Input Threat Exception

Description

Somehow after getting Logstash to run and connect with my Elastic Search instance, this warning/error keeps popping up:

jon1984@ubuntu:~/Applications/logstash_conf$ java -jar logstash-1.1.0-monolithic.jar agent -f agent-server.conf
I, [2012-02-19T22:33:21.493000 #5987] INFO – : Using beta plugin 'amqp'. For more information about plugin statuses, see http://logstash.net/docs/1.1.0/plugin-status {"timestamp":"2012-02-19T22:33:21.473000 -0800","message":"Using beta plugin 'amqp'. For more information about plugin statuses, see http://logstash.net/docs/1.1.0/plugin-status ","level":"info"}
W, [2012-02-19T22:33:23.560000 #5987] WARN – : Input thread exception {"timestamp":"2012-02-19T22:33:23.556000 -0800","plugin":"LogStash::Inputs::Amqp: {\"type\"=>\"apache-access\", \"host\"=>\"172.17.112.98\", \"exchange\"=>\"fanout\", \"name\"=>\"rawlogs\", \"debug\"=>false, \"add_field\"=>{}, \"port\"=>5672, \"user\"=>\"guest\", \"password\"=><password>, \"key\"=>\"logstash\", \"vhost\"=>\"/\", \"passive\"=>false, \"durable\"=>false, \"auto_delete\"=>true, \"exclusive\"=>true, \"prefetch_count\"=>1, \"ack\"=>true, \"ssl\"=>false, \"verify_ssl\"=>false}","exception":"Error Reply Code: 406\nError Reply Text: PRECONDITION_FAILED - parameters for queue 'rawlogs' in vhost '/' not equivalent","backtrace":["file:/home/jon1984/Applications/logstash_conf/logstash-1.1.0-monolithic.jar!/gems/bunny-0.7.8/lib/bunny/client08.rb:78:in `check_response'","file:/home/jon1984/Applications/logstash_conf/logstash-1.1.0-monolithic.jar!/gems/bunny-0.7.8/lib/bunny/queue08.rb:46:in `initialize'","file:/home/jon1984/Applications/logstash_conf/logstash-1.1.0-monolithic.jar!/gems/bunny-0.7.8/lib/bunny/client08.rb:294:in `queue'","file:/home/jon1984/Applications/logstash_conf/logstash-1.1.0-monolithic.jar!/logstash/inputs/amqp.rb:118:in `run'","file:/home/jon1984/Applications/logstash_conf/logstash-1.1.0-monolithic.jar!/logstash/agent.rb:631:in `run_input'","file:/home/jon1984/Applications/logstash_conf/logstash-1.1.0-monolithic.jar!/logstash/agent.rb:322:in `start_input'"],"message":"Input thread exception","level":"warn"}
E, [2012-02-19T22:33:23.569000 #5987] ERROR – : Restarting input due to exception {"timestamp":"2012-02-19T22:33:23.561000 -0800","plugin":"LogStash::Inputs::Amqp: {\"type\"=>\"apache-access\", \"host\"=>\"172.17.112.98\", \"exchange\"=>\"fanout\", \"name\"=>\"rawlogs\", \"debug\"=>false, \"add_field\"=>{}, \"port\"=>5672, \"user\"=>\"guest\", \"password\"=><password>, \"key\"=>\"logstash\", \"vhost\"=>\"/\", \"passive\"=>false, \"durable\"=>false, \"auto_delete\"=>true, \"exclusive\"=>true, \"prefetch_count\"=>1, \"ack\"=>true, \"ssl\"=>false, \"verify_ssl\"=>false}","message":"Restarting input due to exception","level":"error"}

My config file is as such:
input {
amqp {

  1. ship logs to the 'rawlogs' fanout queue.

  2. type => "all"
    type => "apache-access"
    host => "172.17.112.98"
    exchange => "fanout"
    name => "rawlogs"
    }
    #amqp {

  3. ship logs to the 'rawlogs' fanout queue.

  4. type => "all"
    #type => "apache-access"

  5. host => "10.19.200.181"

  6. port => "5672"

  7. exchange_type => "fanout"

  8. name => "rawlogs"
    #}
    }

filter {
grok {
type => "syslog" # for logs of type "syslog"
pattern => "%{SYSLOGLINE}"

  1. You can specify multiple 'pattern' lines
    }

grok {
type => "apache-access" # for logs of type 'apache-access'
pattern => "%{COMBINEDAPACHELOG}"
}
date {
type => "syslog"

  1. The 'timestamp' and 'timestamp8601' names are for fields in the

  2. logstash event. The 'SYSLOGLINE' grok pattern above includes a field

  3. named 'timestamp' that is set to the normal syslog timestamp if it

  4. exists in the event.
    timestamp => "MMM d HH:mm:ss" # syslog 'day' value can be space-leading
    timestamp => "MMM dd HH:mm:ss"
    timestamp8601 => ISO8601 # Some syslogs use ISO8601 time format
    }

date {
type => "apache-access"
timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
}
}

output {
stdout { }

  1. If your elasticsearch server is discoverable with multicast, use this:

  2. elasticsearch { }

  1. If you can't discover using multicast, set the address explicitly
    elasticsearch {
    host => "172.17.112.98"
    port => "9300"
    cluster => "elasticsearch"
    }
    #elasticsearch { embedded => true }
    }

Somehow there is something wrong with the format of the date that is causing some error. I have followed the instructions found in http://logstash.net/docs/1.1.0/tutorials/getting-started-centralized in regards to the date format, so any body could help me out to see what exactly is wrong?

Thanks so much!

Jonathan

Activity

Show:
Jordan Sissel
February 20, 2012, 6:49 AM

The specific error is coming from your AMQP broker:

Error Reply Code: 406\nError Reply Text: PRECONDITION_FAILED - parameters for queue 'rawlogs' in vhost '/' not equivalent

This means that your broker has a configuration for the 'rawlogs' queue that is different than the one you are trying to use with logstash.

If you really don't know what this means, just use a different queue name or tell your broker to delete the queue and let logstash recreate it.

Jonathan Moo
February 20, 2012, 7:30 AM

Ok thanks Jordan! That solved my problem immensely.

Regards,
Jonathan

Philippe Weber
June 22, 2012, 2:37 PM

CanBeClosed
Jordan answered it

Assignee

Logstash Developers

Reporter

Jonathan Moo

Labels

None
Configure