Connecting logstash to remote elasticsearch running on https with no port specified

Yahia-M · April 23, 2023, 6:07pm

Hello ,
i am running Elasticsearch on a website called Cloud IDE gitpod. Once i start the docker image on the gitpod,

docker-compose up --build

Elasticsearch will start successfully i get a full https public url to access the service. No PORT will be given in the end:

[type or paste code here](https://9200-xxxx.gitpod.io/)

It fails with Attempted to resurrect connection to dead ES instance, but got an error {:url=>"https://9200-xxxx.gitpod.io:9200/", :exception=>LogStash::Outputs::Elasticsearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [https://9200-xxxx.gitpod.io:9200/][Manticore::ConnectTimeout]

Not sure why logstash is looking for https://9200-xxxx.gitpod.io:9200

 [INFO ][logstash.runner          ] Log4j configuration path used is: /usr/share/logstash/config/log4j2.properties
 [INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.7.0", "jruby.version"=>"jruby 9.3.10.0 (2.6.8) 2023-02-01 107b2e6697 OpenJDK 64-Bit Server VM 17.0.6+10 on 17.0.6+10 +indy +jit [x86_64-linux]"}
 [INFO ][logstash.runner          ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Dls.cgroup.cpuacct.path.override=/, -Dls.cgroup.cpu.path.override=/, -Xmx256m, -Xms256m, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
 [WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
 [WARN ][logstash.monitoringextension.pipelineregisterhook] xpack.monitoring.enabled has not been defined, but found elasticsearch configuration. Please explicitly set `xpack.monitoring.enabled: true` in logstash.yml
 [WARN ][deprecation.logstash.monitoringextension.pipelineregisterhook] Internal collectors option for Logstash monitoring is deprecated and targeted for removal in the next major version.
 Please configure Metricbeat to monitor Logstash. Documentation can be found at: 
 https://www.elastic.co/guide/en/logstash/current/monitoring-with-metricbeat.html
 [INFO ][logstash.licensechecker.licensereader] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://elasticsearch:9200/]}}
 [WARN ][logstash.licensechecker.licensereader] Restored connection to ES instance {:url=>"http://elasticsearch:9200/"}
 [INFO ][logstash.licensechecker.licensereader] Elasticsearch version determined (8.7.0) {:es_version=>8}
 [WARN ][logstash.licensechecker.licensereader] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>8}
 [INFO ][logstash.monitoring.internalpipelinesource] Monitoring License OK
 [INFO ][logstash.monitoring.internalpipelinesource] Validated license for monitoring. Enabling monitoring pipeline.
 [INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
 [ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [^\\r\\n], \"\\r\", \"\\n\" at line 19, column 4 (byte 338) after # }", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:239:in `initialize'", "org/logstash/execution/AbstractPipelineExt.java:173:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:48:in `initialize'", "org/jruby/RubyClass.java:911:in `new'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:50:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:386:in `block in converge_state'"]}
 [INFO ][org.reflections.Reflections] Reflections took 90 ms to scan 1 urls, producing 132 keys and 462 values
 [INFO ][logstash.javapipeline    ] Pipeline `.monitoring-logstash` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
 [INFO ][logstash.outputs.elasticsearchmonitoring][.monitoring-logstash] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearchMonitoring", :hosts=>["http://elasticsearch:9200"]}
 [INFO ][logstash.outputs.elasticsearchmonitoring][.monitoring-logstash] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://elasticsearch:9200/]}}
 [WARN ][logstash.outputs.elasticsearchmonitoring][.monitoring-logstash] Restored connection to ES instance {:url=>"http://elasticsearch:9200/"}
 [INFO ][logstash.outputs.elasticsearchmonitoring][.monitoring-logstash] Elasticsearch version determined (8.7.0) {:es_version=>8}
 [WARN ][logstash.outputs.elasticsearchmonitoring][.monitoring-logstash] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>8}
 [WARN ][logstash.outputs.elasticsearchmonitoring][.monitoring-logstash] Elasticsearch Output configured with `ecs_compatibility => v8`, which resolved to an UNRELEASED preview of version 8.0.0 of the Elastic Common Schema. Once ECS v8 and an updated release of this plugin are publicly available, you will need to update this plugin to resolve this warning.
 [WARN ][logstash.javapipeline    ][.monitoring-logstash] 'pipeline.ordered' is enabled and is likely less efficient, consider disabling if preserving event order is not necessary
 [INFO ][logstash.javapipeline    ][.monitoring-logstash] Starting pipeline {:pipeline_id=>".monitoring-logstash", "pipeline.workers"=>1, "pipeline.batch.size"=>2, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>2, "pipeline.sources"=>["monitoring pipeline"], :thread=>"#<Thread:0x4a5a1332@/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
 [INFO ][logstash.javapipeline    ][.monitoring-logstash] Pipeline Java execution initialization time {"seconds"=>0.39}
 [INFO ][logstash.javapipeline    ][.monitoring-logstash] Pipeline started {"pipeline.id"=>".monitoring-logstash"}
 [INFO ][logstash.javapipeline    ][.monitoring-logstash] Pipeline terminated {"pipeline.id"=>".monitoring-logstash"}
 [INFO ][logstash.pipelinesregistry] Removed pipeline from registry successfully {:pipeline_id=>:".monitoring-logstash"}
 [INFO ][logstash.runner          ] Logstash shut down.

when Elasticsearch is running.

https://9200-xxxx.gitpod.io:9200 does not resolve on gitpod. As we cannot use ports . It gives directly https url internally port forward will be done.

Badger · April 23, 2023, 6:24pm

OK, so you are running logstash with the -f option to tell it where to find the pipeline configuration. There is a syntax error in that configuration. What does the configuration look like?

Yahia-M · April 23, 2023, 6:41pm

@Badger that 's my docker-compose file

services:
  Elasticsearch:
    image: elasticsearch:8.7.0
    container_name: elasticsearch
    restart: always
    volumes:
    - elastic_data:/usr/share/elasticsearch/data/
    environment:
      XPACK_MONITORING_ENABLED: false
      xpack.security.enabled: false
      ES_JAVA_OPTS: "-Xmx256m -Xms256m"
      discovery.type: single-node
      network.host: "0.0.0.0" 
    ports:
    - '9200:9200'
    - '9300:9300'
    networks:
      - elk

  Logstash:
    image: logstash:8.7.0
    container_name: logstash
    restart: always
    volumes:
    - ./logstash/:/logstash_dir
    - ./input:/input
    - ./output:/output
    command: logstash -f /logstash_dir/logstash.conf 
    depends_on:
      - Elasticsearch

    ports:
    - '9600:9600'
    environment:
      LS_JAVA_OPTS: "-Xmx256m -Xms256m"
    networks:
      - elk

my pipeline conf is :

input {
  file {
    path => "/input/inlog.log"
  }
}

# output {
#  file {
#    path => "/output/message.txt"
#    codec => line { format => "custom format: %{message}"}
#  }
# }

output {
   elasticsearch {
    hosts => ["https://9200-xxxx.gitpod.io:9200/"]
    index => "my-index-%{+YYYY.MM.dd}"
    ecs_compatibility => disabled
  }
}

Badger · April 23, 2023, 7:12pm

That doesn't make sense. The error message says line 19 is '# }', but that's not true of that configuration.

psramkumar · April 25, 2023, 3:31pm

when you use https use port as 443
eg. https://9200-xxxx.gitpod.io:443/

system · May 23, 2023, 3:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.