Configs page empty??
Posted: Thu Mar 22, 2018 2:25 pm
by bpizzutiWHI
This is a little weird. Looks like the log server's config pages are completely empty.
Global Config View:
Code:
#
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Thu, 22 Mar 2018 15:21:18 -0400
#
#
# Global inputs
#
#
# Local inputs
#
#
# Global filters
#
#
# Local filters
#
#
# Global outputs
#
#
# Local outputs
#
However, the listeners are still going, and the filters are still working. When this happened I noticed that the CONF files in /nagioslogserver/logstash/etc/conf.d/ had all been blanked, but I restored a recent backup there, and there's data. At this point should I just paste those files into new input and filter boxes? Seems like kind of a pain if so.
Re: Configs page empty??
Posted: Fri Mar 23, 2018 11:04 am
by cdienger
Restarting the logstash service can automatically reload them:
service logstash restart
If that doesn't do the trick though then I would suggest updating it through the web UI in the method you described. It's usually just a few configs that need to be created so hopefully it isn't too painful. The filter{} wrapper is not needed when adding the filters, e.g.:
Code:
if [program] == 'apache_access' {
    grok {
        match => [ 'message', '%{COMBINEDAPACHELOG}']
    }
    date {
        match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z', 'MMM dd HH:mm:ss', 'ISO8601' ]
    }
    mutate {
        replace => [ 'type', 'apache_access' ]
        convert => [ 'bytes', 'integer' ]
        convert => [ 'response', 'integer' ]
    }
}
if [program] == 'apache_error' {
    grok {
        match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
    }
    mutate {
        replace => [ 'type', 'apache_error' ]
    }
}
Instead of:
Code:
filter {
    if [program] == 'apache_access' {
        grok {
            match => [ 'message', '%{COMBINEDAPACHELOG}']
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z', 'MMM dd HH:mm:ss', 'ISO8601' ]
        }
        mutate {
            replace => [ 'type', 'apache_access' ]
            convert => [ 'bytes', 'integer' ]
            convert => [ 'response', 'integer' ]
        }
    }
    if [program] == 'apache_error' {
        grok {
            match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
        }
        mutate {
            replace => [ 'type', 'apache_error' ]
        }
    }
}
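Added example, not part of the original posts and not Nagios Log Server code: when re-entering filters from backed-up conf.d files, this Python helper strips the top-level filter{} wrapper so the body can be pasted into the web UI, and refuses truncated files. The function name and the sample text are assumptions made for illustration.

```python
import textwrap

def unwrap_section(conf_text, section="filter"):
    """Return the bodies of all top-level `section { ... }` blocks, unwrapped."""
    bodies, head = [], ""
    depth, quote, start, i = 0, None, None, 0
    while i < len(conf_text):
        ch = conf_text[i]
        if quote:                          # inside '...' or "..."
            if ch == "\\":
                i += 1                     # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "#":                    # comment: ignore to end of line
            nl = conf_text.find("\n", i)
            i = len(conf_text) if nl == -1 else nl
        elif ch == "{":
            if depth == 0 and head.strip() == section:
                start = i + 1              # body begins after the wrapper's brace
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unexpected '}' at offset %d" % i)
            if depth == 0:
                if start is not None:
                    bodies.append(textwrap.dedent(conf_text[start:i]).strip("\n"))
                    start = None
                head = ""
        elif depth == 0:
            head += ch                     # collects the top-level block name
        i += 1
    if depth or quote:
        raise ValueError("unbalanced braces or quotes; file may be truncated")
    return "\n".join(bodies)

# Constructed sample in the shape of a conf.d filter file (not from the thread).
SAMPLE = """\
# generated file, stray brace in a comment: }
filter {
    if [program] == 'apache_access' {
        grok {
            match => [ 'message', '%{COMBINEDAPACHELOG}' ]
        }
    }
}
"""
```

Pass the text of a restored backup file to unwrap_section(); an empty result means the file holds no filter block, which is what a blanked file looks like.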
Re: Configs page empty??
Posted: Fri Mar 23, 2018 11:30 am
by bpizzutiWHI
Just FYI, restarting logstash didn't work. This wouldn't be a big deal except I have to go tweak one of the filters. Damn good thing I took a backup of the config files, but I do have quite a bit of custom stuff in there. Guess I'd better get started.
Re: Configs page empty??
Posted: Fri Mar 23, 2018 3:39 pm
by cdienger
Another alternative would be to reload one of the backup configs found under Configure > Config Snapshots (download and review the config first to make sure it's a valid one). Hopefully it isn't a regular occurrence. I've seen this happen when there have been problems with the system - running out of memory or crashes.