Logstash with Elasticsearch

I am trying to connect Logstash with Elasticsearch but cannot get it working.

Here is my logstash conf:

input {
  stdin {
    type => "stdin-type"
  }

  file {
    type => "syslog-ng"

    # Wildcards work, here :)
    path => [ "/var/log/*.log", "/var/log/messages", "/var/log/syslog" ]
  }
}

output {
  stdout { }
  elasticsearch {
    type => "all"
    embedded => false
    host => "192.168.0.23"
    port => "9300"
    cluster => "logstash-cluster"
    node_name => "logstash"
  }
}

And I only changed these details in my elasticsearch.yml

cluster.name: logstash-cluster
node.name: "logstash"
node.master: false
network.bind_host: 192.168.0.23
network.publish_host: 192.168.0.23
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["localhost"]

With these configurations I could not make Logstash connect to ES. Can someone please suggest where I am going wrong?

Fatih Karatana asked Jun 11 '13 14:06


1 Answer

First, I suggest matching your "type" attributes up. In your input you have 2 different types, and in your output you have a type that doesn't exist in any of your inputs.

For testing, change your output to:

output {
  stdout { }
  elasticsearch {
    type => "stdin-type"
    embedded => false
    host => "192.168.0.23"
    port => "9300"
    cluster => "logstash-cluster"
    node_name => "logstash"
  }
}

Then, have you created an index on your ES instance?

From the guides I've used, and my own experience (others may have another way that works) I've always used an index so that when I push something into ES, I can use the ES API and quickly check if the data has gone in or not.

Another suggestion would be to simply run your Logstash forwarder and indexer with debug flags to see what is going on behind the scenes.

Can you connect to your ES instance on 127.0.0.1? Also, try to experiment with the port and host. As a rather new user of the Logstash system, I found that my understanding at the start went against the reality of the setup. Sometimes the host IP isn't what you think it is, as well as the port. If you are willing to check your network and identify listening ports and IPs, then you can sort this out, otherwise do some intelligent trial and error.

I highly recommend this guide as a comprehensive starting point. Both points I've mentioned are (in)directly touched upon in the guide. While the guide has a slightly more complex starting point, the ideas and concepts are thorough.

Adam answered Oct 14 '22 04:10
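The first check in the answer above (an output `type` that no input declares), as an added example that is not part of the original question or answer. It is a small Python checker run over a constructed copy of the question's config; the function names are hypothetical, and it assumes plugin blocks contain no nested braces.

```python
import re

# Constructed sample: the Logstash config from the question (comment line dropped).
QUESTION_CONF = '''
input {
  stdin { type => "stdin-type" }
  file {
    type => "syslog-ng"
    path => [ "/var/log/*.log", "/var/log/messages", "/var/log/syslog" ]
  }
}
output {
  stdout { }
  elasticsearch {
    type => "all"
    host => "192.168.0.23"
  }
}
'''

def section_body(conf, name):
    """Return the text inside a top-level section such as input or output."""
    m = re.search(r'^\s*%s\s*\{' % re.escape(name), conf, re.M)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[m.end():i]
    raise ValueError("unbalanced braces in %s section" % name)

def plugin_types(body):
    """List (plugin, type) pairs for a section; type is None when unset."""
    pairs = []
    # Assumes plugin blocks contain no nested braces, as in the question.
    for plugin, settings in re.findall(r'(\w+)\s*\{([^{}]*)\}', body):
        m = re.search(r'\btype\s*=>\s*"([^"]*)"', settings)
        pairs.append((plugin, m.group(1) if m else None))
    return pairs

def unmatched_output_types(conf):
    """Return output plugins whose type no input plugin declares."""
    declared = {t for _, t in plugin_types(section_body(conf, "input")) if t}
    outputs = plugin_types(section_body(conf, "output"))
    return [(p, t) for p, t in outputs if t and t not in declared]

if __name__ == "__main__":
    print(unmatched_output_types(QUESTION_CONF))
```

Outputs with no `type` setting, such as the `stdout` block, are not reported.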