Logstash of 8.15.2 is not connecting with elasticsearch of 8.15.2

Hi, I am facing an issue with integration of Logstash 8.15.2 with Elasticsearch 8.15.2.
Logstash is failing to connect to Elasticsearch. The logs show the following errors:

EDITED By MOD. Please Format your Code in the future using 3 ``` before and after your code

```
[2024-10-17T13:24:43,507][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://elasticsearch:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://elasticsearch:9200/][Manticore::SocketException] Connect to elasticsearch:9200 [elasticsearch/172.20.0.2] failed: Connection refused"}
[2024-10-17T13:24:48,561][WARN ][logstash.outputs.elasticsearch][main] Health check failed {:code=>401, :url=>http://elasticsearch:9200/, :message=>"Got response code '401' contacting Elasticsearch at URL 'http://elasticsearch:9200/'"}
```

Even though the correct username and password were set in the logstash.yml file, these values are being replaced by placeholders upon restarting the container:

```
xpack.monitoring.elasticsearch.password: ${xpack.monitoring.elasticsearch.password}
xpack.monitoring.elasticsearch.username: ${xpack.monitoring.elasticsearch.username}
```

My docker-compose file is below:

```
version: '3'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.15.2
    container_name: elasticsearch
    hostname: elasticsearch
    environment:
      - xpack.security.enabled=true
      - discovery.type=single-node
      - ES_JAVA_OPTS=-Xms1g -Xmx1g
      - ELASTIC_PASSWORD=qwerty
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - elastic_data:/usr/share/elasticsearch/data/
    ports:
      - 9200:9200
    networks:
      - elk-network
  logstash:
    image: docker.elastic.co/logstash/logstash:8.15.2
    container_name: logstash
    hostname: logstash
    environment:
      - xpack.monitoring.elasticsearch.username=elastic
      - xpack.monitoring.elasticsearch.password=qwerty
    volumes:
      - ./logstash/logstash.conf:/usr/share/logstash/pipeline/logstash.conf
      - ./logstash/logstash.yml:/usr/share/logstash/config/logstash.yml
    command: logstash -f /usr/share/logstash/pipeline/logstash.conf
    depends_on:
      - elasticsearch
    ports:
      - '9600:9600'
      - '4560:4560'
    environment:
      - LS_JAVA_OPTS=-Xms1g -Xmx1g
      - xpack.monitoring.elasticsearch.username=elastic
      - xpack.monitoring.elasticsearch.password=qwerty
    networks:
      - elk-network
  kibana:
    container_name: kibana
    image: docker.elastic.co/kibana/kibana:8.15.2
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
      - ELASTICSEARCH_USERNAME=kibana_system          # Username for Kibana to connect to Elasticsearch
      - ELASTICSEARCH_PASSWORD=qwerty
    ports:
      - 5601:5601
    depends_on:
      - elasticsearch
    networks:
      - elk-network
volumes:
  elastic_data: {}
networks:
   elk-network:
```

My logstash.conf file is below:

```
input {
  tcp {
    port => 4560
    codec => json
  }
}
filter {
  date {
    match => [ "timeMillis", "UNIX_MS" ]
  }
  json {
    source => "message"
    target => "response"
  }
}
output {
  elasticsearch {
    hosts => [ "http://elasticsearch:9200" ]
    index => "%{[application_id]}-%{[environment]}-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "qwerty"
  }
}
```

My logstash.yml is below:

```
http.host: 0.0.0.0
xpack.monitoring.elasticsearch.hosts:
  - http://elasticsearch:9200
xpack.monitoring.elasticsearch.password: qwerty
xpack.monitoring.elasticsearch.username: elastic
```

Could someone assist with this? It would be greatly appreciated.

  1. Could you check whether the ES container is reachable using curl?
  2. Also, I think ES is running securely (on HTTPS). You've specified HTTP.
  3. Do you see any error in the Elasticsearch log?

Was the same setup working before upgrading?

Hi,
Yes, it was working with version 7.17.9, and there is no error in Elasticsearch.

Elastic 8.X enabled HTTPS / TLS by default on the HTTP endpoint and the transport endpoint. It also set up authentication.

So your Logstash will not connect over HTTP (only HTTPS).

You can set SSL `ssl_verification_mode`.

Or you can get the CA and configure the setting.

If you do not want HTTPS

If you want NO security, then your compose should look something like this:

```
---
# version: '2.26.0'
services:
  elasticsearch:
    container_name: es01
    image: docker.elastic.co/elasticsearch/elasticsearch:${TAG}
    # 8.x
    environment: ['ES_JAVA_OPTS=-Xms8g -Xmx8g','bootstrap.memory_lock=true','discovery.type=single-node','xpack.security.enabled=false', 'xpack.security.enrollment.enabled=false']
    ports:
      - 9200:9200
    networks:
      - elastic
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    deploy:
      resources:
          limits:
            cpus: '2.0'
          reservations:
            cpus: '1.0'

  kibana:
    image: docker.elastic.co/kibana/kibana:${TAG}
    container_name: kib01
    environment:
      XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY: d1a66dfd-c4d3-4a0a-8290-2abcb83ab3aa
      # LOGGING_ROOT_LEVEL: debug
    ports:
      - 5601:5601
    networks:
      - elastic
    deploy:
      resources:
          limits:
            cpus: '2.0'
          reservations:
            cpus: '1.0'

networks:
  elastic:
```

If you want security you should look at this... you should read these docs either way
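
The two options named in the reply above (setting `ssl_verification_mode`, or obtaining the CA and configuring it), applied to the `elasticsearch` output from the question. This is an added example, not part of the original thread; the CA path `/usr/share/logstash/config/certs/http_ca.crt` and the `ES_PASSWORD` environment variable are assumptions.

```conf
output {
  elasticsearch {
    # HTTPS endpoint instead of the http:// URL used in the question.
    hosts => [ "https://elasticsearch:9200" ]
    index => "%{[application_id]}-%{[environment]}-%{+YYYY.MM.dd}"
    user => "elastic"
    # Assumed variable: resolved from the container environment or the
    # Logstash keystore, so the password is not stored in the pipeline file.
    password => "${ES_PASSWORD}"

    ssl_enabled => true

    # Option 1: trust the CA that signed the Elasticsearch HTTP certificate
    # and keep full verification (certificate chain and hostname).
    # Assumed path: the CA file must be mounted into the Logstash container.
    ssl_certificate_authorities => [ "/usr/share/logstash/config/certs/http_ca.crt" ]
    ssl_verification_mode => "full"

    # Option 2: no certificate validation. Traffic is encrypted, but the
    # server's identity is not checked, so keep this to throwaway test setups.
    # ssl_verification_mode => "none"
  }
}
```

With option 1, the hostname in `hosts` has to match a name in the Elasticsearch certificate, otherwise full verification rejects the connection.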