Wazuh Integration with Elasticsearch


Ab

Oct 2, 2024, 7:57:52 AM
to Wazuh | Mailing List
My setup details:
Wazuh version v4.9 on VMware
Elasticsearch and Kibana V8.15 on VMware

I successfully configured the Logstash setup to forward Wazuh alerts to my Elasticsearch instance located on another VM, following the instructions provided in the Wazuh documentation (https://documentation.wazuh.com/current/integrations-guide/elastic-stack/index.html). The configuration was validated, and I confirmed that logs were being sent to Elasticsearch when I executed Logstash manually with the command:
sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-elasticsearch.conf --path.settings /etc/logstash/
However, after testing and confirming that the configuration works correctly, I encountered an issue when I attempted to run Logstash as a service. Despite being able to send logs successfully while running it manually, Logstash fails to forward logs when started as a service using:
sudo systemctl start logstash.service
--------------------------------------------------------------------------
My log when running logstash manually, it can forward logs to ELK:
sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-elasticsearch.conf --path.settings /etc/logstash/
Using bundled JDK: /usr/share/logstash/jdk
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2024-10-02T18:21:22,919][INFO ][logstash.runner          ] Log4j configuration path used is: /etc/logstash/log4j2.properties
[2024-10-02T18:21:22,931][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.15.2", "jruby.version"=>"jruby 9.4.8.0 (3.1.4) 2024-07-02 4d41e55a67 OpenJDK 64-Bit Server VM 21.0.4+7-LTS on 21.0.4+7-LTS +indy +jit [x86_64-linux]"}
[2024-10-02T18:21:22,974][INFO ][logstash.runner          ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Dlogstash.jackson.stream-read-constraints.max-string-length=200000000, -Dlogstash.jackson.stream-read-constraints.max-number-length=10000, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED, -Dio.netty.allocator.maxOrder=11]
[2024-10-02T18:21:23,056][INFO ][logstash.runner          ] Jackson default value override `logstash.jackson.stream-read-constraints.max-string-length` configured to `200000000`
[2024-10-02T18:21:23,057][INFO ][logstash.runner          ] Jackson default value override `logstash.jackson.stream-read-constraints.max-number-length` configured to `10000`
[2024-10-02T18:21:23,871][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2024-10-02T18:21:26,790][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2024-10-02T18:21:29,233][INFO ][org.reflections.Reflections] Reflections took 484 ms to scan 1 urls, producing 138 keys and 481 values
[2024-10-02T18:21:30,124][INFO ][logstash.codecs.json     ] ECS compatibility is enabled but `target` option was not specified. This may cause fields to be set at the top-level of the event where they are likely to clash with the Elastic Common Schema. It is recommended to set the `target` option to avoid potential schema conflicts (if your data is ECS compliant or non-conflicting, feel free to ignore this message)
[2024-10-02T18:21:30,880][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "ssl_certificate_verification" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Set 'ssl_verification_mode' instead. If you have any questions about this, please visit the #logstash channel on freenode irc. {:name=>"ssl_certificate_verification", :plugin=><LogStash::Outputs::ElasticSearch ssl_certificate_verification=>false, template=>"/etc/logstash/templates/wazuh.json", password=><password>, template_name=>"wazuh", hosts=>[//192.168.95.145:9200], template_overwrite=>true, index=>"wazuh-alerts-4.x-%{+YYYY.MM.dd}", id=>"aa966d64832191e508d668af2c9ed745f04791f862b4b3be417a05c2eddcdbbc", user=>"elastic", ssl=>true, enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_dfa4d973-ed84-4a89-b25a-a74c819f9872", enable_metric=>true, charset=>"UTF-8">, workers=>1, ssl_verification_mode=>"full", sniffing=>false, sniffing_delay=>5, timeout=>60, pool_max=>1000, pool_max_per_route=>100, resurrect_delay=>5, validate_after_inactivity=>10000, http_compression=>true, compression_level=>1, retry_initial_interval=>2, retry_max_interval=>64, dlq_on_failed_indexname_interpolation=>true, data_stream_type=>"logs", data_stream_dataset=>"generic", data_stream_namespace=>"default", data_stream_sync_fields=>true, data_stream_auto_routing=>true, manage_template=>true, template_api=>"auto", doc_as_upsert=>false, script_type=>"inline", script_lang=>"painless", script_var_name=>"event", scripted_upsert=>false, retry_on_conflict=>1, ilm_enabled=>"auto", ilm_pattern=>"{now/d}-000001", ilm_policy=>"logstash-policy">}
[2024-10-02T18:21:30,906][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "ssl" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Set 'ssl_enabled' instead. If you have any questions about this, please visit the #logstash channel on freenode irc. {:name=>"ssl", :plugin=><LogStash::Outputs::ElasticSearch ssl_certificate_verification=>false, template=>"/etc/logstash/templates/wazuh.json", password=><password>, template_name=>"wazuh", hosts=>[//192.168.95.145:9200], template_overwrite=>true, index=>"wazuh-alerts-4.x-%{+YYYY.MM.dd}", id=>"aa966d64832191e508d668af2c9ed745f04791f862b4b3be417a05c2eddcdbbc", user=>"elastic", ssl=>true, enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_dfa4d973-ed84-4a89-b25a-a74c819f9872", enable_metric=>true, charset=>"UTF-8">, workers=>1, ssl_verification_mode=>"full", sniffing=>false, sniffing_delay=>5, timeout=>60, pool_max=>1000, pool_max_per_route=>100, resurrect_delay=>5, validate_after_inactivity=>10000, http_compression=>true, compression_level=>1, retry_initial_interval=>2, retry_max_interval=>64, dlq_on_failed_indexname_interpolation=>true, data_stream_type=>"logs", data_stream_dataset=>"generic", data_stream_namespace=>"default", data_stream_sync_fields=>true, data_stream_auto_routing=>true, manage_template=>true, template_api=>"auto", doc_as_upsert=>false, script_type=>"inline", script_lang=>"painless", script_var_name=>"event", scripted_upsert=>false, retry_on_conflict=>1, ilm_enabled=>"auto", ilm_pattern=>"{now/d}-000001", ilm_policy=>"logstash-policy">}
[2024-10-02T18:21:31,238][INFO ][logstash.javapipeline    ] Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
[2024-10-02T18:21:31,538][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//192.168.95.145:9200"]}
[2024-10-02T18:21:31,548][WARN ][logstash.outputs.elasticsearch][main] You have enabled encryption but DISABLED certificate verification, to make sure your data is secure set `ssl_verification_mode => full`
[2024-10-02T18:21:32,225][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://elastic:xxx...@192.168.95.145:9200/]}}
[2024-10-02T18:21:34,706][WARN ][logstash.outputs.elasticsearch][main] Restored connection to ES instance {:url=>"https://elastic:xxx...@192.168.95.145:9200/"}
[2024-10-02T18:21:34,712][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch version determined (8.15.1) {:es_version=>8}
[2024-10-02T18:21:34,713][WARN ][logstash.outputs.elasticsearch][main] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>8}
[2024-10-02T18:21:34,966][INFO ][logstash.outputs.elasticsearch][main] Not eligible for data streams because config contains one or more settings that are not compatible with data streams: {"template"=>"/etc/logstash/templates/wazuh.json", "template_name"=>"wazuh", "template_overwrite"=>"true", "index"=>"wazuh-alerts-4.x-%{+YYYY.MM.dd}"}
[2024-10-02T18:21:35,003][INFO ][logstash.outputs.elasticsearch][main] Data streams auto configuration (`data_stream => auto` or unset) resolved to `false`
[2024-10-02T18:21:35,181][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/wazuh-elasticsearch.conf"], :thread=>"#<Thread:0x9746ea3 /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-10-02T18:21:35,255][INFO ][logstash.outputs.elasticsearch][main] Using mapping template from {:path=>"/etc/logstash/templates/wazuh.json"}
[2024-10-02T18:21:35,470][INFO ][logstash.outputs.elasticsearch][main] Installing Elasticsearch template {:name=>"wazuh"}
[2024-10-02T18:21:37,693][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>2.51}
[2024-10-02T18:21:37,726][INFO ][logstash.inputs.file     ][main] No sincedb_path set, generating one based on the "path" setting {:sincedb_path=>"/var/lib/logstash/plugins/inputs/file/.sincedb_b6991da130c0919d87fbe36c3e98e363", :path=>["/var/ossec/logs/alerts/alerts.json"]}
[2024-10-02T18:21:37,775][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
[2024-10-02T18:21:37,794][INFO ][filewatch.observingtail  ][main][wazuh_alerts] START, creating Discoverer, Watch with file and sincedb collections
[2024-10-02T18:21:37,874][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2024-10-02T18:21:38,097][INFO ][logstash.codecs.json     ][main][wazuh_alerts] ECS compatibility is enabled but `target` option was not specified. This may cause fields to be set at the top-level of the event where they are likely to clash with the Elastic Common Schema. It is recommended to set the `target` option to avoid potential schema conflicts (if your data is ECS compliant or non-conflicting, feel free to ignore this message)
^C[2024-10-02T18:25:33,316][WARN ][logstash.runner          ] SIGINT received. Shutting down.
[2024-10-02T18:25:33,448][INFO ][filewatch.observingtail  ] QUIT - closing all files and shutting down.
[2024-10-02T18:25:33,882][INFO ][logstash.javapipeline    ][main] Pipeline terminated {"pipeline.id"=>"main"}
[2024-10-02T18:25:34,525][INFO ][logstash.pipelinesregistry] Removed pipeline from registry successfully {:pipeline_id=>:main}
[2024-10-02T18:25:34,572][INFO ][logstash.runner          ] Logstash shut down.
root@ubuntu:/usr/share/logstash/bin# sudo systemctl stop logstash
root@ubuntu:/usr/share/logstash/bin# sudo tail -f /var/log/logstash/logstash-plain.log
[2024-10-02T19:05:34,864][INFO ][logstash.inputs.file     ][main] No sincedb_path set, generating one based on the "path" setting {:sincedb_path=>"/var/lib/logstash/plugins/inputs/file/.sincedb_b6991da130c0919d87fbe36c3e98e363", :path=>["/var/ossec/logs/alerts/alerts.json"]}
[2024-10-02T19:05:34,894][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
[2024-10-02T19:05:34,947][INFO ][filewatch.observingtail  ][main][wazuh_alerts] START, creating Discoverer, Watch with file and sincedb collections
[2024-10-02T19:05:35,131][INFO ][logstash.codecs.json     ][main][wazuh_alerts] ECS compatibility is enabled but `target` option was not specified. This may cause fields to be set at the top-level of the event where they are likely to clash with the Elastic Common Schema. It is recommended to set the `target` option to avoid potential schema conflicts (if your data is ECS compliant or non-conflicting, feel free to ignore this message)
[2024-10-02T19:05:35,168][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2024-10-02T19:06:40,300][WARN ][logstash.runner          ] SIGINT received. Shutting down.
[2024-10-02T19:06:40,321][INFO ][filewatch.observingtail  ] QUIT - closing all files and shutting down.
[2024-10-02T19:06:41,699][INFO ][logstash.javapipeline    ][main] Pipeline terminated {"pipeline.id"=>"main"}
[2024-10-02T19:06:42,351][INFO ][logstash.pipelinesregistry] Removed pipeline from registry successfully {:pipeline_id=>:main}
[2024-10-02T19:06:42,454][INFO ][logstash.runner          ] Logstash shut down.
==================================================================
Also I checked the file status of the alert file, which looks good:
lsof /var/ossec/logs/alerts/alerts.json
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
lsof: WARNING: can't stat() fuse file system /run/user/1000/doc
      Output information may be incomplete.
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
wazuh-int 37637 wazuh    4r   REG    8,5   285191 2498183 /var/ossec/logs/alerts/alerts.json
wazuh-ana 37713 wazuh   12w   REG    8,5   285191 2498183 /var/ossec/logs/alerts/alerts.json
filebeat  43480  root    9r   REG    8,5   285191 2498183 /var/ossec/logs/alerts/alerts.json

Gustavo Choquevilca

Oct 2, 2024, 8:50:18 AM
to Wazuh | Mailing List
Hi,

In the logs you sent, I don’t see an error, just INFO or WARN logs. You can run grep to look for errors:


grep -ie error /var/log/logstash/logstash-plain.log


Additionally, you can check the following:

  • Make sure that all components of your ELK stack (Elasticsearch, Logstash, and Kibana) are the same version to avoid compatibility issues.

Have you checked this? Wazuh Documentation

Share with me everything necessary to review this issue.

Ka Ho WONG, Stan

Oct 4, 2024, 3:33:15 AM
to Gustavo Choquevilca, Wazuh | Mailing List

Hello,

I've successfully configured Wazuh to forward alerts to Elasticsearch running on a different VM. However, I have encountered an issue: I can only run Logstash manually using the following command:

sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-elasticsearch.conf --path.settings /etc/logstash/

When I try to run Logstash as a service using the commands:

sudo systemctl enable logstash.service
sudo systemctl start logstash.service

I am unable to receive logs in Elasticsearch. To resolve this, I attempted to modify the logstash.service configuration to use the wazuh-elasticsearch.conf file, but I have not been successful. Here is the current content of my logstash.service file:

[Unit]
Description=logstash

[Service]
Type=simple
User=logstash
Group=logstash
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
#ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
ExecStart=/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-elasticsearch.conf "--path.settings" "/etc/logstash"
Restart=always
WorkingDirectory=/
Nice=19
LimitNOFILE=16384
TimeoutStopSec=infinity

Could you help me troubleshoot and rewrite this service configuration to ensure Logstash uses the wazuh-elasticsearch.conf file correctly when running as a service?

Thank you!


Ken





Gustavo Choquevilca

Oct 4, 2024, 9:37:44 AM
to Wazuh | Mailing List
Hi,

The issue might be with the ports. Have you checked that port 9200 is open for the Wazuh indexer?

Could you share the system logs with me when you run these commands:



sudo systemctl enable logstash.service
sudo systemctl start logstash.service


Logs:

  • /var/log/messages for Red Hat-based distributions
  • /var/log/syslog for Debian-based distributions

Also, check the permissions of the /var/log/logstash folder to see if the logstash user has write permissions in that folder.

Gustavo Choquevilca

Oct 6, 2024, 11:36:43 PM
to Wazuh | Mailing List
Hi,

The issue might be with the ports. Have you checked that port 9200 is open for the Wazuh indexer?

Could you share the system logs with me when you run these commands:



sudo systemctl enable logstash.service
sudo systemctl start logstash.service



Logs:

  • /var/log/messages for Red Hat-based distributions
  • /var/log/syslog for Debian-based distributions
  • Also, check the permissions of the /var/log/logstash folder to see if the logstash user has write permissions in that folder.
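
An added example, not part of the thread: the permission check suggested above, extended from the /var/log/logstash directory itself to the files inside it, since a log file created while Logstash was run manually as root would be owned by root and not by the service account. The account name `logstash` and the directory `/var/lib/logstash` are taken from the unit file and the sincedb path quoted earlier in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. It reports entries that the service
# account cannot be expected to write, e.g. log files left by a root-run test.
# Assumptions: the account is "logstash" (User=logstash in the posted unit)
# and the directories are the ones named in the posted logs.

# Print every entry under directory $1 that is NOT owned by user $2
# (a user name or a numeric uid).
not_owned_by() {
    find "$1" ! -user "$2" -print
}

# Print every entry under $1 that IS owned by $2 but has no owner write bit.
not_owner_writable() {
    find "$1" -user "$2" ! -perm -200 -print
}

# Audit each directory for the service user. Prints one finding per line and
# returns 1 if anything was found, 0 if every entry is owned and writable.
audit_service_paths() {
    asp_user=$1
    shift
    asp_findings=0
    for asp_dir in "$@"; do
        if [ ! -d "$asp_dir" ]; then
            printf 'missing directory: %s\n' "$asp_dir"
            asp_findings=1
            continue
        fi
        asp_out=$(
            not_owned_by "$asp_dir" "$asp_user" | sed 's|^|foreign owner: |'
            not_owner_writable "$asp_dir" "$asp_user" | sed 's|^|no owner write bit: |'
        )
        if [ -n "$asp_out" ]; then
            printf '%s\n' "$asp_out"
            asp_findings=1
        fi
    done
    return "$asp_findings"
}

# Example invocation on the Logstash host (as root, so find can read everything):
#   sh check_paths.sh logstash /var/log/logstash /var/lib/logstash
if [ "$#" -ge 2 ]; then
    audit_service_paths "$@"
fi
```

Entries reported as "foreign owner" can be handed back to the service account with chown before restarting the service.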

Ka Ho WONG, Stan

Oct 8, 2024, 7:15:04 AM
to Gustavo Choquevilca, Wazuh | Mailing List
Hi Gustavo

Permission:
=========
ls -la  /var/log/logstash
drwxr-xr-x   2 logstash          logstash           4096 Oct  8 10:16 logstash

cat /var/log/syslog :
===================
Oct  8 10:41:45 ubuntu systemd[1]: Started logstash.
Oct  8 10:41:45 ubuntu logstash[122303]: Using bundled JDK: /usr/share/logstash/jdk
Oct  8 10:42:31 ubuntu logstash[122303]: Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
Oct  8 10:42:31 ubuntu logstash[122303]: 2024-10-08 10:42:31,549 main ERROR RollingFileManager (/var/log/logstash/logstash-deprecation.log) java.io.FileNotFoundException: /var/log/logstash/logstash-deprecation.log (Permission denied) java.io.FileNotFoundException: /var/log/logstash/logstash-deprecation.log (Permission denied)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at java.base/java.io.FileOutputStream.open0(Native Method)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at java.base/java.io.FileOutputStream.open(FileOutputStream.java:289)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:230)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:150)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.appender.rolling.RollingFileManager$RollingFileManagerFactory.createManager(RollingFileManager.java:746)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.appender.rolling.RollingFileManager$RollingFileManagerFactory.createManager(RollingFileManager.java:716)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.appender.AbstractManager.getManager(AbstractManager.java:144)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.appender.OutputStreamManager.getManager(OutputStreamManager.java:100)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.getFileManager(RollingFileManager.java:217)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.appender.RollingFileAppender$Builder.build(RollingFileAppender.java:146)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.appender.RollingFileAppender$Builder.build(RollingFileAppender.java:62)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.plugins.util.PluginBuilder.build(PluginBuilder.java:124)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.AbstractConfiguration.createPluginObject(AbstractConfiguration.java:1122)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.AbstractConfiguration.createConfiguration(AbstractConfiguration.java:1047)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.AbstractConfiguration.createConfiguration(AbstractConfiguration.java:1039)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.AbstractConfiguration.doConfigure(AbstractConfiguration.java:651)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.AbstractConfiguration.initialize(AbstractConfiguration.java:249)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.log.LogstashConfigurationFactory.getConfiguration(LogstashConfigurationFactory.java:68)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.log.LogstashConfigurationFactory.getConfiguration(LogstashConfigurationFactory.java:40)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.ConfigurationFactory.getConfiguration(ConfigurationFactory.java:304)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.ConfigurationFactory$Factory.getConfiguration(ConfigurationFactory.java:467)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.ConfigurationFactory.getConfiguration(ConfigurationFactory.java:325)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:690)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.LoggerContext.setConfigLocation(LoggerContext.java:679)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.log.LoggerExt.reconfigure(LoggerExt.java:184)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.log.LoggerExt$INVOKER$s$1$0$reconfigure.call(LoggerExt$INVOKER$s$1$0$reconfigure.gen)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:466)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:244)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.Interpreter.INTERPRET_BLOCK(Interpreter.java:118)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.MixedModeIRBlockBody.commonYieldPath(MixedModeIRBlockBody.java:136)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.Block.call(Block.java:148)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.RubyProc.call(RubyProc.java:330)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.RubyProc$INVOKER$i$call.call(RubyProc$INVOKER$i$call.gen)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.JavaMethod$JavaMethodZeroOrOneOrNBlock.call(JavaMethod.java:355)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:466)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:244)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.Interpreter.INTERPRET_BLOCK(Interpreter.java:118)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.MixedModeIRBlockBody.commonYieldPath(MixedModeIRBlockBody.java:136)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.IRBlockBody.doYield(IRBlockBody.java:169)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.BlockBody.yield(BlockBody.java:108)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.Block.yield(Block.java:189)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.RubyArray.each(RubyArray.java:1981)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.RubyArray$INVOKER$i$0$0$each.call(RubyArray$INVOKER$i$0$0$each.gen)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.JavaMethod$JavaMethodZeroBlock.call(JavaMethod.java:561)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:446)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:92)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.callIter(CachingCallSite.java:103)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.instructions.CallBase.interpret(CallBase.java:545)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:363)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:76)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:164)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:151)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:212)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:456)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:195)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:346)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:76)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:164)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:151)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:212)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:456)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:195)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:346)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:76)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:164)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:151)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:212)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:456)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:195)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:346)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:128)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:115)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.runtime.IRRuntimeHelpers.instanceSuper(IRRuntimeHelpers.java:1379)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.instructions.InstanceSuperInstr.interpret(InstanceSuperInstr.java:139)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:363)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:82)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:201)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:188)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:220)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:466)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:244)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:128)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:115)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.targets.indy.InvokeSite.performIndirectCall(InvokeSite.java:735)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.targets.indy.InvokeSite.invoke(InvokeSite.java:657)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at usr.share.logstash.lib.bootstrap.environment.RUBY$script(/usr/share/logstash/lib/bootstrap/environment.rb:89)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at usr.share.logstash.lib.bootstrap.environment.run(/usr/share/logstash/lib/bootstrap/environment.rb)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:733)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.Compiler$1.load(Compiler.java:114)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.Ruby.runScript(Ruby.java:1245)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.Ruby.runNormally(Ruby.java:1157)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.Ruby.runFromMain(Ruby.java:983)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.Logstash.run(Logstash.java:163)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.Logstash.main(Logstash.java:73)
Oct  8 10:42:31 ubuntu logstash[122303]: 2024-10-08 10:42:31,565 main ERROR Could not create plugin of type class org.apache.logging.log4j.core.appender.RollingFileAppender for element RollingFile: java.lang.IllegalStateException: ManagerFactory [org.apache.logging.log4j.core.appender.rolling.RollingFileManager$RollingFileManagerFactory@3ac6c956] unable to create manager for [/var/log/logstash/logstash-deprecation.log] with data [org.apache.logging.log4j.core.appender.rolling.RollingFileManager$FactoryData@239c4792[pattern=/var/log/logstash/logstash-deprecation-%d{yyyy-MM-dd}-%i.log.gz, append=true, bufferedIO=true, bufferSize=8192, policy=CompositeTriggeringPolicy(policies=[TimeBasedTriggeringPolicy(nextRolloverMillis=0, interval=1, modulate=true), SizeBasedTriggeringPolicy(size=104857600)]), strategy=DefaultRolloverStrategy(min=1, max=30, useMax=true), advertiseURI=null, layout=[%d{ISO8601}][%-5p][%-25c]%notEmpty{[%X{pipeline.id}]}%notEmpty{[%X{plugin.id}]} %m%n, filePermissions=null, fileOwner=null]] java.lang.IllegalStateException: ManagerFactory [org.apache.logging.log4j.core.appender.rolling.RollingFileManager$RollingFileManagerFactory@3ac6c956] unable to create manager for [/var/log/logstash/logstash-deprecation.log] with data [org.apache.logging.log4j.core.appender.rolling.RollingFileManager$FactoryData@239c4792[pattern=/var/log/logstash/logstash-deprecation-%d{yyyy-MM-dd}-%i.log.gz, append=true, bufferedIO=true, bufferSize=8192, policy=CompositeTriggeringPolicy(policies=[TimeBasedTriggeringPolicy(nextRolloverMillis=0, interval=1, modulate=true), SizeBasedTriggeringPolicy(size=104857600)]), strategy=DefaultRolloverStrategy(min=1, max=30, useMax=true), advertiseURI=null, layout=[%d{ISO8601}][%-5p][%-25c]%notEmpty{[%X{pipeline.id}]}%notEmpty{[%X{plugin.id}]} %m%n, filePermissions=null, fileOwner=null]]
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.appender.AbstractManager.getManager(AbstractManager.java:146)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.appender.OutputStreamManager.getManager(OutputStreamManager.java:100)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.getFileManager(RollingFileManager.java:217)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.appender.RollingFileAppender$Builder.build(RollingFileAppender.java:146)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.appender.RollingFileAppender$Builder.build(RollingFileAppender.java:62)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.plugins.util.PluginBuilder.build(PluginBuilder.java:124)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.AbstractConfiguration.createPluginObject(AbstractConfiguration.java:1122)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.AbstractConfiguration.createConfiguration(AbstractConfiguration.java:1047)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.AbstractConfiguration.createConfiguration(AbstractConfiguration.java:1039)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.AbstractConfiguration.doConfigure(AbstractConfiguration.java:651)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.AbstractConfiguration.initialize(AbstractConfiguration.java:249)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.log.LogstashConfigurationFactory.getConfiguration(LogstashConfigurationFactory.java:68)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.log.LogstashConfigurationFactory.getConfiguration(LogstashConfigurationFactory.java:40)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.ConfigurationFactory.getConfiguration(ConfigurationFactory.java:304)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.ConfigurationFactory$Factory.getConfiguration(ConfigurationFactory.java:467)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.ConfigurationFactory.getConfiguration(ConfigurationFactory.java:325)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:690)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.LoggerContext.setConfigLocation(LoggerContext.java:679)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.log.LoggerExt.reconfigure(LoggerExt.java:184)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.log.LoggerExt$INVOKER$s$1$0$reconfigure.call(LoggerExt$INVOKER$s$1$0$reconfigure.gen)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:466)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:244)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.Interpreter.INTERPRET_BLOCK(Interpreter.java:118)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.MixedModeIRBlockBody.commonYieldPath(MixedModeIRBlockBody.java:136)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.Block.call(Block.java:148)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.RubyProc.call(RubyProc.java:330)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.RubyProc$INVOKER$i$call.call(RubyProc$INVOKER$i$call.gen)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.JavaMethod$JavaMethodZeroOrOneOrNBlock.call(JavaMethod.java:355)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:466)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:244)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.Interpreter.INTERPRET_BLOCK(Interpreter.java:118)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.MixedModeIRBlockBody.commonYieldPath(MixedModeIRBlockBody.java:136)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.IRBlockBody.doYield(IRBlockBody.java:169)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.BlockBody.yield(BlockBody.java:108)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.Block.yield(Block.java:189)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.RubyArray.each(RubyArray.java:1981)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.RubyArray$INVOKER$i$0$0$each.call(RubyArray$INVOKER$i$0$0$each.gen)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.JavaMethod$JavaMethodZeroBlock.call(JavaMethod.java:561)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:446)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:92)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.callIter(CachingCallSite.java:103)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.instructions.CallBase.interpret(CallBase.java:545)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:363)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:76)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:164)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:151)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:212)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:456)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:195)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:346)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:76)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:164)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:151)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:212)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:456)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:195)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:346)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:76)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:164)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:151)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:212)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:456)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:195)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:346)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:128)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:115)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.runtime.IRRuntimeHelpers.instanceSuper(IRRuntimeHelpers.java:1379)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.instructions.InstanceSuperInstr.interpret(InstanceSuperInstr.java:139)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:363)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:82)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:201)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:188)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:220)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:466)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:244)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:128)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:115)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.targets.indy.InvokeSite.performIndirectCall(InvokeSite.java:735)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.targets.indy.InvokeSite.invoke(InvokeSite.java:657)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at usr.share.logstash.lib.bootstrap.environment.RUBY$script(/usr/share/logstash/lib/bootstrap/environment.rb:89)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at usr.share.logstash.lib.bootstrap.environment.run(/usr/share/logstash/lib/bootstrap/environment.rb)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:733)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.Compiler$1.load(Compiler.java:114)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.Ruby.runScript(Ruby.java:1245)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.Ruby.runNormally(Ruby.java:1157)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.Ruby.runFromMain(Ruby.java:983)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.Logstash.run(Logstash.java:163)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.Logstash.main(Logstash.java:73)
Oct  8 10:42:31 ubuntu logstash[122303]: 2024-10-08 10:42:31,578 main ERROR Unable to invoke factory method in class org.apache.logging.log4j.core.appender.RollingFileAppender for element RollingFile: java.lang.IllegalStateException: No factory method found for class org.apache.logging.log4j.core.appender.RollingFileAppender java.lang.IllegalStateException: No factory method found for class org.apache.logging.log4j.core.appender.RollingFileAppender
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.plugins.util.PluginBuilder.findFactoryMethod(PluginBuilder.java:238)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.plugins.util.PluginBuilder.build(PluginBuilder.java:136)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.AbstractConfiguration.createPluginObject(AbstractConfiguration.java:1122)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.AbstractConfiguration.createConfiguration(AbstractConfiguration.java:1047)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.AbstractConfiguration.createConfiguration(AbstractConfiguration.java:1039)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.AbstractConfiguration.doConfigure(AbstractConfiguration.java:651)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.AbstractConfiguration.initialize(AbstractConfiguration.java:249)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.log.LogstashConfigurationFactory.getConfiguration(LogstashConfigurationFactory.java:68)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.log.LogstashConfigurationFactory.getConfiguration(LogstashConfigurationFactory.java:40)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.ConfigurationFactory.getConfiguration(ConfigurationFactory.java:304)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.ConfigurationFactory$Factory.getConfiguration(ConfigurationFactory.java:467)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.config.ConfigurationFactory.getConfiguration(ConfigurationFactory.java:325)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:690)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.apache.logging.log4j.core.LoggerContext.setConfigLocation(LoggerContext.java:679)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.log.LoggerExt.reconfigure(LoggerExt.java:184)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.log.LoggerExt$INVOKER$s$1$0$reconfigure.call(LoggerExt$INVOKER$s$1$0$reconfigure.gen)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:466)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:244)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.Interpreter.INTERPRET_BLOCK(Interpreter.java:118)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.MixedModeIRBlockBody.commonYieldPath(MixedModeIRBlockBody.java:136)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.Block.call(Block.java:148)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.RubyProc.call(RubyProc.java:330)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.RubyProc$INVOKER$i$call.call(RubyProc$INVOKER$i$call.gen)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.JavaMethod$JavaMethodZeroOrOneOrNBlock.call(JavaMethod.java:355)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:466)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:244)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.Interpreter.INTERPRET_BLOCK(Interpreter.java:118)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.MixedModeIRBlockBody.commonYieldPath(MixedModeIRBlockBody.java:136)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.IRBlockBody.doYield(IRBlockBody.java:169)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.BlockBody.yield(BlockBody.java:108)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.Block.yield(Block.java:189)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.RubyArray.each(RubyArray.java:1981)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.RubyArray$INVOKER$i$0$0$each.call(RubyArray$INVOKER$i$0$0$each.gen)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.JavaMethod$JavaMethodZeroBlock.call(JavaMethod.java:561)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:446)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:92)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.callIter(CachingCallSite.java:103)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.instructions.CallBase.interpret(CallBase.java:545)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:363)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:76)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:164)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:151)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:212)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:456)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:195)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:346)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:76)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:164)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:151)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:212)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:456)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:195)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:346)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:76)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:164)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:151)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:212)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:456)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:195)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:346)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:128)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:115)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.runtime.IRRuntimeHelpers.instanceSuper(IRRuntimeHelpers.java:1379)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.instructions.InstanceSuperInstr.interpret(InstanceSuperInstr.java:139)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:363)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:82)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:201)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:188)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:220)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:466)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:244)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:128)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:115)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.targets.indy.InvokeSite.performIndirectCall(InvokeSite.java:735)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.targets.indy.InvokeSite.invoke(InvokeSite.java:657)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at usr.share.logstash.lib.bootstrap.environment.RUBY$script(/usr/share/logstash/lib/bootstrap/environment.rb:89)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at usr.share.logstash.lib.bootstrap.environment.run(/usr/share/logstash/lib/bootstrap/environment.rb)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:733)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.ir.Compiler$1.load(Compiler.java:114)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.Ruby.runScript(Ruby.java:1245)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.Ruby.runNormally(Ruby.java:1157)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.jruby.Ruby.runFromMain(Ruby.java:983)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.Logstash.run(Logstash.java:163)
Oct  8 10:42:31 ubuntu logstash[122303]: #011at org.logstash.Logstash.main(Logstash.java:73)
Oct  8 10:42:31 ubuntu logstash[122303]: 2024-10-08 10:42:31,637 main ERROR Null object returned for RollingFile in Appenders.
Oct  8 10:42:31 ubuntu logstash[122303]: 2024-10-08 10:42:31,638 main ERROR Unable to locate appender "deprecation_plain_rolling" for logger config "org.logstash.deprecation, deprecation"
Oct  8 10:42:31 ubuntu logstash[122303]: 2024-10-08 10:42:31,647 main ERROR Unable to locate appender "deprecation_plain_rolling" for logger config "deprecation"
Oct  8 10:42:31 ubuntu logstash[122303]: [2024-10-08T10:42:31,684][INFO ][logstash.runner          ] Log4j configuration path used is: /etc/logstash/log4j2.properties
Oct  8 10:42:31 ubuntu logstash[122303]: [2024-10-08T10:42:31,699][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.15.2", "jruby.version"=>"jruby 9.4.8.0 (3.1.4) 2024-07-02 4d41e55a67 OpenJDK 64-Bit Server VM 21.0.4+7-LTS on 21.0.4+7-LTS +indy +jit [x86_64-linux]"}
Oct  8 10:42:31 ubuntu logstash[122303]: [2024-10-08T10:42:31,751][INFO ][logstash.runner          ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Dlogstash.jackson.stream-read-constraints.max-string-length=200000000, -Dlogstash.jackson.stream-read-constraints.max-number-length=10000, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED, -Dio.netty.allocator.maxOrder=11]
Oct  8 10:42:31 ubuntu logstash[122303]: [2024-10-08T10:42:31,769][INFO ][logstash.runner          ] Jackson default value override `logstash.jackson.stream-read-constraints.max-string-length` configured to `200000000`
Oct  8 10:42:31 ubuntu logstash[122303]: [2024-10-08T10:42:31,776][INFO ][logstash.runner          ] Jackson default value override `logstash.jackson.stream-read-constraints.max-number-length` configured to `10000`
Oct  8 10:42:34 ubuntu logstash[122303]: [2024-10-08T10:42:34,942][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"Java::OrgLogstashSecretStore::SecretStoreException::AccessException", :message=>"Can not access Logstash keystore at /etc/logstash/logstash.keystore. Please verify correct file permissions and keystore password.", :backtrace=>["org.logstash.secret.store.backend.JavaKeyStore.load(JavaKeyStore.java:291)", "org.logstash.secret.store.backend.JavaKeyStore.load(JavaKeyStore.java:77)", "org.logstash.secret.store.SecretStoreFactory.doIt(SecretStoreFactory.java:129)", "org.logstash.secret.store.SecretStoreFactory.load(SecretStoreFactory.java:115)", "org.logstash.secret.store.SecretStoreExt.getIfExists(SecretStoreExt.java:60)", "org.logstash.execution.AbstractPipelineExt.getSecretStore(AbstractPipelineExt.java:797)", "org.logstash.execution.AbstractPipelineExt.initialize(AbstractPipelineExt.java:238)", "org.logstash.execution.AbstractPipelineExt.initialize(AbstractPipelineExt.java:173)", "org.logstash.execution.AbstractPipelineExt$INVOKER$i$initialize.call(AbstractPipelineExt$INVOKER$i$initialize.gen)", "org.jruby.internal.runtime.methods.JavaMethod$JavaMethodN.call(JavaMethod.java:847)", "org.jruby.ir.runtime.IRRuntimeHelpers.instanceSuper(IRRuntimeHelpers.java:1379)", "org.jruby.ir.instructions.InstanceSuperInstr.interpret(InstanceSuperInstr.java:139)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:363)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:128)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:115)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:446)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:92)", 
"org.jruby.RubyClass.newInstance(RubyClass.java:949)", "org.jruby.RubyClass$INVOKER$i$newInstance.call(RubyClass$INVOKER$i$newInstance.gen)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:446)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:92)", "org.jruby.ir.instructions.CallBase.interpret(CallBase.java:548)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:363)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:88)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:238)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:225)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:228)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:476)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:293)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:324)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.ir.interpreter.Interpreter.INTERPRET_BLOCK(Interpreter.java:118)", "org.jruby.runtime.MixedModeIRBlockBody.commonYieldPath(MixedModeIRBlockBody.java:136)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:66)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:58)", "org.jruby.runtime.Block.call(Block.java:144)", "org.jruby.RubyProc.call(RubyProc.java:354)", "org.jruby.internal.runtime.RubyRunnable.run(RubyRunnable.java:111)", "java.base/java.lang.Thread.run(Thread.java:1583)"]}
Oct  8 10:42:35 ubuntu logstash[122303]: [2024-10-08T10:42:35,079][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
Oct  8 10:42:35 ubuntu logstash[122303]: [2024-10-08T10:42:35,153][INFO ][logstash.runner          ] Logstash shut down.
Oct  8 10:42:35 ubuntu logstash[122303]: [2024-10-08T10:42:35,161][FATAL][org.logstash.Logstash    ] Logstash stopped processing because of an error: (SystemExit) exit
Oct  8 10:42:35 ubuntu logstash[122303]: org.jruby.exceptions.SystemExit: (SystemExit) exit
Oct  8 10:42:35 ubuntu logstash[122303]: #011at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:921) ~[jruby.jar:?]
Oct  8 10:42:35 ubuntu logstash[122303]: #011at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:880) ~[jruby.jar:?]
Oct  8 10:42:35 ubuntu logstash[122303]: #011at usr.share.logstash.lib.bootstrap.environment.<main>(/usr/share/logstash/lib/bootstrap/environment.rb:90) ~[?:?]
Oct  8 10:42:35 ubuntu systemd[1]: logstash.service: Main process exited, code=exited, status=1/FAILURE
Oct  8 10:42:35 ubuntu systemd[1]: logstash.service: Failed with result 'exit-code'.
Oct  8 10:42:35 ubuntu systemd[1]: logstash.service: Scheduled restart job, restart counter is at 29.


Apart from the log shown above:
==================================
Here I attached the screenshot of the file permission:
image.png

However, if I run Logstash manually, it can successfully forward the Wazuh alert to Elasticsearch.
The command I used:

sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-elasticsearch.conf --path.settings /etc/logstash/
image.png


'Gustavo Choquevilca' via Wazuh | Mailing List <wa...@googlegroups.com> wrote on Mon, Oct 7, 2024 at 11:36 AM:

Gustavo Choquevilca

Oct 8, 2024, 1:34:15 PM
to Wazuh | Mailing List
Hi,
This may be the error:


Oct  8 10:42:34 ubuntu logstash[122303]: [2024-10-08T10:42:34,942][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"Java::OrgLogstashSecretStore::SecretStoreException::AccessException", :message=>"Can not access Logstash keystore at /etc/logstash/logstash.keystore. Please verify correct file permissions and keystore password.", :backtrace=>["org.logstash.secret.store.backend.JavaKeyStore.load(JavaKeyStore.java:291)", "org.logstash.secret.store.backend.JavaKeyStore.load(JavaKeyStore.java:77)", "org.logstash.secret.store.SecretStoreFactory.doIt(SecretStoreFactory.java:129)", "org.logstash.secret.store.SecretStoreFactory.load(SecretStoreFactory.java:115)", "org.logstash.secret.store.SecretStoreExt.getIfExists(SecretStoreExt.java:60)", "org.logstash.execution.AbstractPipelineExt.getSecretStore(AbstractPipelineExt.java:797)", "org.logstash.execution.AbstractPipelineExt.initialize(AbstractPipelineExt.java:238)", "org.logstash.execution.AbstractPipelineExt.initialize(AbstractPipelineExt.java:173)", "org.logstash.execution.AbstractPipelineExt$INVOKER$i$initialize.call(AbstractPipelineExt$INVOKER$i$initialize.gen)", "org.jruby.internal.runtime.methods.JavaMethod$JavaMethodN.call(JavaMethod.java:847)", "org.jruby.ir.runtime.IRRuntimeHelpers.instanceSuper(IRRuntimeHelpers.java:1379)", "org.jruby.ir.instructions.InstanceSuperInstr.interpret(InstanceSuperInstr.java:139)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:363)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:128)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:115)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:446)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:92)", 
"org.jruby.RubyClass.newInstance(RubyClass.java:949)", "org.jruby.RubyClass$INVOKER$i$newInstance.call(RubyClass$INVOKER$i$newInstance.gen)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:446)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:92)", "org.jruby.ir.instructions.CallBase.interpret(CallBase.java:548)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:363)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:88)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:238)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:225)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:228)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:476)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:293)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:324)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.ir.interpreter.Interpreter.INTERPRET_BLOCK(Interpreter.java:118)", "org.jruby.runtime.MixedModeIRBlockBody.commonYieldPath(MixedModeIRBlockBody.java:136)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:66)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:58)", "org.jruby.runtime.Block.call(Block.java:144)", "org.jruby.RubyProc.call(RubyProc.java:354)", "org.jruby.internal.runtime.RubyRunnable.run(RubyRunnable.java:111)", "java.base/java.lang.Thread.run(Thread.java:1583)"]}


You should configure it as follows:

set +o history
echo 'LOGSTASH_KEYSTORE_PASS="<MY_KEYSTORE_PASSWORD>"' | sudo tee /etc/sysconfig/logstash
export LOGSTASH_KEYSTORE_PASS="<MY_KEYSTORE_PASSWORD>"
set -o history
sudo chown root /etc/sysconfig/logstash
sudo chmod 600 /etc/sysconfig/logstash
sudo systemctl start logstash

This directory /etc/sysconfig/logstash must have root owner and permission 600


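The two conditions named in the AccessException and in the reply above (keystore file permissions, and a root-owned mode-600 environment file carrying LOGSTASH_KEYSTORE_PASS) can be checked before restarting the service. This is an added example, not part of the original thread; it assumes GNU stat, a service account named logstash, and the hypothetical script name audit.sh.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (Linux).

# mode_allows_read MODE FILE_UID FILE_GID UID GID
# Returns 0 when the owner/group/other bits let UID:GID read the file.
# Supplementary groups and ACLs are not considered.
mode_allows_read() (
    bits=$((0$1)); fuid=$2; fgid=$3; uid=$4; gid=$5
    [ "$uid" -eq 0 ] && exit 0            # root bypasses the mode bits
    if [ "$uid" -eq "$fuid" ]; then [ $((bits & 0400)) -ne 0 ]; exit; fi
    if [ "$gid" -eq "$fgid" ]; then [ $((bits & 0040)) -ne 0 ]; exit; fi
    [ $((bits & 0004)) -ne 0 ]
)

# check_env_file FILE WANT_UID
# The file must exist, be mode 600, be owned by WANT_UID and define
# LOGSTASH_KEYSTORE_PASS. Prints one line per finding; returns 1 if any.
check_env_file() (
    file=$1; want_uid=$2; rc=0
    [ -f "$file" ] || { echo "MISSING $file"; exit 1; }
    set -- $(stat -c '%a %u' "$file")     # $1 = octal mode, $2 = owner uid
    [ "$1" = 600 ] || { echo "MODE $file is $1, expected 600"; rc=1; }
    [ "$2" = "$want_uid" ] || { echo "OWNER $file is uid $2, expected $want_uid"; rc=1; }
    grep -q '^LOGSTASH_KEYSTORE_PASS=' "$file" \
        || { echo "VAR LOGSTASH_KEYSTORE_PASS not defined in $file"; rc=1; }
    exit "$rc"
)

# check_keystore FILE SVC_UID SVC_GID
# Returns 1 when the service account cannot read the keystore file.
check_keystore() (
    file=$1
    [ -f "$file" ] || { echo "MISSING $file"; exit 1; }
    # Positional parameters become: mode, file uid, file gid, svc uid, svc gid
    set -- $(stat -c '%a %u %g' "$file") "$2" "$3"
    mode_allows_read "$@" || { echo "PERM uid $4 cannot read $file (mode $1)"; exit 1; }
)

# Run as root: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    rc=0
    check_env_file /etc/sysconfig/logstash 0 || rc=1
    check_keystore /etc/logstash/logstash.keystore \
        "$(id -u logstash)" "$(id -g logstash)" || rc=1
    exit "$rc"
fi
```

A clean run prints nothing and exits 0; it does not verify that the stored password actually unlocks the keystore.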