First test is default installation of logstash 5.6.2 on Amazon Linux via the RPM repo.
logstash.yml:

```
path.data: /var/lib/logstash
path.config: /etc/logstash/conf.d
path.logs: /var/log/logstash
```
**DLQ is set to whatever the default is? false?**

Config is what I posted above. Filebeat input, Elasticsearch output.
After about 10 minutes I start getting the sanitize error:

```
[2017-09-26T16:45:23,521][ERROR][logstash.outputs.elasticsearch] Encountered an unexpected error submitting a bulk request! Will retry. {:error_message=>"undefined method `sanitized' for "http://localhost:9200/_bulk":String", :class=>"NoMethodError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.0-java/lib/logstash/outputs/elasticsearch/common.rb:249:in `safe_bulk'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.0-java/lib/logstash/outputs/elasticsearch/common.rb:222:in `safe_bulk'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.0-java/lib/logstash/outputs/elasticsearch/common.rb:119:in `submit'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.0-java/lib/logstash/outputs/elasticsearch/common.rb:87:in `retrying_submit'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.0-java/lib/logstash/outputs/elasticsearch/common.rb:38:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator_strategies/shared.rb:13:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator.rb:49:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:436:in `output_batch'", "org/jruby/RubyHash.java:1342:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:435:in `output_batch'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:381:in `worker_loop'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:342:in `start_workers'"]}
```
Stopping logstash and updating all plugins to latest.

```
Updated logstash-input-dead_letter_queue 1.1.0 to 1.1.1
Updated logstash-input-elasticsearch 4.0.5 to 4.0.6
Updated logstash-input-http_poller 3.3.3 to 3.3.4
Updated logstash-output-elasticsearch 7.4.0 to 7.4.2
```
Starting logstash, after another ~10 mins or less I get:

```
[2017-09-26T16:57:17,652][ERROR][logstash.outputs.elasticsearch] Encountered a retryable error. Will Retry with exponential backoff {:code=>400, :url=>"http://localhost:9200/_bulk"}
[2017-09-26T16:57:22,364][ERROR][logstash.outputs.elasticsearch] Encountered a retryable error. Will Retry with exponential backoff {:code=>400, :url=>"http://localhost:9200/_bulk"}
```
Enabling DLQ and adding an output for it.

```
mkdir -p /opt/logstash/data/dead_letter_queue
```

Editing logstash.yml with DLQ:

```
dead_letter_queue.enable: true
path.dead_letter_queue: /opt/logstash/data/dead_letter_queue
```
Added the input and output as stated above. Started logstash:

```
[2017-09-26T17:09:43,309][INFO ][logstash.outputs.file ] Opening file {:path=>"/var/log/logstash/dlq-output"}
[2017-09-26T17:10:02,329][ERROR][logstash.outputs.elasticsearch] Encountered a retryable error. Will Retry with exponential backoff {:code=>400, :url=>"http://localhost:9200/_bulk"}
[2017-09-26T17:10:05,006][ERROR][logstash.outputs.elasticsearch] Encountered a retryable error. Will Retry with exponential backoff {:code=>400, :url=>"http://localhost:9200/_bulk"}
```
Checking /var/log/logstash/dlq-output I see some lines like:

```
{"request":["/api/v1/program_memberships/123456","/api/v1/program_memberships/123456"],"os_lib":"mobo","agent":["mobo/3.2.3 (iPhone; iOS 10.3.3; Scale/3.00)","\"mobo/3.2.3 (iPhone; iOS 10.3.3; Scale/3.00)\""],"role":"web","app_version":"3.2.3","auth":["-","-"],"ident":["-","-"],"os_minor":"3","os_major":"10","app_patch":"3","source":"/var/log/nginx/server.log","type":"server-nginx","@hostname":"server","log_type":"nginx","clientip":["1.2.3.4","1.2.3.4"],"@version":"1","timestamp":["26/Sep/2017:16:58:12 +0000","26/Sep/2017:16:58:12 +0000"],"product":"server","geoip":{"timezone":"America/New_York","ip":"1.2.3.4","latitude":35.1137,"continent_code":"NA","city_name":"Indian Trail","country_name":"United States","country_code2":"US","dma_code":517,"country_code3":"US","region_name":"North Carolina","location":{"lon":-80.6083,"lat":35.1137},"postal_code":"28079","region_code":"NC","longitude":-80.6083},"os":"iOS","verb":["GET","GET"],"team":"undef","message":"174.193.150.139 - - [26/Sep/2017:16:58:12 +0000] \"GET /api/v1/program_memberships/123456 HTTP/1.1\" 200 2846 \"-\" \"mobo/3.2.3 (iPhone; iOS 10.3.3; Scale/3.00)\"","app_major":"3","app_minor":"2","tags":["_geoip_lookup_failure","dlq"],"os_branch":"3","environment":"production","device_scale":"3.00","@timestamp":"2017-09-26T17:05:54.914Z","build":"","bytes":["2846","2846"],"name":"Mobile Safari UI/WKWebView","request_path":["/api/v1/program_memberships/123456","/api/v1/program_memberships/123456","/api/v1/program_memberships/123456"],"os_name":"iOS","httpversion":["1.1","1.1"],"device":"iPhone","status":["200","200"]}
```
Logstash is now giving the retryable error message over and over and no longer processing any new messages.