nd line then it sends the first. When I add a 3rd line it sends the 2nd etc...
tiv
t4nk714, this is normal, because in case of log file, each line adds with new line character
t4nk714, so app that generate logs normally add new line after each log record
t4nk714
Ah I see, thanks again for the response
tiv
urw
olivier__, are you still here?
Zesk
Logs show that "pipeline is blocked" and I want to try other settings. Sadly, logstash doesn't stop with SIGTERM, do you know any reasons?
Title: filter { if [server_address] { ### (remove this) check if your field with IP - Pastebin.com (at pastebin.com)
tiv
Zesk, I have same issue when something wrong with config or plugins
Zesk, just killall logstash proc
and try to test config with debug output: /opt/logstash/bin/logstash -f CONFIG_PATH --debug
Zesk
tiv, it works for some time but when Kibana seems to use elasticsearch heavily, logstash gets stuck and lumberjack cannot send anything...
tiv, ok for kill -9 logstash ^^
tiv
Zesk, do you use some additional plugins?
with logstash
there are some issues with some of them in some situations, so you'll need to check for similar issues with google
Zesk
I use /opt/logstash/bin/logstash -t -f myconf.conf to test but haven't used "--debug", will try
tiv
hope this will help
Zesk
filter part has date, geoip, mutate, ruby
tiv
ruby can do the problem (I have one with timestamp field manipulation)
but it depends
dig your debug logs
Zesk
Hm, will do that. But I don't understand why logstash is failing (due to blocked pipeline) when I use kibana. Logically, elasticsearch should be the problem ^^
Weird, "Plugin not defined in namespace, checking for plugin file" for filter{}...
xowap, you'll need to choose it by yourself - syslog, syslog-ng, lsf, ....
lsf gives you ability to parse logs on client side and send securely ready data in JSON (generally)
Zesk
tiv, thanks... :D I already had this page open. Not sure if this point is the origin of the issue since everything "seems" to work fine if nothing is stressed out. Maybe it's something about output protocol elasticsearch { host => localhost} should I add protocol => http or transport?
xowap
I'm running at small scale so far (and I output my nginx logs in kv format)
but lsf sounds pretty easy in the sense that it's doing SSL authentication natively
and if network (or remote server) fails, logs are sent later, right?
tiv
xowap, that's what we want to think ))
just try it, it must suit all your needs
if not, you'll know about it first :)
xowap
tiv: yep thanks, I just wanted to make sure I wasn't missing something huge
going to give it a try
tiv
xowap, urw, it's all about your needs
xowap
also to confirm, there is no need for HA on the ELK server unless I want it, right?
aka, 5 minutes of logs are not going to vanish if I reboot my server
Zesk
Thanks tiv, my elasticsearch is not on cluster (single node), the original config should be okay. I will dig deeper with debug mode. Hope to come with a fix soon ^^
xowap, logstash-forwarder won't send anything if the server doesn't respond, if that's what you're asking :p
tiv
Zesk, urw, I wrote embedded => false when there was a conflict in elasticsearch versions in logstash and ES
with this option LS doesn't act as an ES node, so this solved my problem with that
xowap, I'm running only one node, it's normal for me :)
have a small setup too (>100 hosts that send logs)
GLM
How can I give multiple patterns to grok and have it pick the one that matches for a given message?
tiv
but in linux I use syslog-ng, on Windows nxlog for log shipment, just because it's simpler for me to deploy and maintain
GLM, you can just %{PATTERN1}|%{PATTERN2} in grok filter
the first that matches will be yours
the same you can do in your patterns: GLOBAL_PATTERN %{PATTERN1}|%{PATTERN2}, then use %{GLOBAL_PATTERN} in grok filter
GLM: pattern1|pattern2 can be very expensive (running a really long pattern across your whole message).
GLM: in your case, i'd pull the common stuff off first (a smaller pattern), putting the results back into 'message', then running the other groks against the shorter message.