Hey Guys
I'm currently running into an issue where i see the following messages in logstash:
Marking url as dead. Last error: [LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError] Elasticsearch Unreachable: [https://logstash_writer:xxxxxx@xxx:9200/][Manticore::SocketTimeout] Read timed out {:url=>https://logstash_writer:xxxxxx@xxx:9200/, :error_message=>"Elasticsearch Unreachable: [https://logstash_writer:xxxxxx@xxx:9200/][Manticore::SocketTimeout] Read timed out", :error_class=>"LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError"}
I've figured out that those messages are caused by an idle timeout on our firewall which is set to 1 hour. If found the following settings in the documentation:
https://www.elastic.co/guide/en/elasticsearch/reference/7.10/modules-http.html
http.tcp.keep_idle: Defaults to network.tcp.keep_idle , which uses the system default. This value cannot exceed 300 seconds. (Couldn't find it in the 7.8 reference that our cluster is running)
And I'm not sure if it is the right setting for me (can't just change the setting as it the production cluster) Default on my Linux system is 7200 seconds
# cat /proc/sys/net/ipv4/tcp_keepalive_time 7200
Does this mean that although the default value on my system is 7200, thath http.tcp.keep_idle will be only 300?
Best regards
Mike