
Re: Not receiving logs after 2.0 upgrade

Posted: Mon Nov 27, 2017 9:21 am
by bpizzutiWHI
Well, a sample isn't going to help since it's literally everything: syslogs, standard event logs, and some custom stuff. Nothing added just before or just after the upgrade process so the attached configs worked before the 2.0 upgrade. If you still need log samples let me know where to PM them, but quite literally nothing is working, and it may be due to that ErrorCode field issue noted above.

Re: Not receiving logs after 2.0 upgrade

Posted: Mon Nov 27, 2017 12:52 pm
by cdienger
With no inputs showing up, this sounds like something bigger than a parsing issue with a single input. Try restarting logstash and elasticsearch with:

Code:

service logstash restart
service elasticsearch restart
and provide a fresh copy of the elasticsearch and logstash log as well as the output of curl -XGET 'http://localhost:9200/_cluster/health/* ... rds&pretty'.

Re: Not receiving logs after 2.0 upgrade

Posted: Mon Nov 27, 2017 1:07 pm
by bpizzutiWHI
Here you go. This looks interesting:

"Grok::PatternError", :error=>"pattern %{CUSTOMAPACHELOG} not defined",

I'm going to comment that one out, but it definitely worked before the update.

Re: Not receiving logs after 2.0 upgrade

Posted: Mon Nov 27, 2017 5:54 pm
by cdienger
The grok pattern error is likely due to some customization being overwritten by the upgrade. The default grok patterns can be found in /usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/grok-patterns. Likely not the cause of not seeing data, but something you'll probably want.

For the main issue, I'd like to take a closer look by getting a profile. Something isn't adding up here. Please open a ticket and attach a profile (Admin > System > System Status > Download System Profile).

Re: Not receiving logs after 2.0 upgrade

Posted: Tue Nov 28, 2017 9:29 am
by bpizzutiWHI
Actually, commenting that out did fix the issue.

We actually came up with a new format for Apache logs that we're deploying, and I wrote a custom grok pattern for it, but we still have some servers using the legacy stuff. Looks like the Apache log patterns were pulled out at some point; I was taking a look at a doc from 2014 and there are two Apache patterns defined, but they're gone in a current-year version of the same doc:

Apr 9, 2014: https://github.com/elastic/logstash/blo ... k-patterns

Mar 4, 2017: https://github.com/logstash-plugins/log ... k-patterns
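
Editor's added example, not part of the thread and not Nagios or Logstash code: a pre-restart check that lists every grok pattern a filter config references, directly or through another pattern, that no pattern file defines, which is the condition behind the "pattern %{CUSTOMAPACHELOG} not defined" error above. The function names and both sample texts are constructed for illustration.

```python
import re

# Grok reference syntax: %{NAME}, %{NAME:field} or %{NAME:field:type}
REF = re.compile(r"%\{([A-Za-z0-9_]+)(?::[^}]*)?\}")
# Pattern-file line: NAME, whitespace, then the regex body
DEFINITION = re.compile(r"^([A-Za-z0-9_]+)\s+(.+)$")

def parse_patterns(text):
    """Return {name: body} from pattern-file text, skipping blanks and comments."""
    defs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = DEFINITION.match(line)
        if m:
            defs[m.group(1)] = m.group(2)
    return defs

def undefined_patterns(config_text, defs):
    """Sorted names the config needs (including nested references) that are undefined."""
    # Commented-out filter lines cannot break the pipeline, so ignore them.
    active = "\n".join(l for l in config_text.splitlines()
                       if not l.lstrip().startswith("#"))
    queue, seen, missing = REF.findall(active), set(), set()
    while queue:
        name = queue.pop()
        if name in seen:
            continue
        seen.add(name)
        if name in defs:
            queue.extend(REF.findall(defs[name]))  # follow nested patterns
        else:
            missing.add(name)
    return sorted(missing)

# Constructed stand-in for a shipped pattern file (not the real contents).
SAMPLE_PATTERNS = r"""
# base patterns
WORD \b\w+\b
INT [+-]?[0-9]+
REQUESTLINE %{WORD:verb} %{URIPATH:request}
"""
# Constructed filter config; one line is commented out, as in the thread.
SAMPLE_CONFIG = r"""
filter {
  grok { match => { "message" => "%{CUSTOMAPACHELOG}" } }
  grok { match => { "message" => "%{REQUESTLINE} %{INT:status:int}" } }
  # grok { match => { "message" => "%{OLDPATTERN}" } }
}
"""
if __name__ == "__main__":
    print(undefined_patterns(SAMPLE_CONFIG, parse_patterns(SAMPLE_PATTERNS)))
```

To use it on a real system, pass in the concatenated text of the shipped grok-patterns file at the path cdienger gives plus any custom pattern files, and the text of the filter configs.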

Re: Not receiving logs after 2.0 upgrade

Posted: Tue Nov 28, 2017 3:38 pm
by dwhitfield
@cdienger and I had a chat about this and it sounds like you know what's going on at this point. Are we ready to lock this up, or did we miss a question?

Re: Not receiving logs after 2.0 upgrade

Posted: Wed Nov 29, 2017 8:45 am
by bpizzutiWHI
I think we're good.

Re: Not receiving logs after 2.0 upgrade

Posted: Wed Nov 29, 2017 3:41 pm
by kyang
Sounds good! I'll be closing this thread!

If you have any more questions, feel free to create another thread.

Thanks for using the Nagios Support Forum!