Error Connecting Logstash to Found Elasticsearch

ScottLawrenceLawson · July 9, 2015, 6:21am

I am a total newbie to ELK stack and am following along with this tutorial (https://www.found.no/foundation/analyzing-weblogs-with-elasticsearch/) on my Win7 Laptop. I installed all bits and got LS working with the basic examples and now am trying to connect to my Found ES instance. I made the example .conf file and when I run this command "$ bin/logstash agent --verbose -f found.conf" at the end I get the error: "message=>"Failed to install template: connect timed out", :level=>:error".

Do I need to install a template and if so what do I do there? Thanks, apologies for the basic questions but could not find info about it.

Christian_Dahlqvist · July 9, 2015, 11:06am

What does your found.conf file look like?

ScottLawrenceLawson · July 9, 2015, 2:24pm

Here is is below. I got this from the "how to" article. I obscured the host name while posting here. The article did not specify exactly what part of the hostname to put in, I tired several combinations of the name with the "..aws.found.io" with and without it. Seemed to make no difference. Thanks!

===========================

input { stdin{} }

output {
elasticsearch {
protocol => http
host => a6793c . . . facd8e7
port => 9243 # Check the port also
ssl => true
}

stdout { codec => rubydebug }
}

warkolm · July 10, 2015, 2:11am

It's probably because your host value doesn't look right.

ScottLawrenceLawson · July 10, 2015, 4:16am

I am sure that is the reason, but I cannot find any reference to tell me how the .conf file should be formatted. Can you help me find that? I know ES in Found is new . . .

I have tried:

https:/ /a6793--OBSCURED--cd8e7.us-east-1.aws.found.io:9243
Just the URI (no port)
Element separated into value pairs as shown in the tutorial
And many other combinations

Any help is deeply appreciated!

warkolm · July 10, 2015, 4:30am

You should have something like host => foundclusterid-awsregion.foundcluster.com, not host => a6793c . . . facd8e7.
Also, do you have ACLs setup>

This is how you format the config for that output - https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html

ScottLawrenceLawson · July 10, 2015, 4:54am

Hi. The " . . . " was simply to obscure my cluster ID. My full filename.conf file is this below:

input { stdin{} }

output {
  elasticsearch {
    protocol => http
    host => a6783cxxx.us-east-1.aws.found.io
    port => 9243
    ssl => true
}

stdout { codec => rubydebug }
}

But that does not work. I get this error:

Error: Expected one of #, {, } at line 6, column 45 (byte 112) after output {
  elasticsearch {
    protocol => http
    host => a6783cxxx

I do not have ACLs setup yet, as I am just trying to get this test working as simple as possible.

The URL you provide is nice, but it talks about how to format the conf file for locally installed ES, not the ES Found in the clous which requires a different port and format. I tried to just put the whole string for my Found cluster in the conf file and outside of a conf file (using the "-e" parameter, but that did not work either.

Any help is appreciated!! -Scott

warkolm · July 10, 2015, 4:58am

You need quotes around various things, check the docs that I linked to.

ScottLawrenceLawson · July 10, 2015, 5:13am

OK! Thanks, Mark, finally! The "Host =>" section needed the whole hostname and it needed quotes around it. I guess because of the dot separators (.) in the URL. I will comment to the author of the tutorial to make this explicit. Many thanks for the help!