node-logstash's Introduction

node-logstash

What is it ?

It's a NodeJS implementation of Logstash.

What to do with node-logstash?

node-logstash is a tool to collect logs on servers. It sends those logs to a central server and to ElasticSearch for indexing.

On top of ElasticSearch, you can use a specialized interface like Kibana to dive into your logs.

Why a new implementation?

When I tried logstash, I had some problems. This project mainly addresses those problems. This version should have:

  • lower memory footprint
  • lower CPU footprint
  • shorter startup delay

Moreover, it's written in NodeJS, which is a perfect language for I/O-heavy programs.

node-logstash is compatible with logstash. You can replace a node-logstash node with a logstash one. The data are formatted in the same way to be compatible with logstash UIs.

How does it work?

The architecture is identical to the logstash architecture. You have to instantiate plugins with the node-logstash core. There are three types of modules:

  • input plugins: where data come into node-logstash. Examples: file, zeromq transport layer
  • filter plugins: extract fields from logs, like timestamps. Example: regex plugin
  • output plugins: where data leave node-logstash. Examples: ElasticSearch, zeromq transport layer.

A typical node-logstash deployment contains agents to crawl logs and a log server.

On an agent, node-logstash is configured with input plugins to get logs from your software stack, and one output plugin to send logs to the log server (e.g. zeromq output plugin).

On the log server, logs come in through a zeromq input plugin, are processed (field and timestamp extraction), and are sent to ElasticSearch.

How to get help?

Please open an issue.

Future of this project

October 25th, 2015.

When I started node-logstash, the ecosystem around logstash and ElasticSearch was almost non-existent. In 2015, the situation is not the same:

  • Great ecosystem around ElasticSearch and logstash, FileBeat project
  • Logstash is now the only way to push events to ElasticSearch (deprecation of rivers)

So, what is the future of node-logstash?

  • as a tool to collect logs on files and send them through the network, node-logstash is still useful with lower size, instant start, lower CPU / Memory footprint (in my tests with logstash 1.5.0). The comparison is different with Lumberjack and FileBeat.
  • as log processing tool, it has the same advantages, but the plugin ecosystem is smaller than Logstash.
  • as an injection tool in ElasticSearch: ZeroMQ river will soon be unusable (deprecation of rivers). You have to use bulk api to inject data. It should be less efficient than starting an embedded ElasticSearch node, as in the original Logstash.

Current project status

Node-logstash is production ready and used in production. Installation is a classical node project installation, with some scripts for native packaging.

Maintainers: currently I, @bpaquet, am the only maintainer. I will keep dependencies up to date, update the core to follow node version, but I do not have time to add features to the core. See Contributing below.

Weaknesses :

  • tests are difficult to maintain, even if they are many and the code coverage is good. Replacing vows by mocha is a good way to improve that, but it's a big rework.

Contributing

Which Pull Requests (PR) will be merged?

Add plugin (output, input or filter)

Conditions to have a PR merged :

  • respect jslint
  • provide documentation in /docs
  • do not modify core. Modifications allowed :
    • add a plugin in Readme.md.
    • add optional dependencies in package.json
  • If you provide unit tests, you can write in the plugin documentation that the plugin is a core plugin.
  • If you do not provide unit tests, please indicate in the documentation: "Status: contributed plugin, maintained by @xxxx. Production ready.", and indicate your Github login.

You are encouraged to ask to merge plugins without tests, which are not production ready.

Core modification

Please respect jslint, and provide all needed unit tests.

How to use it?

Installation

Simple way

Use prepackaged deb files.

After install, just add your config files to /etc/node-logstash/plugins.conf.d, and restart node-logstash: service node-logstash restart.

To see what options are passed to node-logstash, see here.

To change log level, do node-logstash config:set LOG_LEVEL=debug, and restart node-logstash.

Manual install

  • Install NodeJS, version >= 0.12
  • Install build tools
    • Debian based system: apt-get install build-essential
    • Centos system: yum install gcc gcc-c++ make
  • Install zmq dev libraries: This is required to build the node zeromq module.
    • Debian based system: apt-get install libzmq1. Under recent releases, this package is present in default repositories. On ubuntu lucid, use this ppa. On debian squeeze, use backports.
    • Centos 6: yum install zeromq zeromq-devel. Before, you have to add the rpm zeromq repo : curl http://download.opensuse.org/repositories/home:/fengshuo:/zeromq/CentOS_CentOS-6/home:fengshuo:zeromq.repo > /etc/yum.repos.d/zeromq.repo
  • Clone repository: git clone git://github.com/bpaquet/node-logstash.git && cd node-logstash
  • Install dependencies: npm install.

The executable is bin/node-logstash-agent

Configuration formats

There are two formats for configuration:

  1. The legacy format uses URLs.
  2. The other one is identical to the logstash config format.

Note: if you are using multiple config files, you can mix formats.

Configuration by URL (legacy)

A plugin is instantiated by an URL. Example: input://file:///tmp/toto.log. This URL instantiates an input file plugin which monitors the file /tmp/toto.log.

The URLs can be specified:

  • directly on the command line
  • in a file (use the --config_file switch)
  • in all files in a directory (use the --config_dir switch)

Configuration by logstash config files (recommended)

Example for an input file

input {
  file {
    path => '/tmp/toto.log'
  }
}

You can use if to make the configuration depend on the event. See here for details. As for URLs, config can be specified:

  • directly on the command line
  • in a file (use the --config_file switch)
  • in all files in a directory (use the --config_dir switch)

Note: the implementation is young, all bug reports are welcome.

Note: both formats can be mixed.

Command line params

  • --log_level to change the log level (emergency, alert, critical, error, warning, notice, info, debug)
  • --log_file to redirect logs to a log file.
  • --patterns_directories to add some directories (separated by , ), for loading config for regex plugin and grok plugins. Grok patterns files must be located under a grok subdirectory for each specified directory.
  • --db_file to specify the file to use as a database for file inputs (see below)
  • --http_max_sockets to specify the max sockets of http.globalAgent.maxSockets. Default to 100.
  • --alarm_file to specify a file which will be created if node-logstash goes in alarm mode (see below).

Examples

Config file for an agent:

input {
  file {
    path => "/var/log/nginx/access.log"
  }
}

output {
  zeromq {
    address => ["tcp://log_server:5555"]
  }
}

Config file for log server:

input {
  zeromq {
    address => ["tcp://0.0.0.0:5555"]
  }
}

filter {
  regex {
    pattern => http_combined
  }
}

output {
  elasticsearch {
    host => localhost
    port => 9200
  }
}

Adding your plugins

You can easily add your plugins:

Manually :

  • create a directory layout on the path of your choice : /var/my_plugins/inputs, /var/my_plugins/outputs, /var/my_plugins/filters
  • set the NODE_PATH variable to NODE_PATH=/var/my_plugins:/node_logstash_path/lib
  • add your plugins in inputs, outputs or filters directory. In the plugin code, you can reference base plugins with var base_filter = require('lib/base_filter');
  • reference your plugin as usual.

With native packaging

The plugins must be deployed in /var/db/node-logstash/custom_plugins. All subdirectories already exist. The NODE_PATH is already set.

Signals

  • USR1: stops or starts all input plugins. Can be used to close inputs when output targets are failing
  • USR2: see below file output plugin

Changelog

Plugins list

Input plugins

Common concepts / parameters :

Filter plugins

Common concepts / parameters :

Outputs

Common concepts / parameters :

Misc

License

Copyright 2012 - 2014 Bertrand Paquet

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

node-logstash's People

Contributors

bpaquet, charlesfeng, elpicador, jasonrm, jeromew, jongretar, kostaatsk, lmangani, mahnunchik, mrbubbls, nodelogstashpackager, perrinood, raniazy, saqib-ahmed, subutux

node-logstash's Issues

Can't figure out how to use node-logstash

The example seems simple enough, however I can't seem to get it to read from the nginx log file.

I spun up a vagrant install and created this simple config test.conf:

input://file:///var/log/nginx/access.log?start_index=0&use_tail=1 
output://file:///vagrant/node-logstash/output.log 

Then I ran the bin:

root@vagrant-ubuntu-trusty-64:/vagrant/node-logstash/node-logstash# bin/node-logstash-agent -f /vagrant/node-logstash/test.conf 

While I see node-logstash running and waiting, the file is never created.

[Fri, 02 Jan 2015 19:09:58 GMT] NOTICE Starting node-logstasth-agent 0.0.3 
[Fri, 02 Jan 2015 19:09:58 GMT] INFO Max http socket 100 
[Fri, 02 Jan 2015 19:09:58 GMT] INFO Loading config : 3 urls 
[Fri, 02 Jan 2015 19:09:58 GMT] INFO Initializing filter AddHost 
[Fri, 02 Jan 2015 19:09:58 GMT] INFO Initializing filter AddTimestamp 
[Fri, 02 Jan 2015 19:09:58 GMT] INFO Initializing filter AddVersion 
[Fri, 02 Jan 2015 19:09:58 GMT] INFO Config loaded. 

^C[Fri, 02 Jan 2015 19:11:39 GMT] INFO SIGINT received. 
[Fri, 02 Jan 2015 19:11:39 GMT] INFO Closing agent 
[Fri, 02 Jan 2015 19:11:39 GMT] INFO Quitting. 

Installation problems

Could somebody help me work out what I'm missing to get my install working please?
I'm running Ubuntu 12.04, Node v0.10.9 and NPM 1.1.69. When I run npm install I get the following errors in my npm-debug.log.

....
172 info install [email protected] into /home/chris/Node/logstash
173 info install [email protected] into /home/chris/Node/logstash
174 info install [email protected] into /home/chris/Node/logstash
175 info install [email protected] into /home/chris/Node/logstash
176 info installOne [email protected]
177 error TypeError: Arguments to path.resolve must be strings
177 error at Object.exports.resolve (path.js:313:15)
177 error at Object.exports.relative (path.js:370:20)
177 error at installOne_ (/home/chris/local/lib/node_modules/npm/lib/install.js:693:26)
177 error at installOne (/home/chris/local/lib/node_modules/npm/lib/install.js:621:3)
177 error at /home/chris/local/lib/node_modules/npm/lib/install.js:508:9
177 error at /home/chris/local/lib/node_modules/npm/node_modules/slide/lib/async-map.js:54:35
177 error at Array.forEach (native)
177 error at /home/chris/local/lib/node_modules/npm/node_modules/slide/lib/async-map.js:54:11
177 error at Array.forEach (native)
177 error at asyncMap (/home/chris/local/lib/node_modules/npm/node_modules/slide/lib/async-map.js:53:8)
178 error If you need help, you may report this log at:
178 error http://github.com/isaacs/npm/issues
178 error or email it to:
178 error [email protected]
179 error System Linux 3.2.0-45-generic
180 error command "node" "/home/chris/local/bin/npm" "install"
181 error cwd /home/chris/Node/logstash/bin
182 error node -v v0.10.9
183 error npm -v 1.1.69
184 verbose exit [ 1, true ]

Thanks very much

Huge memory consumption

I've node-logstash running watching only two files and outputting the data to Elasticsearch but it eats nearly 1GB RAM?

See:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     16547  0.0  2.4 969704 24644 ?        Sl   15:03   0:00 node bin/node-logstash-agent --config_dir=/etc/logstash

sample mapping

would it be relevant for you to include a suggested elasticsearch mapping? it would save some footwork.

thanks!

tcp input socket holds on to process

When trying to restart the process to update the config I try and CTRL-C the process or even kill PID the process and it doesn't end because the sockets are still open. I eventually have to kill -9 PID which terminates the process.

Can a config reload option be available so that it does not require a process restart?

or somehow force the sockets to close when quitting?

"Cannot call method 'match' of null" when using file input

Obviously file input can be null instead of a string. This appears to happen when a process starts writing to it. I am using the current state of the master branch.

Wed, 23 Apr 2014 14:21:06 GMT] ERROR TypeError: Cannot call method 'match' of null
    at Filter.filter (/path/node-logstash/lib/lib/file_filter.js:9:19)
    at InputFile.monitorFile (/path/node-logstash/lib/inputs/input_file.js:29:54)
    at InputFile.<anonymous> (/path/node-logstash/lib/inputs/input_file.js:97:12)
    at FSWatcher.EventEmitter.emit (events.js:117:20)

Elasticsearch output index name

Assuming an Elasticsearch system provides already an Alias and manages the time based index behind, the mechanism to specify index_prefix and generating date suffix might cause errors (and it did as time based index exists already or might change every hour instead of every day ...).

I made a local patch to specify "index" as parameter and then it doesn't use index_prefix + date. Then node-logstash is using just the index name (alias in that case) and everything works fine.

Shall I make a pull request or would you like to provide it? My quick solution was to adapt output_elasticsearch.js instead of elastic_search_helper.js (which might be more beautiful, but I could not find out how to access config object there or would need to pass it).

Please separate emitted logs with a newline to work around logstash bug

I run node-logstash with the following parameters:
$ ./node-logstash-agent input://file:///tmp/foo.log output://tcp://host.example.com:5001

On the receiving side, logstash (not node-logstash) configured with "tcp" input cannot parse that content. The reason is that currently logstash can only parse newline-separated logs, because of the JSON-parsing library it uses (no Ruby library is capable of parsing JSON as a stream).

Here is a sample of what node-logstash sends over:

 {"message":"xxx","host":"hostA","@timestamp":"2013-12-19T00:09:03.995Z","@version":"1"}{"message":"yyy","path":"/tmp/logbench/1.log","host":"hostA","@timestamp":"2013-12-19T00:09:03.995Z","@version":"1"}{"message":"zzz", ... }

Strictly speaking, this is a logstash bug. However, it's not likely to be fixed soon, so in the meantime it would be nice to work around it by inserting a newline between traces, which doesn't introduce any problem anyway since it's JSON.
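The framing problem described in the issue above, as an added example that is not part of the original post or of node-logstash: a sender that writes one JSON document per line, a line-oriented receiver that fails on back-to-back objects, and a receiver that accepts both framings across chunk boundaries. The function names, the MAX_PENDING limit and the sample chunks are constructed for illustration.

```javascript
// Added example: framing JSON events on a byte stream. Function names are
// hypothetical; this is not node-logstash or logstash code.

// Cap on the buffered tail of an unfinished event, so a peer that never
// closes an object cannot grow the buffer without bound (assumed value).
const MAX_PENDING = 1024 * 1024;

// Sender side: one JSON document per line. JSON.stringify escapes newlines
// inside string values, so a raw "\n" can only be the record separator.
function frameEvent(event) {
  return JSON.stringify(event) + '\n';
}

// Line-oriented receiver: split on "\n" and parse each line on its own.
function parseLines(buffer) {
  const events = [];
  let failed = 0;
  for (const line of buffer.split('\n')) {
    if (line.trim() === '') continue;
    try {
      events.push(JSON.parse(line));
    } catch (err) {
      failed++; // several objects glued together on one line end up here
    }
  }
  return { events, failed };
}

// Tolerant receiver: find top-level {...} objects by tracking brace depth
// and string state, so "}{" inside a string value is not a boundary.
// Returns parsed events plus the unfinished tail to prepend to the next chunk.
function splitJsonStream(buffer) {
  const events = [];
  let failed = 0;
  let depth = 0, inString = false, escaped = false, start = -1;
  for (let i = 0; i < buffer.length; i++) {
    const c = buffer[i];
    if (inString) {
      if (escaped) escaped = false;
      else if (c === '\\') escaped = true;
      else if (c === '"') inString = false;
    } else if (c === '"' && depth > 0) {
      inString = true;
    } else if (c === '{') {
      if (depth === 0) start = i;
      depth++;
    } else if (c === '}' && depth > 0) {
      depth--;
      if (depth === 0) {
        try {
          events.push(JSON.parse(buffer.slice(start, i + 1)));
        } catch (err) {
          failed++;
        }
        start = -1;
      }
    }
  }
  const rest = start === -1 ? '' : buffer.slice(start);
  if (rest.length > MAX_PENDING) {
    throw new Error('pending event exceeds MAX_PENDING');
  }
  return { events, failed, rest };
}

// Constructed sample: three events sent without separators, the second with
// braces and quotes inside a string, the third cut by a chunk boundary.
const CHUNK_1 = '{"message":"xxx","host":"hostA","@version":"1"}' +
  '{"message":"a}{b \\"q\\"","host":"hostA","@version":"1"}' +
  '{"mess';
const CHUNK_2 = 'age":"zzz","host":"hostA","@version":"1"}';

function demo() {
  const first = splitJsonStream(CHUNK_1);
  const second = splitJsonStream(first.rest + CHUNK_2);
  const tolerant = first.events.concat(second.events);
  return {
    lineOriented: parseLines(CHUNK_1 + CHUNK_2), // fails: one unparsable line
    tolerant: tolerant,                          // recovers all three events
    reframed: tolerant.map(frameEvent).join(''), // newline-delimited output
  };
}
```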

Configuration files are in WTF format

While I do see the beauty of

input://file:///var/log/nginx/access.log

or

output://zeromq://tcp://192.168.1.1:5555

and

output://zeromq://tcp://192.168.1.1:5555

Is there a reason for not using JSON:

{
  "input": {
    "file": ["/var/log/nginx/access.log", "/var/log/tamere.log"],
    "zeromq": "tcp://192.168.1.1:5555"
  },
  "output": {
    "file": "/var/log/tok/tbath.log"     
  },
  "filters": {}
}

Back pressure fails

When testing back pressure I get the following errors in node-logstash logs:

[Mon, 10 Feb 2014 16:15:54 GMT] WARNING Zmq socket in alarm tcp://192.168.56.231:5556 current queue size 1001
[Mon, 10 Feb 2014 16:15:54 GMT] WARNING Alarm on for module tcp://192.168.56.231:5556 number of alarms 1
[Mon, 10 Feb 2014 16:15:54 GMT] WARNING Alarm, closing inputs plugins
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing input file /var/log/haproxy/haproxy_1.log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Remove watcher on dir /var/log/haproxy
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing monitoring for /var/log/haproxy/haproxy_1.log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Remove watcher on dir /var/log/haproxy
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Removing empty listener on /var/log/haproxy
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing file 23
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing input file /opt/logstash/shared/log/logstash.log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Remove watcher on dir /opt/logstash/shared/log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing monitoring for /opt/logstash/shared/log/logstash.log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Remove watcher on dir /opt/logstash/shared/log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Removing empty listener on /opt/logstash/shared/log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing file 24
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing input file /var/log/mongodb/mongodb.log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Remove watcher on dir /var/log/mongodb
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing monitoring for /var/log/mongodb/mongodb.log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Remove watcher on dir /var/log/mongodb
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Removing empty listener on /var/log/mongodb
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing file 25
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing input file /var/log/nginx/access.log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Remove watcher on dir /var/log/nginx
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing monitoring for /var/log/nginx/access.log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Remove watcher on dir /var/log/nginx
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing file 26
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing input file /var/log/nginx/error.log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Remove watcher on dir /var/log/nginx
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing monitoring for /var/log/nginx/error.log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Remove watcher on dir /var/log/nginx
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing file 27
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing input file /var/log/nginx/access_put.log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Remove watcher on dir /var/log/nginx
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing monitoring for /var/log/nginx/access_put.log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Remove watcher on dir /var/log/nginx
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Removing empty listener on /var/log/nginx
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing file 28
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing input file /var/log/zookeeper/zookeeper.log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Remove watcher on dir /var/log/zookeeper
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing monitoring for /var/log/zookeeper/zookeeper.log
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Remove watcher on dir /var/log/zookeeper
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Removing empty listener on /var/log/zookeeper
[Mon, 10 Feb 2014 16:15:54 GMT] INFO Closing file 29
[Mon, 10 Feb 2014 16:15:54 GMT] INFO All plugins closed
[Mon, 10 Feb 2014 16:15:54 GMT] ERROR Error reading file 26 : { [Error: EBADF, read] errno: 9, code: 'EBADF' }
[Mon, 10 Feb 2014 16:15:54 GMT] ERROR Error reading file 23 : { [Error: EBADF, read] errno: 9, code: 'EBADF' }

And after Logstash server is available again, node-logstash does not restart listening for file changes.

Redis authentication via password

It would be cool if one could specify a password for redis auth. It's just an auth <password> command to be sent at the beginning of the connection.

File notifications from Java on Windows

I have a weird problem (with a workaround hack, see below) at my client. Changes that the logging system on JBoss make to my log files are not caught by the fs.watch(dir) function, hence I get no input in node-logstash. I get the feeling this could be Java file writing that bypasses the Windows stuff that sends events via ReadDirectoryChangesW, but I have no backing for this (Google wasn't my friend today...).

So, I hacked a bit in directory_watcher.js and added an fs.watchFile(...) on each of the files in dir, and every 5 sec (configurable polling interval on watchFile) I get an event. Interestingly, this triggers the fs.watch(...) functionality, so I don't need to do anything in the fs.watchFile(...) handler function.

Has anyone seen anything like this? Any better workarounds?

[usage] send value to statsd

I have one scenario that I don't know how to achieve.

From nginx log, I would like to increment the metrics with the key 404 in statsd for all the lines containing the status 404.

So,
I tried that :

output://statsd://localhost:8125?type=nginx&metric_type=increment&metric_key=404

but I don't know where I can say : only if status=404.
I think that I have to create a filter with the regex status=404.

But I don't know how I can say that the output is only for the request matching the previous filter. Should I use the type parameter for that?

Logstash schema change coming soon

Howdy!

Just wanted to let you know that the logstash 'json event schema' is going to change (for the better, I hope!) in a few weeks/months

The specific details of this are discussed here: https://logstash.jira.com/browse/LOGSTASH-675

I intend to support the old schema for some time, but use the new one as the default (eventually). If you have specific concerns, I would love to hear them, but otherwise this is just an informational notice :)

Thanks for helping make the logstash ecosystem better!

split filter using a newline delimiter

Tried to use a \n as a delimiter like this

filter://split://?delimiter=\n

the split filter didn't like that when getting indexOf(this.delimiter), if I change it to indexOf('\n') the newline split works correctly

multi-agent logstash

Hello,
I am trying to understand how to use node-logstash correctly.

Imagine that you have several log streams on a box that you want to stream separately (nginx, apache,..).

do you need to launch one logstash agent per [input,filter,output] stream or is there a way to have an agent monitor and output several streams at the same time ?

Thanks
Jerome

Windows - Cannot find module '.\filters\filter_add_host'

Howdy,

Preface... yes I know - it's windows! But this is a great module for shipping logs and I'd hate to see Windows not get some of the love.

So the issue is that once installed, when firing up bin\node-logstash-agent I get the following output.

C:\ProgramData\node-logstash>node bin\node-logstash-agent
[Mon, 07 Apr 2014 22:48:42 GMT] NOTICE Starting node-logstasth-agent 0.0.3
[Mon, 07 Apr 2014 22:48:42 GMT] INFO Max http socket 100
[Mon, 07 Apr 2014 22:48:42 GMT] INFO Loading config : 3 urls
[Mon, 07 Apr 2014 22:48:42 GMT] ERROR Unable to load urls from command line
[Mon, 07 Apr 2014 22:48:42 GMT] ERROR Error: Cannot find module '.\filters\filter_add_host'
at Function.Module._resolveFilename (module.js:338:15)
at Function.Module._load (module.js:280:25)
at Module.require (module.js:364:17)
at require (module.js:380:17)
at LogstashAgent.configure (C:\ProgramData\node-logstash\lib\agent.js:123:18)
at LogstashAgent.start_modules (C:\ProgramData\node-logstash\lib\agent.js:197:8)
at LogstashAgent.start_filters (C:\ProgramData\node-logstash\lib\agent.js:241:8)
at LogstashAgent. (C:\ProgramData\node-logstash\lib\agent.js:183:10)
at LogstashAgent.start_modules (C:\ProgramData\node-logstash\lib\agent.js:194:12)
at LogstashAgent.start_outputs (C:\ProgramData\node-logstash\lib\agent.js:256:8)

If I hack around with line 123 in agent.js....

var module = require('.' + path.sep + path.join(directory, module_name)).create();

I can solve the issue. I'm not a node expert, but is there a way of configuring the agent to be able to pass through the path for the require on this line?

Happy to provide a patch with some guidance.

Error: Error while initializing module regex

Hi,

I get the following error when I start up node-logstash for parsing apache logs

./bin/node-logstash-agent --log_level=debug --config_file=server.conf

[Wed, 19 Dec 2012 16:11:12 GMT] INFO Changing log_level debug
[Wed, 19 Dec 2012 16:11:12 GMT] NOTICE Starting node-logstasth-agent 0.0.1
[Wed, 19 Dec 2012 16:11:12 GMT] INFO Max http socket 100
[Wed, 19 Dec 2012 16:11:12 GMT] INFO Loading config file : server.conf
[Wed, 19 Dec 2012 16:11:12 GMT] INFO File loaded, 3 urls found
[Wed, 19 Dec 2012 16:11:12 GMT] INFO Loading config : 5 urls
[Wed, 19 Dec 2012 16:11:12 GMT] DEBUG Processing url filter://add_source_host://
[Wed, 19 Dec 2012 16:11:12 GMT] INFO Initializing filter AddSourceHost
[Wed, 19 Dec 2012 16:11:12 GMT] DEBUG Processing url filter://add_timestamp://
[Wed, 19 Dec 2012 16:11:12 GMT] INFO Initializing filter AddTimestamp
[Wed, 19 Dec 2012 16:11:12 GMT] DEBUG Processing url input://zeromq://tcp://0.0.0.0:5555
[Wed, 19 Dec 2012 16:11:12 GMT] INFO Initializing input Tcp
[Wed, 19 Dec 2012 16:11:12 GMT] INFO Start listening on zeromq tcp:///0.0.0.0:5555
[Wed, 19 Dec 2012 16:11:12 GMT] INFO Zeromq ready on tcp:///0.0.0.0:5555
[Wed, 19 Dec 2012 16:11:12 GMT] DEBUG Processing url filter://regex://?load_config=http_combined
[Wed, 19 Dec 2012 16:11:12 GMT] INFO Initializing filter Regex
[Wed, 19 Dec 2012 16:11:12 GMT] ERROR Unable to load urls : Error: Error while initializing module regex : TypeError: Cannot call method 'split' of undefined

server.conf

input://zeromq://tcp://0.0.0.0:5555
filter://regex://?load_config=http_combined
output://elasticsearch://ipaddr:9200

Any clues if I am missing something?

Regards,
Kevin

OUTPUT TCP can not re-link

I found a serious BUG, my server is LOGSTASH1.4.2 node-logstash do clients to send logs custom logs file, when restart the logstash server, the tcp connection will be lost
[Tue, 05 Aug 2014 15:19:27 GMT] NOTICE Starting node-logstasth-agent 0.0.3
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Max http socket 100
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Loading config files from : ./config/
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Files loaded from directory, 2 urls found
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Loading config : 5 urls
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Initializing output Tcp
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Start output to tcp 61.174.8.3:514
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Initializing filter AddHost
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Initializing filter AddTimestamp
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Initializing filter AddVersion
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Initializing input File
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Start input on file /home/wwwlogs/access.log
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Parent directory exists /home/wwwlogs for reading /home/wwwlogs/access.log
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Config loaded.
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Start input file /home/wwwlogs/access.log
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Starting monitoring /home/wwwlogs/access.log
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Watching dir /home/wwwlogs for file access.log
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Create watcher for dir /home/wwwlogs
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Add watcher on dir /home/wwwlogs listeners 1
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Add watcher on dir /home/wwwlogs listeners 2
[Tue, 05 Aug 2014 15:19:27 GMT] INFO Start reading /home/wwwlogs/access.log at end fd 11
[Tue, 05 Aug 2014 15:22:18 GMT] ERROR [output_tcp] output tcp to 61.174.8.3:514 start failing: Error: connect ECONNREFUSED

And do not automatically go to reconnect, only to restart.

myconfig:

input://file:///home/wwwlogs/access.log
output://tcp://192.168.8.100:514

regexp for log combined

Hello,

I have been receiving forged requests on my nginx server. The log line is along the line of :

202.53.8.82 - - [13/May/2014:18:43:45 +0000] "" 400 0 "-" "-"

As you can see, the $request is empty with "" instead of "METHOD .."

It seems that node-logstash takes the line into consideration as being an event, but does not parse the data (the IP is not extracted for example).

would you accept a PR in log_combined and vhost_log_combined replacing

"([^"]+)" by "([^"]*)"

thus accepting to extract data from the log line even when the $request is empty ?

Thanks
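The effect of the pattern change proposed in the issue above, as an added example that is not node-logstash code: with the strict request group the empty-request line yields no fields at all, so its client IP and status never reach the index, while the lenient group extracts them and lets such requests be counted per client. Only the two request groups and the first log line come from the post; the rest of the combined-format regex, the function names and the other sample lines are constructed.

```javascript
// Added example: strict vs lenient request group in a "combined" log regex.
// The surrounding pattern is an assumption written for this example; only
// the two request groups are taken from the issue.
function buildCombined(requestGroup) {
  return new RegExp(
    '^(\\S+) \\S+ (\\S+) \\[([^\\]]+)\\] ' + requestGroup +
    ' (\\d{3}) (\\d+|-) "([^"]*)" "([^"]*)"$'
  );
}

const STRICT = buildCombined('"([^"]+)"');  // group currently in use per the post
const LENIENT = buildCombined('"([^"]*)"'); // group proposed in the post

// Returns the extracted fields, or null when the line does not match.
function extract(line, re) {
  const m = re.exec(line);
  if (m === null) return null;
  const parts = m[4].split(' ');
  return {
    ip: m[1],
    user: m[2],
    timestamp: m[3],
    request: m[4],
    method: parts[0] || null, // null when the request line is empty
    url: parts[1] || null,
    status: Number(m[5]),
    bytes: m[6] === '-' ? 0 : Number(m[6]),
    referer: m[7],
    user_agent: m[8],
  };
}

// Parse a batch, keep unparsed lines visible, and count empty-request
// events per client IP so they can be alerted on.
function triage(lines, re) {
  const out = { parsed: [], unparsed: [], emptyRequestsByIp: new Map() };
  for (const line of lines) {
    const ev = extract(line, re);
    if (ev === null) {
      out.unparsed.push(line);
      continue;
    }
    out.parsed.push(ev);
    if (ev.request === '') {
      const n = out.emptyRequestsByIp.get(ev.ip) || 0;
      out.emptyRequestsByIp.set(ev.ip, n + 1);
    }
  }
  return out;
}

const SAMPLE = [
  // Line quoted in the issue.
  '202.53.8.82 - - [13/May/2014:18:43:45 +0000] "" 400 0 "-" "-"',
  // Constructed lines (documentation address range for the normal client).
  '192.0.2.10 - - [13/May/2014:18:43:46 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.35.0"',
  '202.53.8.82 - - [13/May/2014:18:43:47 +0000] "" 400 0 "-" "-"',
];

function compare() {
  return { strict: triage(SAMPLE, STRICT), lenient: triage(SAMPLE, LENIENT) };
}
```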

Not reading json

Am I doing this wrong maybe?

input://file:///data/logs/search.log
output://elasticsearch://localhost:9200

search.log

{"client":"127.0.0.1","level":"info","message":"my message","timestamp":"2014-11-01T11:37:43.930Z"}

This results in the json landing escaped in the message column in ES.

If I add the following config:

input://file:///data/logs/search.log
filter://json_fields://
output://elasticsearch://localhost:9200

It disappears and none of the variables are read apart from message. I take it that it is due to the message:"my message" however, shouldn't the other properties appear anyways?

redis channels stopped working

Something in the recent commits seems to have introduced a problem with redis channel support. No more messages are forwarded anymore.

The offending commit appears to be d852c84.

EDIT: Specifying a method is now mandatory it seems. Wouldn't it make sense to have some other name than channel for lists? Something like key maybe?

node logstash doesn't install on Centos6.

Hi.

I am trying to setup node-logstash on centos6 and have installed node v0.8.15

I get the following error during setup:

npm http GET https://registry.npmjs.org/wordwrap
make: Entering directory `/root/node_modules/node-logstash/node_modules/zmq/build'
CXX(target) Release/obj.target/binding/binding.o
../binding.cc: In static member function ‘static v8::Handle<v8::Value> zmq::Socket::GetSockOpt(const v8::Arguments&)’:
../binding.cc:395: error: ‘ZMQ_HWM’ was not declared in this scope
../binding.cc:401: error: ‘ZMQ_SWAP’ was not declared in this scope
../binding.cc:404: error: ‘ZMQ_MCAST_LOOP’ was not declared in this scope
../binding.cc: In static member function ‘static v8::Handle<v8::Value> zmq::Socket::SetSockOpt(const v8::Arguments&)’:
../binding.cc:438: error: ‘ZMQ_HWM’ was not declared in this scope
../binding.cc:443: error: ‘ZMQ_SWAP’ was not declared in this scope
../binding.cc:446: error: ‘ZMQ_MCAST_LOOP’ was not declared in this scope
/usr/local/include/zmq.h: In static member function ‘static v8::Handle<v8::Value> zmq::Socket::Recv(const v8::Arguments&)’:
/usr/local/include/zmq.h:350: error: too few arguments to function ‘int zmq_recv(void*, void*, size_t, int)’
../binding.cc:661: error: at this point in file
/usr/local/include/zmq.h: In static member function ‘static v8::Handle<v8::Value> zmq::Socket::Send(const v8::Arguments&)’:
/usr/local/include/zmq.h:349: error: too few arguments to function ‘int zmq_send(void*, const void*, size_t, int)’
../binding.cc:774: error: at this point in file
../binding.cc: In function ‘void zmq::Initialize(v8::Handle<v8::Object>)’:
../binding.cc:844: error: ‘ZMQ_HWM’ was not declared in this scope
../binding.cc:845: error: ‘ZMQ_SWAP’ was not declared in this scope
../binding.cc:852: error: ‘ZMQ_MCAST_LOOP’ was not declared in this scope
make: *** [Release/obj.target/binding/binding.o] Error 1
make: Leaving directory `/root/node_modules/node-logstash/node_modules/zmq/build'
gyp ERR! build error
gyp ERR! stack Error: make failed with exit code: 2
gyp ERR! stack at ChildProcess.onExit (/usr/local/lib/node_modules/npm/node_modules/node-gyp/lib/build.js:236:23)
gyp ERR! stack at ChildProcess.EventEmitter.emit (events.js:99:17)
gyp ERR! stack at Process._handle.onexit (child_process.js:678:10)
gyp ERR! System Linux 2.6.32-220.4.2.el6.alouche.0.xen.domu.x86_64
gyp ERR! command "node" "/usr/local/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /root/node_modules/node-logstash/node_modules/zmq
gyp ERR! node -v v0.8.15
gyp ERR! node-gyp -v v0.7.1
gyp ERR! not ok
npm ERR! [email protected] install: node-gyp rebuild
npm ERR! sh "-c" "node-gyp rebuild" failed with 1
npm ERR!
npm ERR! Failed at the [email protected] install script.
npm ERR! This is most likely a problem with the zmq package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR! node-gyp rebuild
npm ERR! You can get their info via:
npm ERR! npm owner ls zmq
npm ERR! There is likely additional logging output above.

npm ERR! System Linux 2.6.32-220.4.2.el6.xen.domu.x86_64
npm ERR! command "/usr/local/bin/node" "/usr/local/bin/npm" "install" "node-logstash"
npm ERR! cwd /root
npm ERR! node -v v0.8.15
npm ERR! npm -v 1.1.66
npm ERR! code ELIFECYCLE
npm http 304 https://registry.npmjs.org/wordwrap
npm ERR!
npm ERR! Additional logging details can be found in:
npm ERR! /root/npm-debug.log
npm ERR! not ok code 0

I have done the following on my machine

compiled zeromq-3.2.2.tar.gz
./configure; make ; make install and found all the libs under /usr/local/lib

Followed the steps on http://www.linuxinstruction.com/?q=node/12

npm install [email protected] install
npm http GET https://registry.npmjs.org/zmq/2.2.0
npm http 304 https://registry.npmjs.org/zmq/2.2.0

[email protected] install /usr/local/lib/node_modules/zmq
node-gyp rebuild

make: Entering directory `/usr/local/lib/node_modules/zmq/build'
  CXX(target) Release/obj.target/binding/binding.o
  SOLINK_MODULE(target) Release/obj.target/binding.node
  SOLINK_MODULE(target) Release/obj.target/binding.node: Finished
  COPY Release/binding.node
make: Leaving directory `/usr/local/lib/node_modules/zmq/build'
[email protected] node_modules/zmq

npm install [email protected] install

Fails to build with the error message above.

I don't know if it's related to the zmq version.

Could you help me point out if I am missing anything?

Regards,
Kevin

How to provide user name and password to rabbitmq when using AMQP output

What is the parameter for providing a user name and password to rabbitmq when using the AMQP output?

I tried the following format:
output://amqp://username:password@hostname:1111

but I am getting the following error:
ERROR Error: Unable to extract port from output://amqp://username:password@hostname:1111

I guess it is caused by the ':' sign. Is that the proper way to provide a username and if so how to make the escaping work?
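The URL form from the report above can be split with the WHATWG `URL` parser, which separates the userinfo before it looks for `host:port`. This is an added example, not node-logstash's own parser; the function names and the handling of the `output://` prefix are assumptions. It also masks the password before the URL reaches an error message, since the error quoted above echoes the credentials.

```javascript
// Added example: split a plugin URL such as the one in the report into
// host, port and credentials. PLUGIN_PREFIX handling and the function
// names are assumptions, not node-logstash's own parser.
const PLUGIN_PREFIX = /^(input|filter|output):\/\//;

function parseTarget(configLine) {
  const inner = configLine.replace(PLUGIN_PREFIX, '');
  const u = new URL(inner); // userinfo is split off before host:port
  return {
    scheme: u.protocol.replace(/:$/, ''),
    host: u.hostname,
    port: u.port === '' ? null : Number(u.port),
    // Userinfo comes back percent-encoded; decode it for the AMQP client.
    username: decodeURIComponent(u.username),
    password: decodeURIComponent(u.password),
  };
}

// Same URL with the password masked, for error messages and logs.
function redactTarget(configLine) {
  const prefix = (configLine.match(PLUGIN_PREFIX) || [''])[0];
  const u = new URL(configLine.replace(PLUGIN_PREFIX, ''));
  const userinfo = u.username ? `${u.username}${u.password ? ':***' : ''}@` : '';
  return `${prefix}${u.protocol}//${userinfo}${u.host}${u.pathname}${u.search}`;
}

// Constructed contrast: splitting the authority on ':' breaks on "user:pass@".
function naiveHostPort(authority) {
  const parts = authority.split(':');
  if (parts.length !== 2) throw new Error('Unable to extract port');
  return { host: parts[0], port: Number(parts[1]) };
}
```

A password containing `:` or `@` should be percent-encoded in the config line (`%3A`, `%40`); `parseTarget` decodes it again.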

Feature request: please support wildcards in 'file' input

Hello,

Thanks for node-logstash, it's great that it's able to be so efficient and lightweight at the same time.

One really nice feature would be to watch files based on shell-style wildcards, such as "/var/log/*.log" or "/var/log/*/foo???_*.log".

Do you think it would be feasible?

filter: reverse_dns

I want to use the reverse_dns filter to detect if a given googlebot hit on nginx really comes from a Googlebot IP.

Currently, reverse_dns reverses the hardcoded "host" field.

Would you accept a PR where the "host_field" would be configurable? Is "host_field" a correct name for that, or do you want to stay close to what logstash is doing: http://logstash.net/docs/1.3.1/filters/dns , and call it "field_with_address"?
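For the crawler check described in this request, a reverse lookup alone is not enough, because the PTR record is set by whoever owns the address block; the name also has to resolve forward to the same IP. The following is an added example, not node-logstash code: `verifyCrawlerIp`, the suffix allow-list and the stub resolver with its documentation-range addresses are all assumptions made for illustration.

```javascript
// Added example: forward-confirmed reverse DNS (FCrDNS) for a claimed crawler IP.
// `resolver` needs reverse(ip) and resolve4(host), both returning promises of
// string arrays; in Node.js, require('dns').promises has that shape.
// IPv4 only: IPv6 would need address normalisation before the comparison.
const CRAWLER_SUFFIXES = ['.googlebot.com', '.google.com']; // assumed allow-list

async function verifyCrawlerIp(ip, resolver, suffixes = CRAWLER_SUFFIXES) {
  let names;
  try {
    names = await resolver.reverse(ip); // PTR lookup
  } catch (err) {
    return { verified: false, reason: 'no PTR record' };
  }
  for (const raw of names) {
    const name = raw.toLowerCase().replace(/\.$/, '');
    // Match the suffix with its leading dot so "notgooglebot.com" fails.
    if (!suffixes.some((s) => name.endsWith(s))) continue;
    // Whoever controls the IP block controls its PTR record, so the name is
    // trusted only if it resolves forward to the same address.
    let addrs = [];
    try {
      addrs = await resolver.resolve4(name);
    } catch (err) {
      continue;
    }
    if (addrs.includes(ip)) return { verified: true, host: name };
  }
  return { verified: false, reason: 'no forward-confirmed crawler name' };
}

// Constructed stub resolver (documentation address ranges) so this runs offline.
const stubResolver = {
  ptr: {
    '192.0.2.10': ['crawl-192-0-2-10.googlebot.com'],
    '198.51.100.7': ['crawl-1.googlebot.com'], // PTR set by the IP owner
    '203.0.113.5': ['host.googlebot.com.example.net'],
  },
  a: {
    'crawl-192-0-2-10.googlebot.com': ['192.0.2.10'],
    'crawl-1.googlebot.com': ['192.0.2.99'],
  },
  async reverse(ip) {
    if (!this.ptr[ip]) throw new Error('ENOTFOUND ' + ip);
    return this.ptr[ip];
  },
  async resolve4(host) {
    if (!this.a[host]) throw new Error('ENOTFOUND ' + host);
    return this.a[host];
  },
};
```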

Add back-pressure mechanism

When an output cannot handle the throughput of events (or is not available) sent by node-logstash, node-logstash should stop flooding all outputs (See "Fault Tolerance" in http://logstash.net/docs/1.2.1/life-of-an-event).

Currently, if the server is not available, the collectors continue to read log files and keep consuming more memory until node-logstash is killed by the kernel.
The second bad consequence is when the server is available again, it is flooded by all collectors and a lot of events are lost.

ZeroMQ Unable to parse data

Hi,

Perhaps I'm doing something wrong but I can't find out what.

I'm trying out a simple setup with two vagrant servers running Ubuntu 12.04.
One is an Apache2 webserver with node-logstash that should send the access log entries to the other server running node-logstash, Elasticsearch and Kibana.

I can send the entries to the logging server but somehow ZeroMQ cannot parse the data. This is the message I get for every line in the access log:

ERROR [input_zeromq] Unable to parse data {"@message":"192.168.33.1 - - [23/Jul/2013:10:41:26 -0300] \"GET /favicon.ico HTTP/1.1\" 404 503 \"-\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/28.0.1500.52 Chrome/28.0.1500.52 Safari/537.36\"","@source":"/var/log/apache2/access.log","@source_host":"vagrant-ubuntu","@timestamp":"2013-07-23T13:56:18.752Z"}

On my 'client' (Apache2 server) I'm running node-logstash with this config file:

input://file:///var/log/apache2/access.log?start_index=0
output://zeromq://tcp://192.168.33.11:5555

And on my 'logserver' I'm running node-logstash with this config file:

input://zeromq://tcp://192.168.33.11:5555
filter://regex://http_combined
output://elasticsearch://localhost:9200

I also tried different combinations with the unserializer/serializer parameters on both the client and the logserver, but nothing helped. Removing the filter also does not help.

So my question is, am I doing something wrong here? Or did I find a bug or something?

node-logstash as a log shipper

Right now I have a setup using beaver log shipper --> rabbitmq --> logstash --> elasticsearch
On a log-intensive server I notice that beaver is using too much CPU power (20-30%).

I am looking for a lightweight log shipper for logstash and tried using logstash-forwarder, but it has a different issue that causes problems with log rotation.

Is it a good idea to try and use node-logstash as a shipper? If so, is there a chance to add an output to rabbitmq?

[stability] Logstash agent doesn't treat the data for the last 3 days

For the last 3 days, the logstash agent hasn't watched the log file:

See below:

cat /opt/logstash/shared/files.json
{
   "/opt/logstash/shared/log/logstash.log":{
      "index":0
   },
   "/var/log/nginx/access.log":{
      "last_data":"86.35.242.58 - - [23/Oct/2012:20:51:05 +0000] \"GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1\" 400 172 \"-\" \"-\"\n",
      "index":33855
   },
   "/var/log/nginx/error.log":{
      "index":0
   },
   "/***api.log":{
      "last_data":"[Tue, 23 Oct 2012 16:16:11 GMT] INFO [memcached] flush of *** : OK\n",
      "index":248294
   },
   "shared/log/production.log":{
      "last_data":"Completed 200 OK in 1ms (Views: 0.4ms | ActiveRecord: 0.0ms)\n",
      "index":5131
   },
   "shared/log/unicorn.stderr.log":{
      "last_data":"I, [2012-10-23T14:51:17.691070 #17644]  INFO -- : worker=2 ready\n",
      "index":1283
   },
   "/shared/log/unicorn.stdout.log":{
      "index":0
   }
}

After restarting logstash

{
   "/opt/logstash/shared/log/logstash.log":{
      "index":0
   },
   "/var/log/nginx/access.log":{
      "last_data":"31.222.158.153 - api-integration.fstrz.net - [26/Oct/2012:12:27:57 +0000] \"PUT ***\"\n",
      "index":121998
   },
   "/var/log/nginx/error.log":{
      "index":0
   },
   "*** api.log":{
      "last_data":"[Fri, 26 Oct 2012 12:27:57 GMT] INFO ",
      "index":763065
   },
   "log/production.log":{
      "last_data":"Completed 200 OK in 1ms (Views: 0.5ms | ActiveRecord: 0.0ms)\n",
      "index":20047
   },
   "unicorn.stderr.log":{
      "last_data":"I, [2012-10-25T13:23:03.363704 #30359]  INFO -- : worker=2 done reopening logs\n",
      "index":314
   },
   "unicorn.stdout.log":{
      "index":0
   }
}

"type" parameter in AMQP is not added to the message when used with rabbitmq

I am able to send messages to rabbitmq and everything is working great except for the "type" parameter that is missing from the payload that is getting to the rabbitmq server.

In the node-logstash configuration I added the following:
&type=syslog

In rabbitMQ I see the following payload:
{"message":"Jan 21 14:27:30 test","path":"/var/log/syslog","host":"SERVERNAME","@timestamp":"2015-01-21T14:26:31.044Z","@Version":"1"}

From the documentation I expect there to be a key of "type":"syslog"

Am I missing something?

Enhance file input to be recursive

Currently the file input is only listening for file changes in the specified directory itself.

It would be great to be able to specify also to check for changes recursively in subdirectories.

This would make it easier if log files are placed into separate directories, e.g. for every day.

[feature] conditional filter

It's necessary to have a conditional filter that will send the data to the output only if the test passes.

I think that the best solution would be to be able to write a callback in JavaScript code, for instance:

function (msg, fields) {
   return parseInt(fields['status'], 10) >= 400
}

Means: only keep the lines with a status superior to 400.

A callback allows writing the needed logic.

For the URL API,

it becomes:

filters://keep_only_if?test=status_superior_to_400

and in the file status_superior_to_400:

parseInt(fields['status'], 10) >= 400

Note: we should be able to add a conditional filter only for one output, not necessarily all the outputs.

So, maybe:

output://statsd://ip?only_if=status_superior_to_400
