Logstash 2.2.0 > elasticsearch output connectivity issue

I have filebeat, logstash 2.2.0, ES 2.1.0 working in dev.

Strange connectivity issue when moving to prod:

  • ES cluster behind an elb (aws vpc), no TLS
  • "curl prod-elb-xxx:9200"
    works from my logstash box (in datacenter), returns "cluster_name" etc
    I can do curl -XPUT a new doc, as well
  • On logstash startup, it can't connect to ES & pipeline stalls
  • Since curl works, I can't imagine any other issue with acl or securityGroups
  • config & error log below.

Any clues appreciated!

output config
output {

    elasticsearch {
        hosts => ["prod-elb-xxx:9200"]
        sniffing => true
        manage_template => false
        index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
        document_type => "%{[@metadata][type]}"
    }
}

Error in log
{:timestamp=>"2016-02-10T16:02:56.814000-0500", :message=>"Attempted to send a bulk request to Elasticsearch configured at '["http://prod-elb-xxx:9200/"]', but an error occurred and it failed! Are you sure you can reach elasticsearch from this machine using the configuration provided?", :client_config=>{:hosts=>["http://prod-elb-xxx:9200/"], :ssl=>nil, :transport_options=>{:socket_timeout=>0, :request_timeout=>0, :proxy=>nil, :ssl=>{}}, :transport_class=>Elasticsearch::Transport::Transport::HTTP::Manticore, :logger=>nil, :tracer=>nil, :reload_connections=>false, :retry_on_failure=>false, :reload_on_failure=>false, :randomize_hosts=>false}, :error_message=>"connect timed out", :error_class=>"Manticore::ConnectTimeout", :backtrace=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/manticore-0.5.2-java/lib/manticore/response.rb:37:in `initialize'", "org/jruby/RubyProc.java:281:in `call'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/manticore-0.5.2-java/lib/manticore/response.rb:79:in `call'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/manticore-0.5.2-java/lib/manticore/response.rb:256:in ..... java/lib/logstash/pipeline.rb:206:in `worker_loop'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.0-java/lib/logstash/pipeline.rb:175:in `start_workers'"], :level=>:error}

{:timestamp=>"2016-02-10T16:02:56.820000-0500", :message=>"connect timed out", :class=>"Manticore::ConnectTimeout", :backtrace=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/manticore-0.5.2-java/lib/manticore/response.rb:37:in `initialize'", "org/jruby/RubyProc.java:281:in `call'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/manticore-0.5.2-java/lib/manticore/response.rb:79:in `call'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/manticore-0.5.2-java/lib/manticore/response.rb:256:in `call_once'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/manticore-0.5.2-java/lib/manticore/response.rb:153:in `code'", ...  "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.4.1-java/lib/logstash/outputs/elasticsearch/common.rb:84:in `retrying_submit'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.4.1-java/lib/logstash/outputs/elasticsearch/common.rb:28:in `multi_receive'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.0-java/lib/logstash/output_delegator.rb:119:in `worker_multi_receive'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.0-java/lib/logstash/output_delegator.rb:65:in `multi_receive'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.0-java/lib/logstash/pipeline.rb:275:in `output_batch'", "org/jruby/RubyHash.java:1342:in `each'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.0-java/lib/logstash/pipeline.rb:275:in `output_batch'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.0-java/lib/logstash/pipeline.rb:206:in `worker_loop'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.0-java/lib/logstash/pipeline.rb:175:in `start_workers'"], :level=>:warn}

Similar issue here with LogStash 2.2.0, against admittedly older ElasticSearch 1.7.1 - but behind an AWS ELB, with telnet/curl working fine to ElasticSearch (and no issues seen like this with Logstash 1.5.2 or 1.5.4 for months):

{:timestamp=>"2016-02-11T08:04:03.580000+0000", :message=>"elasticsearch-logsink.u_xxxxx_.com:9200 failed to respond", :class=>"Manticore::ClientProtocolException", :backtrace=>["/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/manticore-0.5.2-java/lib/manticore/response.rb:37:in `initialize'", "org/jruby/RubyProc.java:281:in `call'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/manticore-0.5.2-java/lib/manticore/response.rb:79:in `call'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/manticore-0.5.2-java/lib/manticore/response.rb:256:in `call_once'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/manticore-0.5.2-java/lib/manticore/response.rb:153:in `code'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-1.0.15/lib/elasticsearch/transport/transport/http/manticore.rb:71:in `perform_request'", "org/jruby/RubyProc.java:281:in `call'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-1.0.15/lib/elasticsearch/transport/transport/base.rb:201:in `perform_request'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-1.0.15/lib/elasticsearch/transport/transport/http/manticore.rb:54:in `perform_request'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-1.0.15/lib/elasticsearch/transport/client.rb:125:in `perform_request'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/elasticsearch-api-1.0.15/lib/elasticsearch/api/actions/bulk.rb:87:in `bulk'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.4.1-java/lib/logstash/outputs/elasticsearch/http_client.rb:53:in `non_threadsafe_bulk'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.4.1-java/lib/logstash/outputs/elasticsearch/http_client.rb:38:in `bulk'", "org/jruby/ext/thread/Mutex.java:149:in `synchronize'",
"/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.4.1-java/lib/logstash/outputs/elasticsearch/http_client.rb:38:in `bulk'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.4.1-java/lib/logstash/outputs/elasticsearch/common.rb:160:in `safe_bulk'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.4.1-java/lib/logstash/outputs/elasticsearch/common.rb:99:in `submit'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.4.1-java/lib/logstash/outputs/elasticsearch/common.rb:84:in `retrying_submit'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.4.1-java/lib/logstash/outputs/elasticsearch/common.rb:28:in `multi_receive'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.0-java/lib/logstash/output_delegator.rb:119:in `worker_multi_receive'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.0-java/lib/logstash/output_delegator.rb:118:in `worker_multi_receive'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.0-java/lib/logstash/output_delegator.rb:65:in `multi_receive'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.0-java/lib/logstash/pipeline.rb:275:in `output_batch'", "org/jruby/RubyHash.java:1342:in `each'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.0-java/lib/logstash/pipeline.rb:275:in `output_batch'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.0-java/lib/logstash/pipeline.rb:206:in `worker_loop'", "/usr/local/NTR/logstash-2.2.0/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.0-java/lib/logstash/pipeline.rb:175:in `start_workers'"], :level=>:warn}

This is running in a Docker 1.8 container, and after this message, the container exits (exit code 137).

Also, if I use filebeat's elasticsearch output directly, skipping logstash, to the same url for elasticsearch server, it is working. I am ruling out network issue.

If you are accessing Elasticsearch through a load balancer, you will not be able to connect directly to the nodes, so sniffing should not be enabled.

That's it. Thanks a bunch. Wish error in log implied that.
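
The load-balancer answer above, as an added example that is not part of the thread: with sniffing on, the client asks the cluster for its nodes' own HTTP addresses and connects to those, so curl to the ELB succeeds while the node addresses time out. The sketch lists the addresses a `GET /_nodes/http` response advertises and reports which ones this host cannot open; the sample response, the two `http_address` formats and all function names are assumptions.

```python
import json
import re
import socket

# Constructed sample of a GET /_nodes/http response (not from the thread).
# Assumed shapes: ES 1.x reports "inet[/ip:port]", ES 2.x reports "ip:port".
SAMPLE_NODES = json.dumps({
    "cluster_name": "prod",
    "nodes": {
        "nodeA": {"name": "es-1", "http_address": "10.0.1.11:9200"},
        "nodeB": {"name": "es-2", "http_address": "inet[/10.0.1.12:9200]"},
        "nodeC": {"name": "es-3"},  # HTTP disabled on this node
    },
})

# Optional "inet[" wrapper, optional "hostname/" prefix, then host:port (IPv4/name).
_ADDR = re.compile(r"(?:inet\[)?(?:[^/\]]*/)?([^\[\]/]+):(\d+)\]?$")


def advertised_http_addresses(nodes_body):
    """Return sorted (host, port) pairs a sniffing client would switch to."""
    found = set()
    for node in json.loads(nodes_body).get("nodes", {}).values():
        match = _ADDR.match(node.get("http_address", ""))
        if match:
            found.add((match.group(1), int(match.group(2))))
    return sorted(found)


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP connection to host:port opens within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def unreachable_nodes(nodes_body, probe=tcp_probe):
    """Advertised node addresses this machine cannot connect to."""
    return [hp for hp in advertised_http_addresses(nodes_body) if not probe(*hp)]


if __name__ == "__main__":
    # Without a live cluster, simulate a host that can only reach the ELB.
    print(unreachable_nodes(SAMPLE_NODES, probe=lambda host, port: False))
```

Against a live cluster, pass the body fetched from the load balancer's `/_nodes/http` endpoint; any address it returns means `sniffing => true` will fail from that host.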