Quote:
Code:
{:timestamp=>"2014-05-20T20:22:49.200000+0200", :message=>"Registering file input", :path=>["/var/log/*.log", "/var/log/messages", "/var/log/syslog"], :level=>:info, :file=>"logstash/inputs/file.rb", :line=>"74"}
Code:
{:timestamp=>"2014-05-20T20:22:49.386000+0200", :message=>"_discover_file_glob: /var/log/*.log: glob is: [\"/var/log/yum.log\", \"/var/log/anaconda.log\", \"/var/log/anaconda.storage.log\", \"/var/log/anaconda.program.log\", \"/var/log/dracut.log\", \"/var/log/boot.log\", \"/var/log/anaconda.ifcfg.log\", \"/var/log/anaconda.yum.log\"]", :level=>:debug, :file=>"filewatch/watch.rb", :line=>"117"}
Oh they're there:
Code:
grep "Registering file input" /var/log/logstash/logstash.log
Code:
sincedb_path => "/opt/logstash/sincedb-access"
This seems to have worked once or twice.
Quote:
Yes, that might be a good idea, but I guess there is a chance you'll end up in the exact same state.

One more thing, I guess you probably thought of this, but are the actual logfiles in /var/log/remotes owned by root? Your previous posts only show the directory permissions, not those of the actual files. Just a thought: if they are owned by root, the logstash user can list but not read them ;)

If it's possible, check that if you trigger a new log message it's picked up by logstash. In my case I also monitor /var/log/messages. When I trigger a log message:
Code:
logger TESTING
Code:
{:timestamp=>"2014-05-21T18:07:13.528000+0200", :message=>"Event now: ", :event=>#<LogStash::Event:0x23155c9e @accessors=#<LogStash::Util::Accessors:0x4f739b10 @store={"message"=>["May 21 18:07:12 dev root: TESTING", "TESTING"], "@version"=>"1", "@timestamp"=>"2014-05-21T16:07:13.519Z", "type"=>"syslog", "host"=>"dev.kanbier.lan", "path"=>"/var/log/messages", "timestamp"=>"May 21 18:07:12", "logsource"=>"dev", "program"=>"root", "tags"=>["syslog", "grokked"]}, @lut={"type"=>[{"message"=>["May 21 18:07:12 dev root: TESTING", "TESTING"], "@version"=>"1", "@timestamp"=>"2014-05-21T16:07:13.519Z", "type"=>"syslog", "host"=>"dev.kanbier.lan", "path"=>"/var/log/messages", "timestamp"=>"May 21 18:07:12", "logsource"=>"dev", "program"=>"root", "tags"=>["syslog", "grokked"]}, "type"], "host"=>[{"message"=>["May 21 18:07:12 dev root: TESTING", "TESTING"], "@version"=>"1", "@timestamp"=>"2014-05-21T16:07:13.519Z", "type"=>"syslog", "host"=>"dev.kanbier.lan", "path"=>"/var/log/messages", "timestamp"=>"May 21 18:07:12", "logsource"=>"dev", "program"=>"root", "tags"=>["syslog", "grokked"]}, "host"], "path"=>[{"message"=>["May 21 18:07:12 dev root: TESTING", "TESTING"], "@version"=>"1", "@timestamp"=>"2014-05-21T16:07:13.519Z", "type"=>"syslog", "host"=>"dev.kanbier.lan", "path"=>"/var/log/messages", "timestamp"=>"May 21 18:07:12", "logsource"=>"dev", "program"=>"root", "tags"=>["syslog", "grokked"]}, "path"], "message"=>[{"message"=>["May 21 18:07:12 dev root: TESTING", "TESTING"], "@version"=>"1", "@timestamp"=>"2014-05-21T16:07:13.519Z", "type"=>"syslog", "host"=>"dev.kanbier.lan", "path"=>"/var/log/messages", "timestamp"=>"May 21 18:07:12", "logsource"=>"dev", "program"=>"root", "tags"=>["syslog", "grokked"]}, "message"], "timestamp"=>[{"message"=>["May 21 18:07:12 dev root: TESTING", "TESTING"], "@version"=>"1", "@timestamp"=>"2014-05-21T16:07:13.519Z", "type"=>"syslog", "host"=>"dev.kanbier.lan", "path"=>"/var/log/messages", "timestamp"=>"May 21 18:07:12", 
"logsource"=>"dev", "program"=>"root", "tags"=>["syslog", "grokked"]}, "timestamp"], "logsource"=>[{"message"=>["May 21 18:07:12 dev root: TESTING", "TESTING"], "@version"=>"1", "@timestamp"=>"2014-05-21T16:07:13.519Z", "type"=>"syslog", "host"=>"dev.kanbier.lan", "path"=>"/var/log/messages", "timestamp"=>"May 21 18:07:12", "logsource"=>"dev", "program"=>"root", "tags"=>["syslog", "grokked"]}, "logsource"], "program"=>[{"message"=>["May 21 18:07:12 dev root: TESTING", "TESTING"], "@version"=>"1", "@timestamp"=>"2014-05-21T16:07:13.519Z", "type"=>"syslog", "host"=>"dev.kanbier.lan", "path"=>"/var/log/messages", "timestamp"=>"May 21 18:07:12", "logsource"=>"dev", "program"=>"root", "tags"=>["syslog", "grokked"]}, "program"], "tags"=>[{"message"=>["May 21 18:07:12 dev root: TESTING", "TESTING"], "@version"=>"1", "@timestamp"=>"2014-05-21T16:07:13.519Z", "type"=>"syslog", "host"=>"dev.kanbier.lan", "path"=>"/var/log/messages", "timestamp"=>"May 21 18:07:12", "logsource"=>"dev", "program"=>"root", "tags"=>["syslog", "grokked"]}, "tags"]}>, @data={"message"=>["May 21 18:07:12 dev root: TESTING", "TESTING"], "@version"=>"1", "@timestamp"=>"2014-05-21T16:07:13.519Z", "type"=>"syslog", "host"=>"dev.kanbier.lan", "path"=>"/var/log/messages", "timestamp"=>"May 21 18:07:12", "logsource"=>"dev", "program"=>"root", "tags"=>["syslog", "grokked"]}, @cancelled=false>, :level=>:debug, :file=>"logstash/filters/grok.rb", :line=>"299"} |
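The ownership question raised in the post above can be checked per file rather than per directory. The script below is an added example, not part of the original thread: it predicts from owner, group and mode bits whether a service account can read each monitored file. It assumes GNU `stat` (as used elsewhere in the thread) and an account and group both named `logstash`.

```shell
#!/bin/sh
# Added example. Predicts read access from owner, group and mode bits only;
# ACLs and directory search permission are not consulted.

# can_read USER GROUPS FILE: exit 0 if USER (member of the comma-separated
# GROUPS) may read FILE, 1 if not, 2 if FILE cannot be stat'ed.
can_read() {
    cr_user=$1 cr_groups=$2
    [ "$cr_user" = root ] && return 0            # root bypasses mode bits
    # GNU stat: %a octal mode, %U owner name, %G group name
    cr_info=$(stat -c '%a %U %G' "$3") || return 2
    set -- $cr_info                              # $1 mode, $2 owner, $3 group
    cr_bits=$(( 0$1 ))                           # parse the mode as octal
    if [ "$cr_user" = "$2" ]; then               # owner class wins outright
        [ $(( cr_bits & 0400 )) -ne 0 ]
    else
        case ",$cr_groups," in
            *",$3,"*) [ $(( cr_bits & 040 )) -ne 0 ] ;;   # group class
            *)        [ $(( cr_bits & 04 )) -ne 0 ] ;;    # everyone else
        esac
    fi
}

# list_unreadable USER GROUPS FILE...: print "mode owner:group path" for
# every regular file that USER cannot read.
list_unreadable() {
    lu_user=$1 lu_groups=$2
    shift 2
    for lu_file in "$@"; do
        [ -f "$lu_file" ] || continue            # skip dirs, unmatched globs
        if ! can_read "$lu_user" "$lu_groups" "$lu_file"; then
            stat -c '%a %U:%G %n' "$lu_file"
        fi
    done
}

# Constructed demo: a temp dir stands in for /var/log/remotes.
demo_dir=$(mktemp -d)
: > "$demo_dir/host1.log"; chmod 600 "$demo_dir/host1.log"
: > "$demo_dir/host2.log"; chmod 644 "$demo_dir/host2.log"
# "logstash" as user and group name is an assumption about the service account.
list_unreadable logstash logstash "$demo_dir"/*  # reports host1.log only
rm -rf "$demo_dir"
```

On the host from the thread the equivalent call would be `list_unreadable logstash logstash /var/log/remotes/*`; any file it lists is one the file input can discover by glob but not open.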
clean logstash recipe
Well, we'll know tomorrow when indexes roll over, but for now we have re-initialized logstash with this recipe:
Code:
service logstash stop
Code:
stat -c%a /var/log/remotes/*
the init script I cp'd from /root is here... and I believe that's stock except for
Code:
args="agent -f ${LS_CONF_DIR}/logstash.conf
where it was
Code:
stop && start
Code:
stop || start
You've been a tremendous help on this issue and I am grateful for it. Have a Great Day!