I'm starting to transition from some old Elasticsearch servers (running v1.6) to a new cluster (running 5.4.1). As part of doing so, I've configured my existing Logstash servers (running logstash 1.5) to send logs to both old and new clusters using the http protocol. This is mostly working just fine with one exception - most of the logs have times like "2017-07-04T20:47:39,251+0000" in the raw log and index into both new and old ES clusters just fine. But some logs have times like "2017-07-04 20:51:43,214" in the raw log - missing the "+0000". These logs index into the OLD cluster just fine, but fail to get into the NEW cluster. The error log message saying that they've failed to get ingested gets ingested just fine - they look like :
{:timestamp=>"2017-07-04T21:04:36.927000+0000", :message=>"failed action with response of 400, dropping action: ["index", {:_id=>nil, :_index=>"test-2017.07.04", :_type=>"XXXXXXXX", :_routing=>nil}, #<LogStash::Event:0x78f67e77 @metadata_accessors=#<LogStash::Util::Accessors:0x1f94b385 @store={"retry_count"=>0}, @lut={}>, @cancelled=false, @data={"message"=>"2017-07-04 20:56:12,683 - XXXXXXXXXXXXXX", "@version"=>"1", "@timestamp"=>"2017-07-04T20:56:12.683Z", "file"=>"/var/log/XXXXXXXX.log", "host"=>"XXXXXXXX", "offset"=>"56170", "type"=>"XXXXXXXX", "time"=>"2017-07-04 20:56:12,683", "loglevel"=>"INFO", "msg"=>"XXXXXXXX", "facility"=>"XXXXXXXX", "received_at"=>"2017-07-04T20:56:14.473Z", "tags"=>["mutated", "date_changed"]}, @metadata={"retry_count"=>0}, @accessors=#<LogStash::Util::Accessors:0x2c51d543 @store={"message"=>"XXXXXXXX", "@version"=>"1", "@timestamp"=>"2017-07-04T20:56:12.683Z", "file"=>"/XXXXXXXX", "host"=>"XXXXXXXX", "offset"=>"56170", "type"=>"XXXXXXXX", "time"=>"2017-07-04 20:56:12,683", "loglevel"=>"INFO", ....
Any ideas what the problem might be? I can't easily change the format of these log messages.