Withoutdocker ( the original poster is / was using docker )
$ dpkg -l logstash | grep ^ii
ii logstash 1:7.5.2-1 all An extensible logging pipeline
$ dpkg -l elasticsearch | grep ^ii
ii elasticsearch 7.5.2 amd64 Distributed RESTful search engine built for the cloud
$ dpkg -l kibana | grep ^ii
ii kibana 7.5.2 amd64 Explore and visualize your Elasticsearch data
and at client side
$ dpkg -l journalbeat | grep ^ii
ii journalbeat 7.5.2 amd64 Journalbeat ships systemd journal entries to Elasticsearch or Logstash.
Okay thanks.
I had the stack running on docker perfectly fine with the version 7.5.1.
This specific error started to appear when I switched to 7.5.2.
I had changed nothing to the configuration of anything from the stack.
I suggest you try rolling back to 7.5.1 and see what happens.
Changed journalbeat side. Sharing that modification and my thoughts about it here.
Your review is appreciated.
commit 8add1b95454f19ca87eda22849a36054e01d39d6
Author: Geert Stappers <stappers@hendrikx-itc.nl>
Date: Fri Feb 7 11:46:33 2020 +0100
Patience to journalbeat
Set time-out of journalbeat to 90*60 seconds.
At logstash side is "client idle time-out" set to 75*60 seconds.
Those seventy-five minutes idle-time-out are one hour plus a quarter.
The hour is based on that clients talk at least once a hour to logstash.
(the extra quarters are indeed a fat margin)
What the effect of the 90*60, 5400, seconds patience is
when there is no logstash server is UNKNOWN.
This change prevents (suppresses?)
ERROR logstash/async.go:256 Failed to publish events caused by: read tcp journalbeatclient:43108->logstashserver:5044: i/o timeout
ERROR logstash/async.go:256 Failed to publish events caused by: client is not connected
ERROR pipeline/output.go:121 Failed to publish events: client is not connected
as detected (triggered?) by the journalbeat client.
Why this time-out setting is needed after several month with a need,
is UNKNOWN.
diff --git a/salt/srv/salt/core/etc/journalbeat/journalbeat.yml b/salt/srv/salt/core/etc/journalbeat/journalbeat.yml
index 5164f0d0..19eb5f3e 100644
--- a/salt/srv/salt/core/etc/journalbeat/journalbeat.yml
+++ b/salt/srv/salt/core/etc/journalbeat/journalbeat.yml
@@ -127,6 +127,9 @@ setup.kibana:
output.logstash:
# The Logstash hosts
hosts: ["minerva-logserver:5044"]
+ # and have patience with those hosts
+ timeout: 5400 # seconds
+ # (see also the commit message from 2020-02-07)
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
I actually found increasing timeouts in logstash and filebeat did not fix it for me - after spending a few days on this, I have found this is due to a bug in the Beats input of Logstash: https://github.com/elastic/logstash/issues/11540
I resolved it by upgrading my ELK stack to 7.6.0 but you can just upgrade the plugin in Logstash if required by following the command in the above git issue.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.