Error while connecting Logstash to Elasticsearch: Attempted to resurrect connection to dead ES instance, but got an error

logstash | [2023-01-27T11:56:05,943][INFO ][logstash.javapipeline ][.monitoring-logstash] Pipeline started {"pipeline.id"=>".monitoring-logstash"}
logstash | [2023-01-27T11:56:05,956][INFO ][logstash.agent ] Pipelines running {:count=>2, :running_pipelines=>[:main, :".monitoring-logstash"], :non_running_pipelines=>}
logstash | [2023-01-27T11:56:06,191][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

logstash | [2023-01-27T12:09:23,612][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://127.0.0.1:9200/", :error_type=>LogStash::Outputs::Elasticsearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'http://127.0.0.1:9200/'"}

Hello and welcome to the community,

Please describe your issue; just pasting the log error does not give any context about your issue.

"Got response code '401' contacting Elasticsearch at URL 'http://127.0.0.1:9200/'"

The error is pretty clear: you have an authorization issue. Check your username and password. Also, remove the / at the end of the host; not sure if this can lead to some issue, but you do not need it at the end.

I haven't defined 127.0.0.1:9200 anywhere in the logstash.yaml and config file.
Also, in the logs I am able to see that Logstash is able to make the connection with the IP of the host (100.2.X.X:9200). But after that, somehow this 127.0.0.1 is getting added to the pool and then it tries to make the connection with it, which I am not able to figure out.
NOTE: I am getting this issue after I added basic authentication in ELK. I verified that I am giving the correct credentials in Logstash, and I also verified them manually; you can see it is able to authenticate with the actual IP of the host.

It sounds like you have legacy xpack monitoring enabled. You have two pipelines -- main (your pipeline) and monitoring-logstash. I believe that is xpack. See here. The default address to which monitoring information is sent is localhost. So if you require authorisation then that will also require authorisation.

Could you please elaborate? What do you mean by "if you require authorisation then that will also require authorisation"?
Do you mean I need to add 127.0.0.1 to the hosts list in the yaml and conf file?
Thanks in advance

I am saying that if you have added "basic authentication in ELK" then you need to configure a username and password for xpack. See the fourth item in the documentation I linked to.

That I have already added in both the yaml and conf file. Also, I can see Logstash is able to authenticate with the IP of the host machine, but after that it tries to connect with 127.0.0.1 and then the above error is thrown.

Issue resolved by adding the elastic username and password in the conf file.

Elastic username and password worked
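
A small triage script for the situation in this thread, added here as an example and not posted by any participant: it reads Logstash log lines in the format shown in the first post and reports which pipeline and which URL produced the 401, and whether that URL is one you configured. The sample log, the host `http://es-host.example:9200` (standing in for the masked 100.2.X.X address) and all function and variable names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the log lines in the first post.
SAMPLE_LOG = """\
logstash | [2023-01-27T11:56:05,943][INFO ][logstash.javapipeline ][.monitoring-logstash] Pipeline started {"pipeline.id"=>".monitoring-logstash"}
logstash | [2023-01-27T11:56:06,191][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
logstash | [2023-01-27T12:09:23,612][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://127.0.0.1:9200/", :error=>"Got response code '401' contacting Elasticsearch at URL 'http://127.0.0.1:9200/'"}
logstash | [2023-01-27T12:09:28,640][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://127.0.0.1:9200/", :error=>"Got response code '401' contacting Elasticsearch at URL 'http://127.0.0.1:9200/'"}
"""

# Optional "container | " prefix, then [timestamp][LEVEL][logger][pipeline] message.
HEADER = re.compile(
    r"^(?:\S+\s+\|\s+)?\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]"
    r"\[(?P<logger>[^\]]+?)\s*\](?:\[(?P<pipeline>[^\]]+)\])?\s*(?P<msg>.*)$"
)
FAILURE = re.compile(r"Got response code '(\d{3})' contacting Elasticsearch at URL '([^']+)'")


def auth_failures(log_text, configured_hosts):
    """Group 401/403 responses by (pipeline, url) and flag URLs you never configured."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if not head:
            continue
        fail = FAILURE.search(head["msg"])
        if not fail or fail[1] not in ("401", "403"):
            continue
        url = fail[2].rstrip("/")  # compare without the trailing slash
        counts[(head["pipeline"] or "(no pipeline)", url, int(fail[1]))] += 1
    known = {h.rstrip("/") for h in configured_hosts}
    return [
        {"pipeline": p, "url": u, "status": s, "count": n, "configured": u in known}
        for (p, u, s), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    # Assumption: the only host you set explicitly (placeholder value).
    for row in auth_failures(SAMPLE_LOG, ["http://es-host.example:9200"]):
        note = "" if row["configured"] else "  <- not in your configured hosts"
        print(f'{row["status"]} x{row["count"]} pipeline={row["pipeline"]} url={row["url"]}{note}')
```

A row with `configured` false points at a component that is using an address you did not set, so that is the place to look for missing hosts and credentials.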
