[ERROR][logstash.pipeline] Error registering plugin when sending cloudwatch logs to my elastic cloud

rhader · July 1, 2019, 8:07pm

I am running logstash v6.8.1 on an aws ec2 linux 2 ami instance. I have installed logstash successfully.

I am using logstash to get logs from aws cloudwatch using this plugin https://github.com/lukewaite/logstash-input-cloudwatch-logs. I have installed the plugin successfully.

I am in /usr/share/logstash directory.

The command I use is sudo bin/logstash --path.settings /etc/logstash/ -f config/cloud_watch.conf

This is my cloud_watch.conf file

 input {
        cloudwatch_logs {
        log_group => [ "/my/log/group" ]
        region => "us-west-2"
        access_key_id => "access_key"
        secret_access_key => "secret_key"
        }
}
output {
        elasticsearch {
        hosts => "https://xxxxxxxx.us-west-1.aws.found.io:9243"
        user => "elastic"
        password => "my_password"
        }
    stdout { }
}

When I run this command I get this error message

Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2019-07-01T19:33:17,229][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-07-01T19:33:17,261][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.8.1"}
[2019-07-01T19:34:05,286][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2019-07-01T19:34:06,506][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://elastic:xxxxxx@41e8f9885e01498aaa03909926286fc9.us-west-1.aws.found.io:9243/]}}
[2019-07-01T19:34:07,754][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"https://elastic:xxxxxx@41e8f9885e01498aaa03909926286fc9.us-west-1.aws.found.io:9243/"}
[2019-07-01T19:34:08,126][ERROR][logstash.pipeline        ] Error registering plugin {:pipeline_id=>"main", :plugin=>"#<LogStash::OutputDelegator:0x6d3bd20a>", :error=>"Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')\n     
at [Source: (byte[])\"<!DOCTYPE html><html lang=\"en\"><head><meta charset=\"utf-8\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"><meta name=\"viewport\" content=\"width=device-width\"><title>Kibana</title><style>/* INTER UI FONT */\n/
* INTER UI FONT */\n/* INTER UI FONT */\n/* INTER UI FONT */\n@font-face {\n  font-family: 'Inter UI';\n  font-style:  normal;\n  font-weight: 100;\n  src: url(\"/ui/fonts/inter_ui/Inter-UI-Thin-BETA.woff2\") format(\"woff2\"),\n      url(\"/ui/fonts/inter_ui/Inter-UI-Thin-BETA.woff\") format\"[truncated 73333 bytes]; line: 1, column: 2]", :thread=>"#<Thread:0x66dd4fdf run>"}
[2019-07-01T19:34:08,136][ERROR][logstash.pipeline        ] Pipeline aborted due to error {:pipeline_id=>"main", :exception=>#<LogStash::Json::ParserError: Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
at [Source: (byte[])"<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta name="viewport" content="width=device-width"><title>Kibana</title><style>/* INTER UI FONT */
/* INTER UI FONT */
/* INTER UI FONT */
/* INTER UI FONT */
@font-face {
  font-family: 'Inter UI';
  font-style:  normal;
  font-weight: 100;
  src: url("/ui/fonts/inter_ui/Inter-UI-Thin-BETA.woff2")     format("woff2"),

The error message goes on for quite a few lines.

When I modify my cloudwatch.conf to this

input {
        cloudwatch_logs {
        log_group => [ "/my/log/group" ]
        region => "us-west-2"
        access_key_id => "access_key"
        secret_access_key => "secret_key"
        }
}
output {
    stdout { }
}

I can see new logs coming into my log stream in my cli console. I know the plugin is working properly. BUT when I attempt to send those logs to my elastic cloud I get the error mentioned above. I have no idea what is happening.

Christian_Dahlqvist · July 1, 2019, 8:14pm

It looks to me like you have specified the Kibana URL instead of the Elasticsearch one.

rhader · July 1, 2019, 8:16pm

I indeed have specified the kibana url. Am I not supposed to????

This is my elastic cloud url
https://cloud.elastic.co/region/us-west-1/deployment/14cd864e9d8e46f58feedb8e91da22b5

Am I supposed to use that???

When I plug that url into my cloud_watch.conf file I get this error message

[2019-07-01T20:24:11,209][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-07-01T20:24:11,241][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.8.1"}
[2019-07-01T20:24:58,522][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2019-07-01T20:24:59,667][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://elastic:xxxxxx@cloud.elastic.co:9200/region/us-west-1/deployment/14cd864e9d8e46f58feedb8e91da22b5]}}
[2019-07-01T20:25:10,294][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://elastic:xxxxxx@cloud.elastic.co:9200/region/us-west-1/deployment/14cd864e9d8e46f58feedb8e91da22b5", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://elastic:xxxxxx@cloud.elastic.co:9200/region/us-west-1/deployment/14cd864e9d8e46f58feedb8e91da22b5][Manticore::ConnectTimeout] connect timed out"}
[2019-07-01T20:25:10,366][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["https://cloud.elastic.co/region/us-west-1/deployment/14cd864e9d8e46f58feedb8e91da22b5"]}
[2019-07-01T20:25:11,396][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x49458a34 run>"}
[2019-07-01T20:25:11,561][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2019-07-01T20:25:12,495][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2019-07-01T20:25:25,375][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://elastic:xxxxxx@cloud.elastic.co:9200/region/us-west-1/deployment/14cd864e9d8e46f58feedb8e91da22b5", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://elastic:xxxxxx@cloud.elastic.co:9200/region/us-west-1/deployment/14cd864e9d8e46f58feedb8e91da22b5][Manticore::ConnectTimeout] connect timed out"}

Christian_Dahlqvist · July 1, 2019, 8:30pm

If you look under Elasticsearch in the deployment screen you will find a different url which you should use.

rhader · July 1, 2019, 8:42pm

Yes, that solved my issue!!! Thank you very much!

system · July 29, 2019, 8:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.