Problem scenario
You try to start Logstash but you get this error: "main ERROR Could not create plugin of type class org.apache.logging.log4j.core.appender.RollingFileAppender for element RollingFile: "
What should you do?
Solution
Do one of the two options below.
#1 Solution (rather simple, for a one-time fix)
Do not start the process with the root or some other regular user. Start the Logstash service with a user dedicated for Elastic Stack. There should be a user that is dedicated for Elastic Search and Logstash. Become that user:
sudo su -
su elasticuser
(Replace "elasticuser" with the user dedicated for Elastic Stack.)
Now start the logstash service.
#2 Solution (more complex, for a permanent solution)
1. You may want to create a logstash.service file in /etc/systemd/system/. Here is a template of the file; replace esu with the Elastic Stack user; replace esg with the Elastic Stack group; replace "/opt/logstash/config/" with the path to the startup.options file; and replace other options as needed:
[Unit]
Description=logstash
[Service]
Type=simple
User=esu
Group=esg
EnvironmentFile=/opt/logstash/config/startup.options
ExecStart=/opt/logstash "-f" "/opt/logstash/config/logstash-simple.conf"
Restart=always
WorkingDirectory=/
Nice=19
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
2. You will need to run this command after you create it (or reboot the server): sudo systemctl daemon-reload
3. Now you can run this command: sudo systemctl start logstash
Starting Logstash this way will always start with the user context of the dedicated ElasticStack user.