Breaking up ELK stack to individual machines

tinle · December 26, 2015, 4:09pm

I understand the frustration. I've gone through it with the ELK stack The early documentation leaves much to be desired (I started with v0.19 Elasticsearch and don't remember what version of logstash at that time).

So, did using 0.0.0.0 work? If vSphere is similar to other VM software, then how is its network stack and DNS configured? Is it configured to use NAT or bridge?

AFAIK, when a VM is config to use NAT, then it plays funny games with routing and DNS resolution for the VM that it started. Since I have no experience with vSphere, this is about as far I can go with helping

jmillerparaport · December 28, 2015, 5:23pm

Woah! That seems to have maybe done the trick. I need to test more but its looking promising. Thanks a lot!

jmillerparaport · December 28, 2015, 6:36pm

Well, I can curl it externally at least...

Logstash is still having issue connecting it seems. Here are the logs:

{:timestamp=>"2015-12-28T10:32:04.858000-0800", :message=>"Failed to flush outgoing items", :outgoing_count=>1, :exception=>org.elasticsearch.cluster.block.ClusterBlockException: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];[SERVICE_UNAVAILABLE/2/no master];, :backtrace=>["org.elasticsearch.cluster.block.ClusterBlocks.globalBlockedException(org/elasticsearch/cluster/block/ClusterBlocks.java:151)", "org.elasticsearch.cluster.block.ClusterBlocks.globalBlockedRaiseException(org/elasticsearch/cluster/block/ClusterBlocks.java:141)", "org.elasticsearch.action.bulk.TransportBulkAction.executeBulk(org/elasticsearch/action/bulk/TransportBulkAction.java:215)", "org.elasticsearch.action.bulk.TransportBulkAction.access$000(org/elasticsearch/action/bulk/TransportBulkAction.java:67)", "org.elasticsearch.action.bulk.TransportBulkAction$1.onFailure(org/elasticsearch/action/bulk/TransportBulkAction.java:153)", "org.elasticsearch.action.support.TransportAction$ThreadedActionListener$2.run(org/elasticsearch/action/support/TransportAction.java:137)", "java.util.concurrent.ThreadPoolExecutor.runWorker(java/util/concurrent/ThreadPoolExecutor.java:1145)", "java.util.concurrent.ThreadPoolExecutor$Worker.run(java/util/concurrent/ThreadPoolExecutor.java:615)", "java.lang.Thread.run(java/lang/Thread.java:745)"], :level=>:warn}
    {:timestamp=>"2015-12-28T10:33:05.863000-0800", :message=>"Got error to send bulk of actions: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];[SERVICE_UNAVAILABLE/2/no master];", :level=>:error}

tinle · December 29, 2015, 12:20am

Woot! One step forward

Where is logstash running? On same VM or external to VM? What version? Are you using HTTP or transport protocol?

jmillerparaport · December 29, 2015, 5:02pm

So after a bit of research yesterday I found the "protocol" setting for the output and set that to "http" as opposed to it defaulting to "node" I believe. That seems to have cleared the Logstash issues up. Now on to Kibana! Thanks again!