日志没有从 logstash 推送到 elasticsearch

Question

logstash-config.conf

input {
 file {
path => ["D:/project/log/samplex.log"]
sincedb_path => "D:/Project/logstash-7.5.0/data/plugins/inputs/file/null"
start_position => "beginning"
}
}
output {
elasticsearch {
hosts => ["192.168.1.8:9200"]
index => "db"
#user => "elastic"
#password => "changeme"
 }  }

Console log

D:\\Project\\logstash-7.5.0\\bin>logstash -f logstash-sample.conf
Thread.exclusive is deprecated, use Thread::Mutex Sending Logstash logs to D:/Project/logstash-7.5.0/logs which is now configured via log4j2.properties [2019-12-16T23:26:28,465][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-12-16T23:26:28,580][INFO ][logstash.runner ] Starting Logstash
{"logstash.version"=>"7.5.0"} [2019-12-16T23:26:30,143][INFO ][org.reflections.Reflections] Reflections took 32 ms to scan 1 urls, producing 20 keys and 40 values [2019-12-16T23:26:31,024][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[ http://192.168.1.8:9200/] }} [2019-12-16T23:26:31,201][WARN ][logstash.outputs.elasticsearch][main] Restored connection to ES instance {:url=>" http://192.168.1.8:9200/ "} [2019-12-16T23:26:31,256][INFO ][logstash.outputs.elasticsearch][main] ES Output version determined {:es_version=>7} [2019-12-16T23:26:31,264][WARN ][logstash.outputs.elasticsearch][main] Detected a 6.x and above cluster: the type event field won't be used to determine the document _type {:es_version=>7} [2019-12-16T23:26:31,333][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//192.168.1.8:9200"]} [2019-12-16T23:26:31,404][INFO ][logstash.outpu ts.elasticsearch][main] Using default mapping template [2019-12-16T23:26:31,439][WARN ][org.logstash.instrument.metrics.gauge.LazyDelegatingGauge][main] A gauge metric of an unknown type (org.jruby.specialized.RubyArrayOneObject) has been create for key: cluster_uuids. This may result in invalid serialization. It is recommended to log an issue to the responsible developer/development team. [2019-12-16T23:26:31,449][INFO ][logstash.javapipeline
][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1000, "pipeline.sources"=>["D:/Project/logstash-7.5.0/bin/logstash-sample.conf"], :thread=>"#"} [2019-12-16T23:26:31,506][INFO ][logstash.outputs.elasticsearch][main] Attempting to install template {:manage_template=>{"index_patterns"=>"logstash- ", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s", "number_of_shards"=>1}, "mappings"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>" ", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_poin t"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}} [2019-12-16T23:26:32,041][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"} [2019-12-16T23:26:32,114][INFO ][filewatch.observingtail ][main] START, creating Discoverer, Watch with file and sincedb collections [2019-12-16T23:26:32,118][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]} [2019-12-16T23:26:32,502][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

The logstash doesnt read the log file mentioned and its in idle state.

samplex.log

[2019-12-16T22:30:59,310][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[ http://192.168.1.8:9200/] }} [2019-12-16T22:30:59,472][WARN ][logstash.outputs.elasticsearch][main] Restored connection to ES instance {:url=>" http://192.168.1.8:9200/ "} [2019-12-16T22:30:59,558][INFO ][logstash.outputs.elasticsearch][main] ES Output version determined {:es_version=>7} [2019-12-16T22:30:59,565][WARN ][logstash.outputs.elasticsearch][main] Detected a 6.x and above cluster: the type event field won't be used to determine the document _type {:es_version=>7} [2019-12-16T22:30:59,653][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//192.168.1.8:9200"]} [2019-12-16T22:30:59,724][INFO ][logstash.outputs.elasticsearch][main] Using default mapping template dsdasd

Answer 1

In Windows,i think the file name you have saved is sample.log but internally it would be considered as text file . So it would be something like "sample.log.txt"

So please do try

input {
file {
#type => "log"
path => "D:/Downloads/logstash-6.7.0/bin/samplex.log.txt"
sincedb_path => "D:/Downloads/logstash-6.7.0/data/plugins/inputs/file/null"
start_position => "beginning"
#ignore_older => 0
}
}



output {
stdout { codec => "rubydebug"}
elasticsearch {
hosts => "http://xx-xx-xx-xx:9200"
index => "db"
} 
}

If still the issue is seen, try deleting the null file in sincedb_path and try again.

Please let me know,if issue is getting resolved with this. Hope this helps you.. !!