configuration filebeat #logstash:
# The Logstash hosts
hosts: ["10.0.0.45:5044","10.0.0.30:5044"]
# Number of workers per Logstash host.
worker: 2
# Optional load balance the events between the Logstash hosts
loadbalance: true
# Optional index name. The default index name depends on the each beat.
# For Packetbeat, the default is set to packetbeat, for Topbeat
# top topbeat and for Filebeat to filebeat.
#index: filebeat
# Optional TLS. By default is off.
#tls:
# List of root certificates for HTTPS server verifications
#certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for TLS client authentication
#certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#certificate_key: "/etc/pki/client/cert.key"
# Controls whether the client verifies server certificates and host name.
# If insecure is set to true, all server host names and certificates will be
# accepted. In this mode TLS based connections are susceptible to
# man-in-the-middle attacks. Use only for testing.
#insecure: true
# Configure cipher suites to be used for TLS connections
#cipher_suites: []
# Configure curve types for ECDHE based cipher suites
#curve_types: []
File as output
Configuration logstash #Input logstash
input {
file {
type => "syslog"
path => [ "/var/log/messages", "/var/log/*.log" ]
tags => [ "syslog" ]
}
tcp {
port => 514
type => syslog
tags => [ "syslog" ]
}
udp {
port => 514
type => syslog
tags => [ "syslog" ]
}
tcp {
port => 12530
type => syslog
tags => [ "netcat" ]
}
udp {
port => 12530
type => syslog
tags => [ "netcat" ]
}
snmptrap {
port => 162
type => 'snmptrap'
host => "0.0.0.0"
yamlmibdir => "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs/"
tags => [ "snmptrap" ]
}
redis {
key => phplogs
data_type => ['list']
}
beats {
port => 5044
tags => [ "filebeat" ]
}
}
Now I have much following error message ... {:timestamp=>"2016-01-13T14:40:31.047000+0100", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :level=>:warn}
what does it mean ? {:timestamp=>"2016-01-13T16:27:04.380000+0100", :message=>"Beats input: The circuit breaker has detected a slowdown or stall in the pipeline, the input is closing the current connection and rejecting new connection until the pipeline recover.", :exception=>LogStash::CircuitBreaker::HalfOpenBreaker, :level=>:warn}
it is one of the outputs, I have many more, it was an example
after a few minutes of operation I have the following message
{:timestamp=>"2016-01-13T16:35:53.392000+0100", :message=>"CircuitBreaker::rescuing exceptions", :name=>"Beats input", :exception=>LogStash::SizedQueueTimeout::TimeoutError, :level=>:warn}
{:timestamp=>"2016-01-13T16:35:53.394000+0100", :message=>"Beats input: The circuit breaker has detected a slowdown or stall in the pipeline, the input is closing the current connection and rejecting new connection until the pipeline recover.", :exception=>LogStash::CircuitBreaker::HalfOpenBreaker, :level=>:warn}
Well, as I said the error message indicates that at least one output is having trouble which slows down the whole Logstash pipeline. With the information at hand I have nothing more to add.
With all outputs being affected by only one small output I'm not sure if you can easily debug this from logstash. Maybe people in logstash sub-forum have a better solution.
You basically have to single out the connections slowing down logstash.
some debugging in logstash:
remove(comment out) all outputs and addnull output. If problem persists, filters are too slow (consider adding more filter workers?)
remove null output and enable first output. If problem persists, remove output and try another one
add outputs one after another until LS gets to slow. If LS gets to slow disable last one added and try another one.
Always check resource usage CPU/memory when adding more outputs. Maybe one output is too slow, or you've got too many outputs slowing down logstash in general.
If you've got too many outputs, try to disable/enable in groups first.
Once you singled-out one or two outputs check the target (e.g. mysql server) for possible optimizations.
Maybe you've got too many inputs too and try to process to many events overall in one logstash instance. Maybe your machine is not properly sized for your workload.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.