How Do You Troubleshoot the Logstash (or Elastic Stack) Error “logging.log4j.core.appender.RollingFileAppender”?

Problem scenario
You try to start Logstash but you get this error: "main ERROR Could not create plugin of type class org.apache.logging.log4j.core.appender.RollingFileAppender for element RollingFile: "

What should you do?

Solution
Do one of the two options below.

#1  Solution (rather simple, for a one-time fix)
Do not start the process with the root or some other regular user.  Start the Logstash service with a user dedicated for Elastic Stack.  There should be a user that is dedicated for Elastic Search and Logstash.  Become that user:

sudo su -
su elasticuser

(Replace "elasticuser" with the user dedicated for Elastic Stack.)

Now start the logstash service.

#2  Solution (more complex, for a permanent solution)
1.  You may want to create a logstash.service file in /etc/systemd/system/.  Here is a template of the file; replace esu with the Elastic Stack user; replace esg with the Elastic Stack group; replace "/opt/logstash/config/" with the path to the startup.options file; and replace other options as needed:

[Unit]
Description=logstash

[Service]
Type=simple
User=esu
Group=esg

EnvironmentFile=/opt/logstash/config/startup.options
ExecStart=/opt/logstash "-f" "/opt/logstash/config/logstash-simple.conf"
Restart=always
WorkingDirectory=/
Nice=19
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

2.  You will need to run this command after you create it (or reboot the server): sudo systemctl daemon-reload

3.  Now you can run this command: sudo systemctl start logstash

Starting Logstash this way will always start with the user context of the dedicated ElasticStack user.

Leave a comment

Your email address will not be published. Required fields are marked *