Events are lost when elasticsearch output is temporary unavailable

Wolfram_Haussig · May 6, 2021, 8:23am

Hi,

Good to know that the suggestions work.

I think that the storage overhead in LogStash is to be expected:

Elasticsearch compresses data by default (see details here) while LogStash does not store the queue compressed (I think)
LogStash stores metadata from each input/output/filter in each event. This contains for example the source ip for beats input. You can view the metadata for example by writting all events including metadata to a file (see details here: How to access the value in the logstash metadata - #2 by Christian_Dahlqvist).

Best regards
Wolfram

Topic		Replies	Views
Beats & Logstash - What happens if logstash goes offline? Beats	3	381	May 27, 2020
Logstash pipelines reduces the number of events sent Logstash	2	536	April 27, 2022
Not all logs are being sent on ES, requests are timing out Elasticsearch	1	345	November 25, 2021
Metricbeat to logstash tcp i/o errors - 5.4.1 Beats metricbeat	9	1035	July 20, 2017
Delay between Logstash and ES? ELK 7.16.1 [ECK] Logstash	16	2250	March 14, 2022