Elasticsearch Cluster not reachable by Logstash

vilas · July 27, 2015, 10:45pm

Hi,

I am using cluster name in logstash elasticsearch output plugin.
But it is failing to send data to the cluster. Nevertheless, I could reach the server when I specify the hostname.

I would like to know if I have to change something for cluster name to work.

Thanks.

warkolm · July 27, 2015, 11:10pm

It helps if you paste your config.

vilas · July 28, 2015, 4:08pm

Hi @warkolm ,
My config:

output {
        elasticsearch {
                #host => "abc.xyz.com"
                cluster => "elasticsearch.prod"
                protocol => "http"
                index => "logstash-%{+YYYY.MM.dd}"
        }
}

The code works only when I uncomment host line.

warkolm · July 28, 2015, 9:41pm

That's expected, how else will it know where it needs to connect to?

vilas · July 28, 2015, 9:43pm

I thought it would resolve the host names based on the cluster name and connect any one of them.
Isn't it the way?

warkolm · July 28, 2015, 9:45pm

Only with multicast protocols - node or transport.

vilas · July 28, 2015, 9:46pm

Okay. Logstash and Elasticsearch combination work any differently if I change to these protocols?
I see that http is generally recommended.

warkolm · July 28, 2015, 9:51pm

No, it'll all work.

vilas · July 28, 2015, 10:02pm

I tried reading about the protocols. But not sure I understand when should I use which protocol?

warkolm · July 28, 2015, 10:07pm

https://www.elastic.co/guide/en/elasticsearch/guide/current/_transport_client_versus_node_client.html may help.

But I find it's easier to just stick with HTTP

vilas · July 28, 2015, 11:12pm

@warkolm
But with HTTP, I am unable to use only cluster name.

Also, I observed one thing though, when I have both cluster name and hostname then even if the elasticsearch host goes down, the logstash still is alive. Can you explain that?

warkolm · July 28, 2015, 11:18pm

If you use HTTP you need to specify the host only, clustername is irrelevant.

If you don't specify any protocol then it uses node by default, and all you need there is the clustername.

vilas · July 28, 2015, 11:22pm

As I understand from the link you shared above, node protocol works when the application is running from one of the Elasticsearch nodes only.

My concern is about a remote server trying to send data to ES using logstash. And don't want to hardcode the hostname, as we might need to bounce it now and then. And Logstash should use other servers in the cluster in that time. Can I do this?

warkolm · July 28, 2015, 11:24pm

Put an ES client node on the LS host, then point LS to localhost is a good idea.

vilas · July 28, 2015, 11:27pm

Yeah I thought through this. I don't want anything other than a shipping agent/logstash to work on that remote host. I don't want to maintain ES on the remote.

warkolm · July 28, 2015, 11:28pm

Specify an array of nodes in the host setting.
Or use a DNS cname that points to multiple end points.

No matter what you chose there is overhead, you cannot get around that

vilas · July 28, 2015, 11:29pm

I can use that I guess and live with the overhead

vilas · July 28, 2015, 11:34pm

I checked that host setting is a string in Logstash 1.4 and array in 1.5.