
For testing, I created a file in my home directory:

```
touch /home/testuser/test.log
```

I use td-agent to deliver logs to Elasticsearch (EFK).

This is my test configuration in td-agent.conf:

```
<source>
  @type tail
  path /home/testuser/test.log
  read_from_head true
  tag test.**
  <parse>
    @type none
  </parse>
</source>

<filter *.**>
  @type record_transformer
  enable_ruby
  <record>
    hostname "#{Socket.gethostname}"
  </record>
</filter>

<match test.**>
  @type elasticsearch
  host .....
  port .....
  user .....
  password .....
  logstash_format true
  logstash_prefix test
  flush_interval 1s
</match>
```

Then I started the agent. There are no errors in the agent's logs. It is written that the agent monitors the specified file.

After that, I started filling in the log:

```
echo "123" >> test.log
echo "456" >> test.log
echo "789" >> test.log
```

No new entries have appeared in the td-agent logs. In Kibana, the index `test-*` does not appear.

What am I doing wrong?

Alexey Nakhimov
  • For debugging purposes, it's better to use `stdout` output plugin before sending logs out to ElasticSearch. According to the documentation of [`read_from_head`](https://docs.fluentd.org/input/tail#read_from_head), "When this is `true`, `in_tail` tries to read a file during startup phase. If target file is large, it takes long time and starting other plugins isn't executed until reading file is finished." I guess that your file is empty on start, right? Otherwise, you'd see its content on startup. – Azeem Aug 05 '20 at 01:42
  • Relevant: https://docs.fluentd.org/input/tail#in_tail-doesnt-start-to-read-the-log-file-why – Azeem Aug 05 '20 at 01:44
  • I tried to specify a small, non-empty file - nothing appeared either. Also tried specifying a 2 megabyte `catalina.out` file from Tomcat - also without result. – Alexey Nakhimov Aug 05 '20 at 06:40
  • Could you please try with a minimal configuration? For example, tail a file that grows every second and its output on stdout. I believe there's a similar question asked recently. Click on the fluentd tag and you'll see the questions. – Azeem Aug 05 '20 at 08:18
  • Output to stdout with td-agent? – Alexey Nakhimov Aug 05 '20 at 10:05
  • Yes. Just to verify that `tail` works and it forwards logs to filter and then they are routed to stdout. You'll be sure that this part is working fine. Then, you can proceed with ElasticSearch. – Azeem Aug 05 '20 at 10:08
  • Are you using kubernetes container and keeping the logs? – Anurag Jain Aug 08 '20 at 11:01
  • @Azeem I'm trying stdout: `@type stdout`. In log all good:

    ```
    2020-08-09 13:06:15 +0400 [info]: #0 starting fluentd worker pid=178463 ppid=178460 worker=0
    2020-08-09 13:06:15 +0400 [info]: #0 following tail of /home/nahimov/test.log
    2020-08-09 13:06:15.298175189 +0400 test.home.nahimov.test.log: {"message":"123","hostname":"nahimov-laptop"}
    2020-08-09 13:06:15.298187063 +0400 test.home.nahimov.test.log: {"message":"456","hostname":"nahimov-laptop"}
    ```

    – Alexey Nakhimov Aug 09 '20 at 09:10
  • @AlexeyNakhimov: Are you seeing logs now? The log file `/home/testuser/test.log` is empty at startup or are there any logs in it? Did you test with `read_from_head false` and manually pushing logs to it using `echo` command or some other way? Did you try with a test file other than this one? – Azeem Aug 09 '20 at 09:14
  • @AnuragJain No. Native `td-agent` and file in host system – Alexey Nakhimov Aug 09 '20 at 09:15
  • @AlexeyNakhimov: As per your edited comment, the logs are coming up, right? – Azeem Aug 09 '20 at 09:16
  • @Azeem I found the problem! It is the parameter `logstash_format true`. If I remove this parameter, then the contents of the `test.log` file are passed to Elasticsearch. But in this case the `logstash_prefix test` parameter does not work, the index has the name `fluentd` and it does not look like, for example, the syslog index in Kibana: `system-2020.08.08` – Alexey Nakhimov Aug 09 '20 at 10:08
  • @AlexeyNakhimov: Good going! I believe that you're looking for [`index_name`](https://docs.fluentd.org/output/elasticsearch#index_name-optional). – Azeem Aug 09 '20 at 10:21
  • @Azeem Yes! It works! Thanks! – Alexey Nakhimov Aug 09 '20 at 10:43
  • @AlexeyNakhimov: Awesome! :) And, welcome! You might want to post an answer for this to help others facing a similar issue. Cheers! – Azeem Aug 09 '20 at 10:47
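
The debugging step and the fix worked out in the comments above, combined into one td-agent configuration as an added example (not posted by either commenter): `@type copy` writes each event to stdout and to Elasticsearch at the same time, and `index_name` is used in place of `logstash_format` / `logstash_prefix`. The fixed tag, the `pos_file` path and the connection placeholders are assumptions.

```conf
# Added example, not from the original thread.
<source>
  @type tail
  path /home/testuser/test.log
  # Assumed location; in_tail records its read position here across restarts.
  pos_file /var/log/td-agent/test.log.pos
  read_from_head true
  # Fixed tag (assumption) so the filter and match patterns below are unambiguous.
  tag test.log
  <parse>
    @type none
  </parse>
</source>

<filter test.**>
  @type record_transformer
  enable_ruby true
  <record>
    hostname "#{Socket.gethostname}"
  </record>
</filter>

<match test.**>
  @type copy
  # Store 1: print every event to the td-agent log to confirm tail and filter work.
  <store>
    @type stdout
  </store>
  # Store 2: ship the same events to Elasticsearch.
  <store>
    @type elasticsearch
    # Placeholders: replace with your own connection settings.
    host ES_HOST_PLACEHOLDER
    port ES_PORT_PLACEHOLDER
    user ES_USER_PLACEHOLDER
    password ES_PASSWORD_PLACEHOLDER
    # Fixed index name, as suggested in the comments.
    index_name test
    flush_interval 1s
  </store>
</match>
```

If events show up in the td-agent log but not in Elasticsearch, the problem is on the output side rather than in `in_tail`.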
