
It is working for auth.log but not working for authcopy.log. There is no error message. There is no output.

This is working.

sudo /usr/share/logstash/bin/logstash -e 'input { file { path => "/var/log/auth.log" } }'

output:

{
      "@version" => "1",
          "host" => "removed",
          "path" => "/var/log/auth.log",
    "@timestamp" => 2018-01-10T23:51:39.912Z,
       "message" => "Jan 10 20:17:55 removed sudo: pam_unix(sudo:session): session closed for user root"
}

...

This is not working.

sudo /usr/share/logstash/bin/logstash -e 'input { file { path => "/var/log/authcopy.log" } }'

There is no error message. There is no output.

Copied auth.log to authcopy.log

sudo cp /var/log/auth.log /var/log/authcopy.log

sudo chmod 777 /var/log/authcopy.log

ls -l /var/log/auth*.log
-rwxrwxrwx 1 root root 391617 Jan 10 19:30 /var/log/authcopy.log
-rw-r----- 1 syslog adm 395465 Jan 10 20:13 /var/log/auth.log

databeata
  • Have you checked /var/logs/logstash? No error log there? Your output is a file plugin? – MrSimple Jan 15 '18 at 07:54
  • Logstash remembers what files it has read and where it has stopped reading. So once Logstash has read a file and it does not change, opening this file again will not output anything. See https://stackoverflow.com/a/25119894/6113627 – baudsp Jan 15 '18 at 13:02
  • @baudsp thanks, it worked, sincedb_path => "/dev/null" start_position => "beginning". – databeata Jan 17 '18 at 15:46
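The settings from the last comment, written out as a complete pipeline so the cause and the fix are visible in one place. This is an added example, not configuration from the question or from the Logstash project; the pipeline file name and the persistent sincedb path in the comments are assumptions.

```conf
# Added example: minimal Logstash pipeline for the copied log file.
#
# Why the copy produced nothing: the file input keeps a bookmark (the sincedb)
# of how far it has read each file and only emits lines appended after that
# offset. A file that has already been read and has not grown yields no
# events and no error, which is exactly the silent result seen above.
input {
  file {
    path => "/var/log/authcopy.log"

    # Read new files from offset 0 instead of tailing from the end.
    start_position => "beginning"

    # Throw the bookmark away so every run re-reads the whole file.
    # Suitable for a one-off test; for a long-running pipeline keep a real
    # path instead, e.g. "/var/lib/logstash/sincedb-authcopy" (assumed path),
    # otherwise each restart replays the file and duplicates events downstream.
    sincedb_path => "/dev/null"
  }
}

output {
  # Same layout as the output shown in the question.
  stdout { codec => rubydebug }
}
```

Save it as, say, authcopy.conf (assumed name) and run it with `sudo /usr/share/logstash/bin/logstash -f authcopy.conf`. Two things worth noting from the question itself: both runs were started with sudo, so the chmod 777 on the copy was not what made the difference and is not needed for Logstash to read it; and with sincedb_path pointing at /dev/null, the first run after any restart will emit every line of the file again, so use that setting for debugging and switch to a persistent sincedb path before wiring the output to Elasticsearch or any other store where duplicate events would matter.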
