Issues updating logstash filters..

[Jklre]

I'm attempting to add a new filter to logstash on our NLS cluster.

I am adding the below filter to try and cut out some noise from our windows event logs.

Code: Select all

if [type] == 'eventlog' {
   if [Severity] == 'INFO' {
    drop {}
  }
}

i get the below error when trying to verify the config:

Code: Select all

{:timestamp=>"2019-09-25T11:25:38.245000-0700", :message=>"An unexpected error occurred!", :error=>"No config files found: /usr/local/nagioslogserver/tmp5d8bb11952877\nCan you make sure this path is a logstash config file?", :class=>"RuntimeError", :backtrace=>["/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.1-java/lib/logstash/config/loader.rb:58:in `local_config'", "/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.1-java/lib/logstash/config/loader.rb:37:in `load_config'", "/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.1-java/lib/logstash/config/loader.rb:17:in `format_config'", "/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.1-java/lib/logstash/agent.rb:185:in `execute'", "/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.1-java/lib/logstash/runner.rb:94:in `run'", "org/jruby/RubyProc.java:281:in `call'", "/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.1-java/lib/logstash/runner.rb:99:in `run'", "org/jruby/RubyProc.java:281:in `call'", "/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/stud-0.0.23/lib/stud/task.rb:24:in `initialize'"], :level=>:warn}

Any ideas? Thanks in advance.

[mbellerue]

This looks like it's having trouble grabbing the filter you entered from the temp file. Can you ssh into the machine and run these two commands,

Code: Select all

ls -lh /usr/local/nagioslogserver/
ls -lh /usr/local/nagioslogserver/tmp

/usr/local/nagioslogserver/tmp5d8bb11952877 This part of the error seems strange. There is a directory called tmp, and I believe that's where the temporary filter file should live prior to getting added to the configuration. But it's odd that there's no directory separator between tmp and the temporary file name.

[Jklre]

Heres what I see when i execute those commands.

Code: Select all

[sitescope@pnls03lxv ~]$ ls -lh /usr/local/nagioslogserver/
total 0
drwxr-xr-x  7 nagios nagios 128 Apr 25 14:17 elasticsearch
drwxr-xr-x  2 nagios nagios   6 Apr 25 14:17 etc
drwxr-xr-x  7 nagios nagios 187 Apr 25 14:17 logstash
drwxr-xr-x  2 nagios nagios  62 Apr 25 14:17 mibs
drwxr-xr-x  2 nagios nagios 263 Apr 25 14:17 scripts
drwxr-xr-x  2 nagios nagios 282 Sep 24 11:23 snapshots
drwxr-xr-x. 3 nagios nagios  21 Apr 18 15:49 store
drwxr-xr-x  3 nagios nagios  27 Sep 24 11:23 tmp
drwxr-xr-x  2 nagios nagios 115 Apr 25 14:17 var
[sitescope@pnls03lxv ~]$ ls -lh /usr/local/nagioslogserver/tmp
total 0
drwxr-xr-x 2 nagios nagios 6 Apr 25 14:17 elasticsearch
[sitescope@pnls03lxv ~]$

[mbellerue]

Looks like a permissions issue. Try these commands.

Code: Select all

chmod 775 /usr/local/nagioslogserver
chmod 775 /usr/local/nagioslogserver/etc
chmod 775 /usr/local/nagioslogserver/mibs
chmod 775 /usr/local/nagioslogserver/logstash

Then go ahead and try to add your filter and let me know how it goes.