OS X: logstash works for a while and then stops with "Logstash shutdown completed" msg((


After I upgraded to logstash 1.5.0 I am getting strange behavior from this program. Whenever I run it with the following command:

 $ logstash agent -f /usr/local/etc/logstash/conf.d/logstash.conf

It works for a while and then stops, printing "Logstash shutdown completed". Example:

 .....
 ......
  "@version" => "1",
"@timestamp" => "2015-06-20T21:04:09.087Z",
      "type" => "SuricataIDPS",
      "host" => "drew-sh.server",
      "path" => "/var/log/suricata/eve.json",
     "geoip" => {
                  "ip" => "209.52.144.104",
       "country_code2" => "CA",
       "country_code3" => "CAN",
        "country_name" => "Canada",
      "continent_code" => "NA",
         "region_name" => "BC",
           "city_name" => "Vancouver",
            "latitude" => 49.25,
           "longitude" => -123.13329999999999,
            "timezone" => "America/Vancouver",
    "real_region_name" => "British Columbia",
            "location" => [
        [0] -123.13329999999999,
        [1] 49.25
    ],
         "coordinates" => [
        [0] -123.13329999999999,
        [1] 49.25
    ]
  }
}
Logstash shutdown completed

Even after a complete reinstallation:

$ brew rm logstash
$ brew install logstash

I'm still having the same issue (((

Here is my /usr/local/etc/logstash/conf.d/logstash.conf:

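# Logstash 1.5 pipeline: tail Suricata's EVE JSON log, GeoIP-enrich it and ship it
# to a local Elasticsearch (with a console echo for debugging).
input {
  file {
    path => ["/var/log/suricata/eve.json"]
    # NOTE(review): sincedb_path is the path of the sincedb *file* that records the
    # read offset; a bare directory here is suspicious — confirm it points at a
    # writable file inside that directory, otherwise offsets may not persist.
    sincedb_path => ["/var/lib/logstash/"]
    # Each EVE line is one JSON object, so decode it at the input.
    codec => json
    type => "SuricataIDPS"
    # Only honoured for files not yet recorded in the sincedb; later runs resume.
    start_position => "beginning"
  }
}

filter {
  if [type] == "SuricataIDPS" {
    # Use Suricata's own event time as @timestamp rather than ingest time.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    # Reduce the libmagic description to its first comma-separated token.
    # NOTE(review): if a 'fileinfo' event ever arrives without the 'fileinfo' hash this
    # raises NoMethodError inside the filter; a guard such as
    # `event['fileinfo'].is_a?(Hash)` is cheap — unverified whether this relates to
    # the shutdown reported above.
    ruby {
      code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
    }
  }

  # Enrich on the source IP first; fall back to the destination IP only when the
  # source lookup produced no result.
  if [src_ip]  {
    geoip {
      source => "src_ip"
      target => "geoip"
      #database => "/usr/local/opt/logstash/libexec/vendor/geoip/GeoLiteCity.dat"
      # Two add_field lines build the [lon, lat] pair the geo_point mapping expects.
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
      # add_field interpolates strings; the mapping wants numbers.
      convert => [ "[geoip][coordinates]", "float" ]
    }
    # FIX: nested fields are referenced as [geoip][ip]. The original `![geoip.ip]`
    # names a top-level field literally called "geoip.ip", which never exists, so the
    # fallback always ran and overwrote the src_ip enrichment whenever dest_ip was set.
    if ![geoip][ip] {
      if [dest_ip]  {
        geoip {
          source => "dest_ip"
          target => "geoip"
          #database => "/usr/local/opt/logstash/libexec/vendor/geoip/GeoLiteCity.dat"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float" ]
        }
      }
    }
  }
}

output {
  # Plain HTTP to a local Elasticsearch with no credentials; acceptable on a single
  # host, but anything reachable beyond localhost should get TLS and authentication.
  elasticsearch {
    host => localhost
    protocol => http
  }
  # rubydebug echoes every event to the console (the dump quoted above); drop it once
  # the pipeline is verified so each event is not serialised twice.
  stdout {
    codec => rubydebug
  }
}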

Why? What am I doing wrong?



Drew On BEST ANSWER

Never mind – I updated logstash and now it works fine.