ELK Stack upgraded, and logstash is not sending data to elasticsearch

bsmitty111 · May 2, 2016, 7:42pm

Hello,

I am very new to ELK, and inherited this environment. this is not rolled out to production.

I have the following servers:
logstash index server version 2.3
logstash shipping server version 2.3
elasticserach cluster (3 servers 2 data 1 master) version 2.3.2
kibana web version 4.5

this was all working, until i upgraded all to the latest version.
now the logs never seem to get to elastic search, all of the services are running,

I am unclear as to where to begin troubleshooting this.

Any help would be greatly appreciated.

Thank you!

warkolm · May 2, 2016, 10:37pm

Have you looked at the logs for each of the applications to make sure everything is ok?

bsmitty111 · May 3, 2016, 11:18am

warkolm,
thank you for the reply
I am not sure where the logs are for all of the services,
but I have checked the following.

I have checked the logfile for the logstash shipping and I see an error

{:timestamp=>"2016-05-02T15:36:06.941000-0400", :message=>"Error parsing json", :source=>"message", :raw=>"{"EventTime":"2016-05-02 15:35:57\

it looks like the logstash indexer has new events,

May 03 07:09:56 SERVER logstash[18215]: =>"system", "UserID"=>"SYSTEM", "AccountType"=>"User", "Opcode"=>"Info", "optionCode"=>"34", "optionName"=>"WSMAN_OPTION_USE_INTEARACTIVE_TOKEN", "optionValue"=>"0", "tags"=>["_grokparsefailure"], "FileName"=>nil, "source_host"=>"SERVER.mydomain", "eventlog_severity"=>"info", "eventlog_severity_code"=>2,

bsmitty111 · May 3, 2016, 1:13pm

I have restarted the logstash service on my index node, and I have an error in the log of

:message=>"Failed action. ", :status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2016.05.03",

bsmitty111 · May 3, 2016, 2:33pm

nevermind I got this all fixed bu rebooting all of the servers .