Input Threat Exception

Description

Somehow after getting Logstash to run and connect with my Elastic Search instance, this warning/error keeps popping up:

jon1984@ubuntu:~/Applications/logstash_conf$ java -jar logstash-1.1.0-monolithic.jar agent -f agent-server.conf
I, [2012-02-19T22:33:21.493000 #5987] INFO – : Using beta plugin 'amqp'. For more information about plugin statuses, see http://logstash.net/docs/1.1.0/plugin-status {"timestamp":"2012-02-19T22:33:21.473000 -0800","message":"Using beta plugin 'amqp'. For more information about plugin statuses, see http://logstash.net/docs/1.1.0/plugin-status ","level":"info"}
W, [2012-02-19T22:33:23.560000 #5987] WARN – : Input thread exception {"timestamp":"2012-02-19T22:33:23.556000 -0800","plugin":"LogStash::Inputs::Amqp: {\"type\"=>\"apache-access\", \"host\"=>\"172.17.112.98\", \"exchange\"=>\"fanout\", \"name\"=>\"rawlogs\", \"debug\"=>false, \"add_field\"=>{}, \"port\"=>5672, \"user\"=>\"guest\", \"password\"=><password>, \"key\"=>\"logstash\", \"vhost\"=>\"/\", \"passive\"=>false, \"durable\"=>false, \"auto_delete\"=>true, \"exclusive\"=>true, \"prefetch_count\"=>1, \"ack\"=>true, \"ssl\"=>false, \"verify_ssl\"=>false}","exception":"Error Reply Code: 406\nError Reply Text: PRECONDITION_FAILED - parameters for queue 'rawlogs' in vhost '/' not equivalent","backtrace":["file:/home/jon1984/Applications/logstash_conf/logstash-1.1.0-monolithic.jar!/gems/bunny-0.7.8/lib/bunny/client08.rb:78:in `check_response'","file:/home/jon1984/Applications/logstash_conf/logstash-1.1.0-monolithic.jar!/gems/bunny-0.7.8/lib/bunny/queue08.rb:46:in `initialize'","file:/home/jon1984/Applications/logstash_conf/logstash-1.1.0-monolithic.jar!/gems/bunny-0.7.8/lib/bunny/client08.rb:294:in `queue'","file:/home/jon1984/Applications/logstash_conf/logstash-1.1.0-monolithic.jar!/logstash/inputs/amqp.rb:118:in `run'","file:/home/jon1984/Applications/logstash_conf/logstash-1.1.0-monolithic.jar!/logstash/agent.rb:631:in `run_input'","file:/home/jon1984/Applications/logstash_conf/logstash-1.1.0-monolithic.jar!/logstash/agent.rb:322:in `start_input'"],"message":"Input thread exception","level":"warn"}
E, [2012-02-19T22:33:23.569000 #5987] ERROR – : Restarting input due to exception {"timestamp":"2012-02-19T22:33:23.561000 -0800","plugin":"LogStash::Inputs::Amqp: {\"type\"=>\"apache-access\", \"host\"=>\"172.17.112.98\", \"exchange\"=>\"fanout\", \"name\"=>\"rawlogs\", \"debug\"=>false, \"add_field\"=>{}, \"port\"=>5672, \"user\"=>\"guest\", \"password\"=><password>, \"key\"=>\"logstash\", \"vhost\"=>\"/\", \"passive\"=>false, \"durable\"=>false, \"auto_delete\"=>true, \"exclusive\"=>true, \"prefetch_count\"=>1, \"ack\"=>true, \"ssl\"=>false, \"verify_ssl\"=>false}","message":"Restarting input due to exception","level":"error"}

My config file is as such:
input {
    amqp {
        # ship logs to the 'rawlogs' fanout queue.
        # type => "all"
        type => "apache-access"
        host => "172.17.112.98"
        exchange => "fanout"
        name => "rawlogs"
    }
    #amqp {
        # ship logs to the 'rawlogs' fanout queue.
        # type => "all"
        #type => "apache-access"
        # host => "10.19.200.181"
        # port => "5672"
        # exchange_type => "fanout"
        # name => "rawlogs"
    #}
}

filter {
    grok {
        type => "syslog" # for logs of type "syslog"
        pattern => "%{SYSLOGLINE}"
        # You can specify multiple 'pattern' lines
    }

    grok {
        type => "apache-access" # for logs of type 'apache-access'
        pattern => "%{COMBINEDAPACHELOG}"
    }

    date {
        type => "syslog"
        # The 'timestamp' and 'timestamp8601' names are for fields in the
        # logstash event. The 'SYSLOGLINE' grok pattern above includes a field
        # named 'timestamp' that is set to the normal syslog timestamp if it
        # exists in the event.
        timestamp => "MMM d HH:mm:ss" # syslog 'day' value can be space-leading
        timestamp => "MMM dd HH:mm:ss"
        timestamp8601 => ISO8601 # Some syslogs use ISO8601 time format
    }

    date {
        type => "apache-access"
        timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
    }
}

output {
    stdout { }

    # If your elasticsearch server is discoverable with multicast, use this:
    # elasticsearch { }

    # If you can't discover using multicast, set the address explicitly
    elasticsearch {
        host => "172.17.112.98"
        port => "9300"
        cluster => "elasticsearch"
    }
    #elasticsearch { embedded => true }
}

Somehow there is something wrong with the format of the date that is causing some error. I have followed the instructions found in http://logstash.net/docs/1.1.0/tutorials/getting-started-centralized in regards to the date format, so could anybody help me out to see what exactly is wrong?

Thanks so much!

Jonathan

Assignee

Logstash Developers

Reporter

Jonathan Moo

Labels

None