logstash crashes with error

[denmark111]

Describe the bug While trying to make it work as described in HOWTO guide, I noticed that logstash crashes repeatedly with error below

To Reproduce Steps to reproduce the behavior: Install ELK as described in the guide.

Screenshots [ERROR LOG] logstash | Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console logstash | [INFO ] 2020-04-18 18:01:51.803 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"7.6.1"} logstash | [INFO ] 2020-04-18 18:01:57.122 [Converge PipelineAction::Create

] Reflections - Reflections took 89 ms to scan 1 urls, producing 20 keys and 40 values logstash | [ERROR] 2020-04-18 18:01:58.014 [Converge PipelineAction::Create

] geoip - Invalid setting for geoip filter plugin: logstash | logstash | filter { logstash | geoip { logstash | # This setting must be a path logstash | # File does not exist or cannot be opened /usr/share/logstash/GeoIP/GeoLite2-ASN.mmdb logstash | database => "/usr/share/logstash/GeoIP/GeoLite2-ASN.mmdb" logstash | ... logstash | } logstash | } logstash | [ERROR] 2020-04-18 18:01:58.018 [Converge PipelineAction::Create

] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"Java::JavaLang::IllegalStateException", :message=>"Unable to configure plugins: (ConfigurationError) Something is wrong with your configuration.", :backtrace=>["org.logstash.config.ir.CompiledPipeline.(CompiledPipeline.java:103)", "org.logstash.execution.JavaBasePipelineExt.initialize(JavaBasePipelineExt.java:60)", "org.logstash.execution.JavaBasePipelineExt$INVOKER$i$1$0$initialize.call(JavaBasePipelineExt$INVOKER$i$1$0$initialize.gen)", "org.jruby.internal.runtime.methods.JavaMethod$JavaMethodN.call(JavaMethod.java:837)", "org.jruby.ir.runtime.IRRuntimeHelpers.instanceSuper(IRRuntimeHelpers.java:1169)", "org.jruby.ir.instructions.InstanceSuperInstr.interpret(InstanceSuperInstr.java:84)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:361)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:72)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:86)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:73)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:332)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:86)", "org.jruby.RubyClass.newInstance(RubyClass.java:915)", "org.jruby.RubyClass$INVOKER$i$newInstance.call(RubyClass$INVOKER$i$newInstance.gen)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:332)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:86)", "org.jruby.ir.instructions.CallBase.interpret(CallBase.java:540)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:361)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:72)", "org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:92)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:191)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:178)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:208)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:396)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:205)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:325)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:72)", "org.jruby.ir.interpreter.Interpreter.INTERPRET_BLOCK(Interpreter.java:116)", "org.jruby.runtime.MixedModeIRBlockBody.commonYieldPath(MixedModeIRBlockBody.java:143)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:79)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:71)", "org.jruby.runtime.Block.call(Block.java:125)", "org.jruby.RubyProc.call(RubyProc.java:274)", "org.jruby.internal.runtime.RubyRunnable.run(RubyRunnable.java:105)", "java.base/java.lang.Thread.run(Thread.java:834)"]} logstash | warning: thread "Converge PipelineAction::Create

" terminated with exception (report_on_exception is true): logstash | LogStash::Error: Don't know how to handle Java::JavaLang::IllegalStateException for PipelineAction::Create<main> logstash | create at org/logstash/execution/ConvergeResultExt.java:109 logstash | add at org/logstash/execution/ConvergeResultExt.java:37 logstash | converge_state at /usr/share/logstash/logstash-core/lib/logstash/agent.rb:339 logstash | [ERROR] 2020-04-18 18:01:58.058 [Agent thread] agent - An exception happened when converging configuration {:exception=>LogStash::Error, :message=>"Don't know how to handle Java::JavaLang::IllegalStateException for PipelineAction::Create<main>", :backtrace=>["org/logstash/execution/ConvergeResultExt.java:109:in create'", "org/logstash/execution/ConvergeResultExt.java:37:inadd'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:339:in block in converge_state'"]} logstash | [FATAL] 2020-04-18 18:01:58.088 [LogStash::Runner] runner - An unexpected error occurred! {:error=>#<LogStash::Error: Don't know how to handleJava::JavaLang::IllegalStateExceptionforPipelineAction::Create

>, :backtrace=>["org/logstash/execution/ConvergeResultExt.java:109:increate'", "org/logstash/execution/ConvergeResultExt.java:37:in add'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:339:inblock in converge_state'"]} logstash | [ERROR] 2020-04-18 18:01:58.112 [LogStash::Runner] Logstash - java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit

Operating System (please complete the following information):

• OS (printf "$(uname -srm)\n$(cat /etc/os-release)\n"): Linux 4.15.0-96-generic x86_64 NAME="Ubuntu" VERSION="18.04.4 LTS (Bionic Beaver)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 18.04.4 LTS" VERSION_ID="18.04" HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=bionic UBUNTU_CODENAME=bionic

• Version of Docker (docker -v): Docker version 19.03.8, build afacb8b7f0

• Version of Docker-Compose (docker-compose -v): docker-compose version 1.17.1, build unknown

Elasticsearch, Logstash, Kibana (please complete the following information):

**Service logs

• docker-compose logs pfelk01
• docker-compose logs pfelk02
• docker-compose logs pfelk03
• docker-compose logs logstash
• docker-compose logs kibana

Additional context Add any other context about the problem here.

[denmark111]

Seems like GeoLite2-ASN.mmdb is missing since I only see GeoLite2-City.mmdb and GeoLite2-Country.mmdb in /usr/share/GeoIP directory with additional GeoIP.dat, GeoIPv6.dat.

[a3ilson]

It appears the location of the MaxMind files cannot be located. You'll need to modify your GeoIP.conf file (/etc/GeoIP.conf) and amend line 13 as follows: EditionIDs GeoLite2-City GeoLite2-Country GeoLite2-ASN Next, run sudo geoipupdate -d /usr/share/GeoIP/

That should pull the required MaxMind files. Restart the docker and it should work. I'll update the instructions. Thanks for the feedback!

[denmark111]

Thanks for your quick feedback! Modifying GeoIP.conf did the trick!!