"Attempted to resurrect connection to dead ES instance, but got an error." Error, it worked before. What is wrong now?


Hello,

I know that the device hosting Logstash can ping the device hosting Kibana and Elasticsearch. I once parsed syslog with Logstash into Elasticsearch. Now I need to parse a JSON file (Suricata data), and now I get this error, as seen in the picture. The Logstash configuration file is as follows:

input {
  file {
    path => ["/home/tony2/Desktop/sample_data/eve.json"]
    codec => json
    type => "SuricataIDPS"
  }
}

filter {
  if [type] == "SuricataIDPS" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    ruby {
      code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
    }
  }

  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip"
      #database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
    # nested field reference syntax is [geoip][ip]; [geoip.ip] names a flat field
    # called "geoip.ip" that never exists, so the condition was always true
    if ![geoip][ip] {
      if [dest_ip] {
        geoip {
          source => "dest_ip"
          target => "geoip"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float" ]
        }
      }
    }
  }
}

output {
  elasticsearch {
    hosts => ["176.16.4.12:9200"]
  }
  # stdout is commented out in the original file (per the follow-up post); if enabled,
  # it is its own output plugin and must not sit inside the elasticsearch {} block
  #stdout { codec => rubydebug }
}

Did you verify that the ES instance is actually running? That you once used it to parse syslog does NOT imply that it is running now. And pinging does not imply that you can reach it on tcp port 9200 either.
And PLEASE don't post images. Copy the text and post it properly formatted.

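A concrete version of the check suggested above, added here as an editor's example rather than anything posted in the thread: ping proves only IP reachability, so this script tests the TCP connect to port 9200 and then asks the node for its root document and cluster health. The 176.16.4.12 address is the one in the posted output block (the curl test in the follow-up used 174.16.4.12, so make sure the address you probe is the one Logstash is configured with).

```python
"""Check that an Elasticsearch node is reachable the way Logstash needs it (added example)."""
import json
import socket
import urllib.error
import urllib.request


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def parse_es_root(body):
    """Pull node name, cluster name and version out of the GET / response."""
    doc = json.loads(body)
    return {
        "node": doc.get("name"),
        "cluster": doc.get("cluster_name"),
        "version": doc.get("version", {}).get("number"),
    }


def parse_cluster_health(body):
    """Return (status, number_of_nodes) from the GET /_cluster/health response."""
    doc = json.loads(body)
    return doc.get("status"), doc.get("number_of_nodes")


def check_es(host, port=9200, timeout=3.0):
    """Run the checks in order; a failed step leaves the later keys as None."""
    result = {"host": host, "port": port, "tcp": False, "root": None, "health": None}
    if not tcp_port_open(host, port, timeout):
        return result  # ICMP may work while 9200 is firewalled or ES is down
    result["tcp"] = True
    base = f"http://{host}:{port}"
    try:
        with urllib.request.urlopen(base + "/", timeout=timeout) as r:
            result["root"] = parse_es_root(r.read().decode())
        with urllib.request.urlopen(base + "/_cluster/health", timeout=timeout) as r:
            result["health"] = parse_cluster_health(r.read().decode())
    except (urllib.error.URLError, OSError, ValueError):
        pass  # port open but not answering as Elasticsearch HTTP (proxy, wrong service)
    return result


if __name__ == "__main__":
    print(json.dumps(check_es("176.16.4.12"), indent=2))  # address from the posted config
```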

Hello,

Thank you for your reply. Yes, I did run curl -XGET 174.16.4.12:9200 and it returned the correct output.

P.s. sorry for the picture.

And why do you have stdout as part of the elasticsearch output? Align and format the code. Did you place the } wrong?

The stdout has # in front of it in the original file... I guess I copy/pasted it wrong here. Nevertheless, it's not working. I don't have Suricata installed (yet); however, those logs are sample logs from a different device that actually has Suricata. Does that matter at all, though?
