I am using the latest code of the git@github.com:deviantony/docker-elk.git
repository to host the ELK stack with the docker-compose up
command. Elasticsearch and Kibana are running fine.
However, I cannot index into Logstash with my logstash.conf, which is shown below:
input {
  file {
    # Configure your path below
    path => ["C:/Users/matt/Desktop/temp/logs/*.txt*"]
    ignore_older => "141 days"
    start_position => "beginning"
    file_sort_by => "last_modified"
    file_sort_direction => "desc"
    sincedb_path => "NUL"
    type => "appl"
    # Join every line up to the next <log4j:event into one event
    codec => multiline {
      pattern => "^<log4j:event"
      negate => true
      what => "previous"
    }
  }
}
filter {
  if [type] == "appl" {
    grok {
      add_tag => [ "groked" ]
      match => ["message", ".*"]
      remove_tag => ["_grokparsefailure"]
    }
    # The log4j: prefix is never declared with an xmlns, so strip it before XML parsing
    mutate {
      gsub => ["message", "log4j:", ""]
    }
    xml {
      source => "message"
      remove_namespaces => true
      target => "log4jevent"
      xpath => {
        "//event/@timestamp" => "timestamp"
        "//event/@level" => "loglevel"
        "/event/message/text()" => "message"
        "/event/throwable/text()" => "exception"
        "//event/properties/data[@name='log4jmachinename']/@value" => "machinename"
        "//event/properties/data[@name='log4japp']/@value" => "app"
        "//event/properties/data[@name='log4net:UserName']/@value" => "username"
        "//event/properties/data[@name='log4net:Identity']/@value" => "identity"
        "//event/properties/data[@name='log4net:HostName']/@value" => "hostname"
      }
    }
    mutate {
      remove_field => ["type"]
      # Decode XML entities; &amp; goes last so an encoded entity is not decoded twice
      gsub => [
        "message", "&lt;", "<",
        "message", "&gt;", ">",
        "message", "&quot;", "\"",
        "message", "&apos;", "'",
        "message", "&amp;", "&"
      ]
    }
    date {
      match => [ "[timestamp][0]", "UNIX_MS" ]
      target => "@timestamp"
      remove_field => ["timestamp"]
    }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "log4jevents"
    user => "elastic"
    password => "changeme"
    ecs_compatibility => disabled
  }
  stdout {
    codec => rubydebug
  }
}
The log file that I want to index with Logstash is shown below:
<log4j:event logger="Microsoft.Unity.ApplicationBlocks.Logging.Logger" timestamp="1615025506621" level="DEBUG" thread="13"><log4j:message>SSO->AccountController->Login->Before ClientID Check</log4j:message><log4j:properties><log4j:data name="log4jmachinename" value="hostname01" /><log4j:data name="log4japp" value="/LM/W3SVC/2/ROOT-1-132594985694777790" /><log4j:data name="log4net:UserName" value="IIS APPPOOL\default" /><log4j:data name="log4net:Identity" value="" /><log4j:data name="log4net:HostName" value="hostname01" /></log4j:properties><log4j:locationInfo class="Microsoft.Unity.ApplicationBlocks.Logging.Logger" method="Debug" file="F:\somefolder\Agent\_work\1\s\Unity\Microsoft.Unity.ApplicationBlocks\Logging\Logging.cs" line="353" /></log4j:event>
The error that Logstash shows while starting with docker-compose up
is shown below:
Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://elastic:xxxxxx@localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://elastic:xxxxxx@localhost:9200/][Manticore::SocketException] Connection refused (Connection refused)"}
The same logstash.conf was working earlier with ELK version 6.8. What's wrong with my logstash.conf?
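Parsing the posted event the way the xml, mutate and date filters above intend, as an added Python example that is not code from the question or from the docker-elk project. It binds the undeclared log4j: prefix to a namespace instead of stripping it with gsub, and shows why the bare event cannot be parsed as-is; the namespace URI is an assumption, and the sample event is adapted from the one posted above with the > characters in the message entity-encoded, as an XML writer emits them.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URI bound to the ``log4j:`` prefix. log4net emits the prefix without
# declaring it, so the raw event is not well-formed XML. The URI is an assumption
# (the one log4j's own XMLLayout documents); any URI would do for parsing.
LOG4J_NS = "http://jakarta.apache.org/log4j/"
NS = {"log4j": LOG4J_NS}

# Constructed sample, adapted from the event posted in the question: same fields,
# with the '>' characters in the message entity-encoded as an XML writer emits them.
SAMPLE_EVENT = (
    '<log4j:event logger="Microsoft.Unity.ApplicationBlocks.Logging.Logger" '
    'timestamp="1615025506621" level="DEBUG" thread="13">'
    '<log4j:message>SSO-&gt;AccountController-&gt;Login-&gt;Before ClientID Check</log4j:message>'
    '<log4j:properties>'
    '<log4j:data name="log4jmachinename" value="hostname01" />'
    '<log4j:data name="log4japp" value="/LM/W3SVC/2/ROOT-1-132594985694777790" />'
    '<log4j:data name="log4net:UserName" value="IIS APPPOOL\\default" />'
    '<log4j:data name="log4net:Identity" value="" />'
    '<log4j:data name="log4net:HostName" value="hostname01" />'
    '</log4j:properties>'
    '<log4j:locationInfo class="Microsoft.Unity.ApplicationBlocks.Logging.Logger" '
    'method="Debug" '
    'file="F:\\somefolder\\Agent\\_work\\1\\s\\Unity\\Microsoft.Unity.ApplicationBlocks\\Logging\\Logging.cs" '
    'line="353" />'
    '</log4j:event>'
)

# The same property names the pipeline's xpath entries extract, and the target fields.
PROPERTY_FIELDS = {
    "log4jmachinename": "machinename",
    "log4japp": "app",
    "log4net:UserName": "username",
    "log4net:Identity": "identity",
    "log4net:HostName": "hostname",
}


def raw_event_is_well_formed(raw_event: str) -> bool:
    """Return whether the bare event parses; with an unbound prefix it does not,
    which is why the pipeline strips 'log4j:' with gsub before the xml filter."""
    try:
        ET.fromstring(raw_event)
        return True
    except ET.ParseError:
        return False


def bind_namespace(raw_event: str) -> str:
    """Wrap the event in an element that declares the log4j prefix, so the
    document can be parsed without rewriting it."""
    return f'<wrapper xmlns:log4j="{LOG4J_NS}">{raw_event}</wrapper>'


def parse_event(raw_event: str) -> dict:
    """Extract the fields the xml and date filters above produce for one event."""
    root = ET.fromstring(bind_namespace(raw_event))
    event = root.find("log4j:event", NS)
    if event is None:
        raise ValueError("no log4j:event element found")

    # UNIX_MS -> UTC @timestamp, the equivalent of the date filter (exact, no float).
    ts_ms = int(event.attrib["timestamp"])
    at_timestamp = datetime.fromtimestamp(ts_ms // 1000, tz=timezone.utc) + timedelta(
        milliseconds=ts_ms % 1000
    )

    message_el = event.find("log4j:message", NS)
    throwable_el = event.find("log4j:throwable", NS)

    doc = {
        "@timestamp": at_timestamp.isoformat(timespec="milliseconds"),
        "loglevel": event.attrib.get("level"),
        # The XML parser already decodes &gt; and friends; no entity gsub is needed.
        "message": message_el.text if message_el is not None else None,
        "exception": throwable_el.text if throwable_el is not None else None,
    }
    for name, field in PROPERTY_FIELDS.items():
        data = event.find(f"log4j:properties/log4j:data[@name='{name}']", NS)
        doc[field] = data.attrib.get("value") if data is not None else None
    return doc


if __name__ == "__main__":
    print("bare event parses:", raw_event_is_well_formed(SAMPLE_EVENT))
    for key, value in parse_event(SAMPLE_EVENT).items():
        print(f"{key}: {value!r}")
```

Running it prints that the bare event does not parse, then the extracted fields, which is what the rubydebug stdout output would show for this event once the xml filter succeeds.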