0
votes

I've got a problem with running logstash. My conf looks like this:

input {
  udp {
    port => 1514
    type => docker
  }
}

filter {

  grok {
    match => {
      "message" => "<%{NUMBER}>%{DATA}(?:\s+)%{DATA:hostname}(?:\s+)%{DATA:imageName}(?:\s+)%{DATA:containerName}(?:\s*\[%{NUMBER}\]:) (\s+(?<logDate>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s+%{HOUR}:%{MINUTE}:%{SECOND}) %{LOGLEVEL:logLevel}(?:\s*);* %{DATA:logAdditionalInfo};*)?%{GREEDYDATA:logMsg}"
    }
    keep_empty_captures => false
    remove_field => ["message"]
  }
}

output {
    if [type] == "gelf" {
       elasticsearch {
          index => "phpteam-%{+YYYY.MM.dd}"
       }
    } else {
       elasticsearch { }
    }

}

The configuration is correct, but after running it /var/log/logstash/logstash.log shows the following output:

{:timestamp=>"2016-06-22T11:43:03.105000+0200", :message=>"SIGTERM received. Shutting down the pipeline.", :level=>:warn}
{:timestamp=>"2016-06-22T11:43:03.532000+0200", :message=>"UDP listener died", :exception=>#, :backtrace=>["org/jruby/RubyIO.java:3682:in `select'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-udp-2.0.3/lib/logstash/inputs/udp.rb:77:in `udp_listener'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-udp-2.0.3/lib/logstash/inputs/udp.rb:50:in `run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.1.1-java/lib/logstash/pipeline.rb:206:in `inputworker'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.1.1-java/lib/logstash/pipeline.rb:199:in `start_input'"], :level=>:warn}

The only thing I found to work around this error is to edit those .rb files, but sadly I have no idea how to do it. Could you help me somehow?

Thanks in advance.

1
It might be your firewall/port configuration blocking logstash from listening to the port. – baudsp
Thank you for your answer. I found a solution (it's not the best, but still ;)). – Thomas
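
One way to triage a log like the one in the question, as an added example that is not part of the original post: it pairs each "UDP listener died" warning with the most recent "SIGTERM received" entry, so warnings logged while the pipeline is already stopping can be told apart from a listener that failed on its own. The 5-second window, the function names and the sample lines are assumptions constructed for illustration.

```ruby
require "time"

# Assumption: a "UDP listener died" warning logged within WINDOW seconds after
# "SIGTERM received" belongs to the pipeline shutdown rather than preceding it.
WINDOW = 5.0

# Matches the :timestamp and :message fields of one Logstash 2.x log entry.
ENTRY = /:timestamp=>"([^"]+)", :message=>"((?:[^"\\]|\\.)*)"/

# Constructed sample lines in the log format shown in the question.
SAMPLE = <<~'LOG'
  {:timestamp=>"2016-06-22T09:10:00.000000+0200", :message=>"UDP listener died", :level=>:warn}
  {:timestamp=>"2016-06-22T11:43:03.105000+0200", :message=>"SIGTERM received. Shutting down the pipeline.", :level=>:warn}
  {:timestamp=>"2016-06-22T11:43:03.532000+0200", :message=>"UDP listener died", :level=>:warn}
LOG

# Returns [[Time, message], ...]; several entries may share one physical line.
def parse_entries(text)
  text.scan(ENTRY).map { |ts, msg| [Time.parse(ts), msg] }
end

# Labels each "UDP listener died" entry :during_shutdown or :unexpected,
# depending on whether a SIGTERM entry was logged at most WINDOW seconds before.
def classify_listener_deaths(entries)
  last_sigterm = nil
  entries.sort_by(&:first).each_with_object([]) do |(ts, msg), out|
    if msg.start_with?("SIGTERM received")
      last_sigterm = ts
    elsif msg == "UDP listener died"
      near = last_sigterm && (ts - last_sigterm) <= WINDOW
      out << [ts, near ? :during_shutdown : :unexpected]
    end
  end
end

def triage(text)
  classify_listener_deaths(parse_entries(text))
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE).each { |ts, verdict| puts "#{ts.iso8601(3)}  #{verdict}" }
end
```

For entries labelled `:during_shutdown`, the thing to investigate is what sent the SIGTERM (a service manager, an init script timeout, a package upgrade hook) rather than the UDP input itself.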

1 Answer

0
votes

I found a solution that is not perfect, but works, so maybe it will help somebody.

After installing the whole instance on a new server, everything works fine.

Everything crashed after upgrading logstash/elasticsearch/kibana, so maybe there's something wrong with the configuration files, but I couldn't figure out which ones.