Important delay in the appearance of logs in Kibana

vdsm · March 3, 2017, 3:34pm

Hi everyone,
I see a problem about my ELK stack currently in pre-production, and I do not understand where it comes from ...
When I view the logs in Kibana, these are systematically between 25 and 40 minutes behind the T time. for exemple, when I am watching logs in Kibana at 16H, I seen logs happend 30 minutes ago.

I had no time lag during my tries that had not a lot of logs, unlike my server that stores a lot of logs
More (+/- 2 million per week) which makes me think that there is a bottleneck somewhere, especially since my VM on which my ELK runs is slightly undersized relative to the volume of data to be processed.

Nevertheless, I have big doubts about Logstash because I can get logs in live on Kibana when I restart the Logstash service.
However, the offset is recreated little by little up to 40 minutes max, and the most constraining is that all these logs that I did not see in live In Kibana are lost when restarting the LS service!

I saw that there were "queue" solutions like Redis, would the setting up of such a server between LS and elasticsearch could resolve my problem ? Knowing that the goal is to have live logs in Kibana ...

Is someone see what can be my problem ?
Thanks.

warkolm · March 5, 2017, 9:47pm

How are logs being sent to Logstash?

vdsm · March 5, 2017, 10:08pm

Logs are sent from à rsyslog server with udp protocol

warkolm · March 5, 2017, 11:41pm

Given it's UDP it's either a timezone difference, or a delay in rsyslog.

LS won't hold onto things for 30 minutes like this.

vdsm · March 6, 2017, 12:13am

I thinks about that, but the delay is not always the same, it can be from 20 to 35 minutes, and rsyslog is correctly setting for the timezone. But I m asking if LS use the same timezone than the host machine ?

warkolm · March 6, 2017, 12:19am

Yes it does.

vdsm · March 6, 2017, 8:47am

Well, I'm looking for issues in timezone settings, and effectively /etc/timezone give me wrong timezone. I changed it for the good one, now, Rsyslog and ELK server have the same timezone. I rebooting the server after that.
After all services started, logs arrived at time but after few minutes, delay is starting again gradually until about +/- 30 minutes ...

vdsm · March 9, 2017, 8:08am

Is anyone else got an idea ?
Thanks

system · April 6, 2017, 8:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Huge 4 minute delay after adding a document and it showing up in Kibana Kibana	2	1336	May 30, 2017
Staggered Logging in ELK Stack Elasticsearch	8	1154	July 5, 2017
Delay in receiving inputs Elasticsearch	3	742	July 5, 2017
Huge 4 minute delay between adding a document and it showing up in Kibana Elasticsearch	5	2328	May 30, 2017
Data and time in Kibana / ES Logstash	13	1003	October 20, 2018

Important delay in the appearance of logs in Kibana

Related topics