search

driskell / log-courier

The Log Courier Suite is a set of lightweight tools created to ship and process log files speedily and securely, with low resource usage, to Elasticsearch or Logstash instances.
Other
419 stars 107 forks source link

log-courier/logstash plugin crashes when log-courier.conf on the log-shipper is configured with "fields": { ..., "tags": "custom_tag" #118

Closed rogerthat closed 9 years ago

rogerthat commented 9 years ago

i have the logshipper configure as follows:

...
  "files": [
    {
      "paths": [
        "/var/log/messages",
        "/var/log/syslog",
        "/var/log/daemon.log"
      ],

      "fields": { "type": "syslog", "tags": "my_tag" }
    }, {
      "paths": [
        "/var/log/apache/*access.log"
      ],
      "fields": { "type": "apache_access", "tags": "my_tag"  }
    }, {
      "paths": [
        "/var/log/auth.log"
      ],
      "fields": { "type": "auth_log", "tags": "my_tag"  }
    }, {
...

logstash/log-courier - input - plugin crashes with the following message:

{:timestamp=>"2015-02-19T20:59:10.425000+0100", :message=>"A plugin had an unrecoverable error. Will restart this plugin.\n  Plugin: <LogStash::Inputs::Courier ssl_certificate=>\"/etc/logstash/ssl/logstash-forwarder.crt\", ssl_key=>\"/etc/logstash/ssl/logstash-forwarder.key\", tags=>[\"logstash_fw\"], host=>\"0.0.0.0\", transport=>\"tls\">\n  Error: can't convert Array into String", :level=>:error, "plugin"=>"input/courier", "port"=>1514}
{:timestamp=>"2015-02-19T20:59:11.428000+0100", :hint=>"Unknown error, shutting down", :level=>:warn, :message=>"undefined method `nil' for #<Cabin::Channel:0x43838e5e>", :exception=>NoMethodError, :backtrace=>["elk/logstash-1.4.2/vendor/bundle/jruby/1.9/gems/log-courier-1.3.1.g1d79349/lib/log-courier/server_tcp.rb:137:in `run'", "org/jruby/RubyKernel.java:1521:in `loop'", "/elk/logstash-1.4.2/vendor/bundle/jruby/1.9/gems/log-courier-1.3.1.g1d79349/lib/log-courier/server_tcp.rb:128:in `run'", "/elk/logstash-1.4.2/vendor/bundle/jruby/1.9/gems/log-courier-1.3.1.g1d79349/lib/log-courier/server.rb:73:in `run'"], "plugin"=>"input/courier", "port"=>1514}

when i'm configuring it the following way everything works fine:

  "files": [
    {
      "paths": [
        "/var/log/messages",
        "/var/log/syslog",
        "/var/log/daemon.log"
      ],

      "fields": { "type": "syslog", "my_tag": "yes }
    }, {
      "paths": [
        "/var/log/apache/*access.log"
      ],
      "fields": { "type": "apache_access", "my_tag": "yes  }
    }, {
      "paths": [
        "/var/log/auth.log"
      ],
      "fields": { "type": "auth_log", "my_tag": "yes  }
    }, {
...

it seems, i cannot use "tags" as field - designator?

driskell commented 9 years ago

If you use tags as an array it will probably work.

"fields": { "type": "auth_log", "tags": [ "yes" ] }

I'll look into why the string is causing a crash though, I wouldn't've expected it to.

rogerthat commented 9 years ago

i'll test it again with the array

driskell commented 9 years ago

@rogerthat I fixed second issue (unknown error) in develop branch.

I did a PR #120 which fixes the array conversion error. It converts string tags automatically into an array (logstash requires it to be an array). I just need to do some tests before I can merge it, but you're welcome to try it out, it should have the above unknown error fix in it too.

rogerthat commented 9 years ago

i'll test both, ["tags"] with the old version and the new version and report back later, think to have it done today

driskell commented 9 years ago

Thanks. Let me know if it works well. I aim to get some tests written first and then merge the fix - so maybe a week.