Today I was informed that some log data doesn't appear anymore in our ELK stack since yesterday afternoon. What changed yesterday afternoon? This particular log collector machien running Logstash was updated.
# zgrep logstash /var/log/apt/history.log.1.gz -B 3
Start-Date: 2018-11-27 15:52:08
Commandline: /usr/bin/apt-get -y -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold dist-upgrade
Install: [...]
Upgrade: [...] logstash:amd64 (5.6.10-1, 5.6.13-1), [...]
By checking the Logstash logs, the reason was pretty well explained:
[2018-11-28T08:13:51,925][ERROR][logstash.plugins.registry] Problems loading a plugin with {:type=>"output", :name=>"gelf", :path=>"logstash/outputs/gelf", :error_message=>"NameError", :error_class=>NameError, :error_backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/plugins/registry.rb:226:in `namespace_lookup'", "/usr/share/logstash/logstash-core/lib/logstash/plugins/registry.rb:162:in `legacy_lookup'", "/usr/share/logstash/logstash-core/lib/logstash/plugins/registry.rb:138:in `lookup'", "/usr/share/logstash/logstash-core/lib/logstash/plugins/registry.rb:180:in `lookup_pipeline_plugin'", "/usr/share/logstash/logstash-core/lib/logstash/plugin.rb:140:in `lookup'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:103:in `plugin'", "(eval):12:in `initialize'", "org/jruby/RubyKernel.java:1079:in `eval'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:75:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:165:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:296:in `create_pipeline'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:95:in `register_pipeline'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:313:in `execute'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:67:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:204:in `run'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:132:in `run'", "/usr/share/logstash/lib/bootstrap/environment.rb:71:in `(root)'"]}
[2018-11-28T08:13:51,955][ERROR][logstash.agent ] Cannot create pipeline {:reason=>"Couldn't find any output plugin named 'gelf'. Are you sure this is correct? Trying to load the gelf output plugin resulted in this error: Problems loading the requested plugin named gelf of type output. Error: NameError NameError"}
The important part:
:reason=>"Couldn't find any output plugin named 'gelf'.
Let's check the currently installed Logstash plugins:
# /usr/share/logstash/bin/logstash-plugin list --verbose | grep gelf
logstash-input-gelf (3.1.1)
Hmm.. Only the input-gelf plugin is shown, but not the output-gelf plugin. Let's install it manually then:
# /usr/share/logstash/bin/logstash-plugin install logstash-output-gelf
Validating logstash-output-gelf
Installing logstash-output-gelf
Installation successful
A Logstash restart is not needed after this. The logs happily showed up in Kibana again.
Kevin from wrote on Jun 27th, 2023:
Thank you for posting this. It's concise and accurate.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder