Logstash creates huge local log files (although it then sends them to Elasticsearch)

Problem

I have a machine with logstash on it and another Elasticsearch-Kibana machine that stores logs written using logstash on the first machine. Naturally, I do not want the logs to be stored on the source machine and only be processed in the Elasticsearch cluster.

Unfortunately, logstash creates huge log files on the first computer (where nothing needs to be saved):


Configuration

I have only one file under /etc/logstash on the source computer, and as far as I can see, the local output is not specified in the configuration:

input {
        tcp {
                port => 5959
                codec => json
        }
        udp {
                port => 5959
        }
}
filter{
    json{
        source => "message"
    }
}
filter{
        if [@message] == "Incoming Event" {
            mutate{
                    add_field => {
                              "location" =>  "%{@fields[location]}"
                        }
                }
        }
}
output {
        elasticsearch {
                # The host in which elasticsearch and Kibana live
                host => "some.internal.aws.ip" 
        }
}

How can I stop logstash from writing local logs by configuration? I know that I can help them, but I think that prevention is less error prone.

+4
3

, CentOS 7. - , elasticsearch, logstash logstash.log logstash.stdout

, .

(, , ), --quiet, .

LS_OPTS -variable (/etc/sysconfig/logstash on centos), init.d script, :

# Arguments to pass to logstash agent
LS_OPTS="--quiet"
+6

, , , :

stdout { codec => rubydebug }

30-output.conf logstash

.

+3

logrotate

, --verbose --debug /etc/init.d/logstash. , logrotate .

/etc/logrotate.d/logstash:

/var/log/logstash/*.log {
        daily
        rotate 7
        copytruncate
        compress
        delaycompress
        missingok
        notifempty
}

, :

$ logrotate --force logrotate.d/logstash --verbose
Ignoring logrotate.d/logstash because of bad file mode.

A :

sudo chmod 0644 logrotate.d/logstash

daily hourly, .

, . - , logstash , .

0
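
The settings the answers point at (`--quiet` in `LS_OPTS`, a leftover `stdout { codec => rubydebug }` output, and the logrotate file mode) can be checked together with a small audit script. This is an added example, not code from the thread: the function names and the sample tree are made up for illustration, `stat -c` assumes GNU coreutils as on CentOS, and the mode check treats 0644 (the fix shown above) and 0444 as acceptable.

```shell
#!/bin/sh
# Added example: audit a Logstash host for the causes of local log growth named above.

# List pipeline files that declare a stdout output (commented-out lines match too).
find_stdout_outputs() {            # $1 = pipeline config directory
    grep -rlE '(^|[[:space:]{])stdout[[:space:]]*\{' "$1" 2>/dev/null
}

# Succeed if the LS_OPTS line in the sysconfig file contains the given flag.
ls_opts_has() {                    # $1 = sysconfig file, $2 = flag, e.g. --quiet
    grep -E '^[[:space:]]*LS_OPTS=' "$1" 2>/dev/null | grep -qF -- "$2"
}

# Succeed if the logrotate file mode is 0644 or 0444 (assumed acceptable set).
logrotate_mode_ok() {              # $1 = logrotate config file
    case "$(stat -c '%a' "$1" 2>/dev/null)" in
        644|444) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print one finding per line; return 1 if anything was found.
audit() {                          # $1 = conf dir, $2 = sysconfig, $3 = logrotate file
    rc=0
    hits=$(find_stdout_outputs "$1") || true
    if [ -n "$hits" ]; then echo "$hits" | sed 's/^/stdout-output: /'; rc=1; fi
    for flag in --verbose --debug; do
        if ls_opts_has "$2" "$flag"; then echo "noisy-flag: $flag"; rc=1; fi
    done
    if ! ls_opts_has "$2" --quiet; then echo "no-quiet: $2"; rc=1; fi
    if ! logrotate_mode_ok "$3"; then echo "bad-mode: $3"; rc=1; fi
    return "$rc"
}

# Constructed sample tree (not from the page) so the audit runs offline.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/conf.d"
    printf 'output {\n  stdout { codec => rubydebug }\n}\n' > "$d/conf.d/30-output.conf"
    printf 'output {\n  elasticsearch { host => "es.example.internal" }\n}\n' > "$d/conf.d/31-es.conf"
    printf 'LS_OPTS="--verbose"\n' > "$d/sysconfig"
    printf '/var/log/logstash/*.log {\n  daily\n}\n' > "$d/logrotate"
    chmod 0664 "$d/logrotate"
    echo "$d"
}

sample=$(make_sample)
audit "$sample/conf.d" "$sample/sysconfig" "$sample/logrotate" || echo "findings listed above"
rm -rf "$sample"
```

On a real host the three arguments would be the pipeline directory, /etc/sysconfig/logstash and /etc/logrotate.d/logstash; the non-zero return makes the function usable as a configuration-management check.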

Source: https://habr.com/ru/post/1613183/

