Logstash-OSS with Opensearch Plugin Failed to Execute Action

Hello,
I have an issue with the Logstash-OSS with Opensearch plugin. I keep getting the following error and it just loops in my terminal until I kill the process. I’m totally lost as to what could be causing the issue. According to the error the issue seems to be in the pipelines.yml file but I have compared what I have to the example in the pipelines.yml file, the documentation on the Opensearch and Elastic websites and even went as far as to look at the source code on Github and it matches up but I still get the error and the failed loop. Does anyone have any ideas to what I’m doing wrong?

Below are the DEBUG logs:

[2021-12-20T13:42:48,531][DEBUG][logstash.instrument.periodicpoller.jvm] collector name {:name=>"ParNew"}
[2021-12-20T13:42:48,531][DEBUG][logstash.instrument.periodicpoller.jvm] collector name {:name=>"ConcurrentMarkSweep"}
[2021-12-20T13:42:50,923][DEBUG][logstash.config.source.local.configpathloader] Skipping the following files while reading config since they don't match the specified glob pattern {:files=>["/home/user/logstash-7.16.1/config/conf.d", "/home/user/logstash-7.16.1/config/config", "/home/user/logstash-7.16.1/config/jvm.options", "/home/user/logstash-7.16.1/config/log4j2.properties", "/home/user/logstash-7.16.1/config/logstash-sample.conf", "/home/user/logstash-7.16.1/config/logstash.yml", "/home/user/logstash-7.16.1/config/startup.options"]}
[2021-12-20T13:42:50,924][DEBUG][logstash.config.source.local.configpathloader] Reading config file {:config_file=>"/home/user/logstash-7.16.1/config/pipelines.yml"}
[2021-12-20T13:42:50,925][DEBUG][logstash.agent           ] Converging pipelines state {:actions_count=>1}
[2021-12-20T13:42:50,927][DEBUG][logstash.agent           ] Executing action {:action=>LogStash::PipelineAction::Create/pipeline_id:main}
^C[2021-12-20T13:42:50,938][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"input\", \"filter\", \"output\" at line 16, column 1 (byte 614) after ", :backtrace=>["/home/user/logstash-7.16.1/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:187:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in `initialize'", "/home/user/logstash-7.16.1/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "/home/user/logstash-7.16.1/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "/home/user/logstash-7.16.1/logstash-core/lib/logstash/agent.rb:383:in `block in converge_state'"]}
[2021-12-20T13:42:50,942][WARN ][logstash.runner          ] SIGINT received. Shutting down.

Below is the snippet from the pipelines.yml:

# List of pipelines to be loaded by Logstash
#
# This document must be a list of dictionaries/hashes, where the keys/values are pipeline settings.
# Default values for omitted settings are read from the `logstash.yml` file.
# When declaring multiple pipelines, each MUST have its own `pipeline.id`.
#
# Example of two pipelines:
#
# - pipeline.id: test
#   pipeline.workers: 1
#   pipeline.batch.size: 1
#   config.string: "input { generator {} } filter { sleep { time => 1 } } output { stdout { codec => dots } }"
# - pipeline.id: another_test
#   queue.type: persisted
#   path.config: "/tmp/logstash/*.config"
- pipeline.id: syslog.hosts
  pipeline.workers: 1
  pipeline.output.workers: 1
  path.config: "/home/user/logstash-7.16.1/config/conf.d/03-syslog-input.conf"
- pipeline.id: syslog.switches
  pipeline.workers: 1
  pipeline.output.workers: 1
  path.config: "/home/user/logstash-7.16.1/config/conf.d/04-switches-input.conf"
  queue.type: persisted
- pipeline.id: beats
  pipeline.workers: 1
  pipeline.output.workers: 1
  path.config: "/home/user/logstash-7.16.1/config/conf.d/02-beats-input.conf"
  queue.type: persisted
# Available options:
#
#   # name of the pipeline
#   pipeline.id: mylogs

Below is one of the conf files, not posting all because the configs are more or less the same minus the obvious:

input {
  tcp {
    port => 5514
    type => syslog
  }
  udp {
    port => 5514
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  opensearch {
    hosts => ["https://localhost:9200"]
    ssl => true
    ssl_certificate_verification => false
    cacert => "/home/user/logstash-7.16.1/config/config/root-ca.pem"
    user => X
    password => X
    ilm_enabled => auto
    manage_template => false
    index => "logstash-hosts-%{+YYYY.MM.dd}"
  }
}

Server Info:
Opensearch 1.2.2
Dashboards 1.2.0
Logstash-OSS from Opensearch 7.16.1

The error says you have a mistake in your config file on line 16, which is the add_field line.

The correct syntax for add_field is:

    add_field => {
      "foo_%{somefield}" => "Hello world, from %{host}"
      "new_field" => "new_static_value"
    }

Does that fix it?

I do not think the error is talking about the 03-syslog-input.conf file but rather the pipelines.yml file. If I comment out the portions in the pipelines.yml file related to the 03-syslog-input.conf pipeline, the issue still persists and then the “error” references line 20.

New pipelines.yml file after changes mentioned above:

# List of pipelines to be loaded by Logstash
#
# This document must be a list of dictionaries/hashes, where the keys/values are pipeline settings.
# Default values for omitted settings are read from the `logstash.yml` file.
# When declaring multiple pipelines, each MUST have its own `pipeline.id`.
#
# Example of two pipelines:
#
# - pipeline.id: test
#   pipeline.workers: 1
#   pipeline.batch.size: 1
#   config.string: "input { generator {} } filter { sleep { time => 1 } } output { stdout { codec => dots } }"
# - pipeline.id: another_test
#   queue.type: persisted
#   path.config: "/tmp/logstash/*.config"
# - pipeline.id: syslog.hosts
#   pipeline.workers: 1
#   pipeline.output.workers: 1
#   path.config: "/home/user/logstash-7.16.1/config/conf.d/03-syslog-input.conf"
 - pipeline.id: syslog.switches
   pipeline.workers: 1
   pipeline.output.workers: 1
   path.config: "/home/user/logstash-7.16.1/config/conf.d/04-switches-input.conf"
   #   queue.type: persisted
 - pipeline.id: beats
   pipeline.workers: 1
   pipeline.output.workers: 1
   path.config: "/home/user/logstash-7.16.1/config/conf.d/02-beats-input.conf"
   queue.type: persisted

The new error:

[2021-12-20T17:51:24,025][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"input\", \"filter\", \"output\" at line 20, column 1 (byte 790) after ", :backtrace=>["/home/user/logstash-7.16.1/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:187:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in `initialize'", "/home/user/logstash-7.16.1/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "/home/user/logstash-7.16.1/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "/home/user/logstash-7.16.1/logstash-core/lib/logstash/agent.rb:383:in `block in converge_state'"]}
[2021-12-20T17:51:25,267][WARN ][logstash.runner          ] SIGINT received. Shutting down.

Disclaimer: I am coming from a Logstash 7.10.2 install where all of the current configs work fine. I’m aware that things changed in regard to Grok filter “syntax” and I may just be misunderstanding the error?

Hi, the error definitely seems to be complaining about not being able to parse the logstash pipeline .conf files. I have validated the pipeline you posted earlier and it actually says it is fine, so I suspect it may be in your other .conf files?

Try running logstash --config.test_and_exit -f /home/user/logstash-7.16.1/config/conf.d/*.conf to see if logstash can parse it correctly aside from your pipelines.yml file. If it says an error like you posted above then try commenting out certain lines of your config to try to locate it. The line number may also be helpful.

Ok, I got the below error when I ran the command you suggested. I’m guessing you are right, this issue is with my .conf files. Thank you for your help so far but I’m going to have to pick it up again tomorrow. I’ll take another look at the docs for the input files for Logstash and see what adjustments I can make. I’ll let you know if I find anything. Thanks again.

ERROR: Unknown command '/home/user/logstash-7.16.1/config/conf.d/03-syslog-input.conf'

Hmm, that didn’t work, that’s my mistake. I think you need to run it on the directory i.e. logstash --config.test_and_exit -f /home/user/logstash-7.16.1/config/conf.d/, or run it on individual conf files one at a time.

Without seeing more of your config there’s not much more help I can give. Check your brackets {} are matching, check your quote marks " match. Logstash will tell you the line number of the parse error (if all the files were concatenated together). If you still can’t see it, try commenting out sections one at a time until it passes.


Ok, running against the individual config files seems to give a little bit more info however, still vague in my opinion. Getting this same error against every config file in the conf.d directory.

[2021-12-21T09:00:14,964][FATAL][logstash.runner          ] The given configuration is invalid. Reason: Unable to configure plugins: (ConfigurationError) Something is wrong with your configuration.

I think I found it, I need to fix this:

[2021-12-21T09:06:30,357][ERROR][logstash.outputs.opensearch] Unknown setting 'ilm_enabled' for opensearch

Yes, the opensearch output doesn’t have that setting in the config. Hope that removing that fixes it for you.

Yes, commenting it out passes validation but I’m curious to know if there is an “Opensearch output” alternative to the same setting or if it is truly no longer needed? I’ll roll with it commented out for now and investigate the docs some more after I get Logstash going. Thank you for your assistance again.

I believe that the ilm_enabled in the elasticsearch output is an override to the default setting that detects whether ilm is available. Since it is always available in OpenSearch I’m guessing that this is no longer necessary?

I can see it was removed in the code here, but I can see no explanation of why this setting is now removed: Remove iml files · opensearch-project/logstash-output-opensearch@70d61c0 · GitHub

Of course, ILM is an xpack thing so it won’t be present in OpenSearch.

Ok, just as an update if anyone else comes across this. My issues with Logstash not starting were caused by three issues that are listed below. @jong Thank you for your assistance, that --config.test_and_exit command helped out a lot in my troubleshooting and I wish I would’ve known about it sooner.

  1. Since I was coming from a Logstash-OSS 7.10.2 install, I had ilm_enabled which needs to be removed when using Opensearch’s version of Logstash.

  2. My pipelines.yml file needed the pipeline.output.workers: 1 line removed as it is not an allowed setting.

  3. When starting Logstash, I was specifying the pipelines.yml file using the -f switch which is for specifying individual “pipeline” config files and not meant for pointing to an actual pipelines.yml.

After doing the above three tasks, I created a Systemd service file to start Logstash using Systemd instead of running a command as a non-root user and staying logged into the server til the end of time. The goal is to eventually move over to a Docker deployment making updating/upgrading and general lifecycle maintenance of Opensearch easier.

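An added example, not written by anyone in the thread or by the Logstash or OpenSearch projects: shell functions that statically check for the three causes listed in the summary above, and that also flag the `ssl_certificate_verification => false` line from the posted output block, which turns off validation of the server certificate. The function names and the sample files are constructed, and the top-level check only approximates the rule quoted in the error message.

```shell
#!/usr/bin/env bash
# Added example: static pre-checks for the three causes listed in the thread.
# Function names and the sample files written by demo() are constructed.

# Cause 1: settings inside an opensearch output block. Also notes the
# ssl_certificate_verification => false line from the posted config.
check_conf() {
  awk -v f="$1" '
    /^[ \t]*#/ { next }
    /opensearch[ \t]*[{]/ { in_os = 1; depth = 0 }
    in_os {
      if ($0 ~ /ilm_enabled[ \t]*=>/)
        printf "%s:%d: ilm_enabled is unknown to the opensearch output\n", f, NR
      if ($0 ~ /ssl_certificate_verification[ \t]*=>[ \t]*false/)
        printf "%s:%d: TLS certificate verification is disabled\n", f, NR
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (depth <= 0) in_os = 0
    }' "$1"
}

# Cause 2: an active (uncommented) pipeline.output.workers key in pipelines.yml.
check_pipelines_yml() {
  awk -v f="$1" '/^[ \t]*(-[ \t]*)?pipeline\.output\.workers[ \t]*:/ {
    printf "%s:%d: pipeline.output.workers is not an allowed setting\n", f, NR
  }' "$1"
}

# Cause 3: a file given to -f is parsed as pipeline config. Approximating the
# rule in the error message, print the first top-level line that is not blank,
# a comment, or the start of an input/filter/output section.
first_bad_line() {
  awk '/^[ \t]*#/ { next }
    depth == 0 && !/^[ \t\r]*$/ && !/^[ \t]*(input|filter|output)[ \t]*[{]/ { print NR; exit }
    { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }' "$1"
}

demo() {
  d=$(mktemp -d)
  printf '# c\n# c\n- pipeline.id: beats\n  pipeline.output.workers: 1\n' > "$d/pipelines.yml"
  printf 'output {\n  opensearch {\n    ilm_enabled => auto\n  }\n}\n' > "$d/out.conf"
  check_conf "$d/out.conf"
  check_pipelines_yml "$d/pipelines.yml"
  printf '%s\n' "pipelines.yml given to -f stops at line $(first_bad_line "$d/pipelines.yml")"
  rm -rf "$d"
}
demo
```

On the two pipelines.yml snippets as posted, `first_bad_line` gives 16 and 20, the line numbers in the two errors: the parser skips the leading comment lines and stops at the first YAML entry.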