Why doesn’t logstash grab or index the files from the mapped drive

elasticsearchkibanalogginglogstashwindows-server-2008-r2

I don't understand why logstash is so finicky with network resources. I shared a folder on another machine and then mapped it as Z: under Windows Explorer. I've verified the path and everything. I can get logstash (with ELK stack) to input local files but it just doesn't seem to do anything with network or mapped resources.

Is there something insanely simple I'm missing here? Do I need additional arguments for outputting mapped drive inputs to elasticsearch?

input { 
file {
  type => "BbLog"
  path => "Z:/*"
}
}

output {
  elasticsearch {
    host => "localhost"
  }
}

Best Answer

A quick search for similar posts found a possible answer, try setting your path to something like:

path => "z:/**/*.log"

Obviously you would want to edit that to fit your configuration, use double * as your wildcards for expansion. I would suggest that starting logstash up asking it to read everything off a network drive probably isn't the best idea, by default the file input will try to expand wildcard globs every 15 seconds, so it might never finish expanding before starting again.

I can't say I have ever used logstash on Windows, but I know there are a few issues when people do, these are probably documented on the github pages if you go and have a dig. Failing that the #logstash irc channel on freenode is almost always quite active.

Related Solutions

Logstash-forwarder is throwing SSL errors

The certificate you are using does not have any valid IP SAN's as mentioned in the message:

Failed to tls handshake with x.x.x.x x509: cannot validate certificate for x.x.x.x because 
it doesn't contain any IP SANs

If you connect using an IP address then your certificate must contain a matching IP SAN to pass validation with Go 1.3 and higher. This is not (yet?) mentioned in any README file or documentation but there are some issues ( #226 , #221 ) open at the project github repo.
To permit IP address as the server name, the SSL cert must include IP address as a subjectAltName field.

To solve that you can use following procedure for the creation of the SSL cert and key:

Create a file notsec.cfr (or any other name) containing output like:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = TG
ST = Togo
L =  Lome
O = Private company
CN = *

[v3_req]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:TRUE
subjectAltName = @alt_names

[alt_names]
DNS.1 = *
DNS.2 = *.*
DNS.3 = *.*.*
DNS.4 = *.*.*.*
DNS.5 = *.*.*.*.*
DNS.6 = *.*.*.*.*.*
DNS.7 = *.*.*.*.*.*.*
IP.1 = 192.168.1.1
IP.2 = 192.168.69.14

If you connect via host names, you can remove the IP SAN's, otherwise add your logstash server IP address.

Create the certificate and key with following command (using the file from point 1):

openssl req -x509 -batch -nodes -newkey rsa:2048 -keyout notsecure.key -out notsecure.crt -config notsec.cnf -days 1825

This will create a kind of wildcard certificate accepting any hostname and the IP addresses mentioned it that file. Of course this is just a simple example and you wil need to adjust the settings to your needs.

Getting logs from systemd unit into flat files and logstash

~~A third party input plugin for logstash that reads the systemd journal directly is available. Adding support directly to logstash remains an open issue.~~

Logstash now includes a systemd journal input plugin.

Best Answer

Related Solutions

Logstash-forwarder is throwing SSL errors

Getting logs from systemd unit into flat files and logstash

Related Topic