Logstash and frozen index

Elastic Stack Logstash
1

Hi,
Last week, I froze old indexes (over a month). Everything worked and elasticsearch was faster. But since monday we have this error in loop in Logstash:

[2020-11-24T15:29:42,146][INFO ][logstash.outputs.elasticsearch][beat][b3794bbce4619b8fac89bacc6a147632a21dd948445953c7961c6c4986ea2a65] retrying failed action with response code: 403 ({"type"=>"cluster_block_exception", "reason"=>"index [filebeat-redis-2020.34] blocked by: [FORBIDDEN/8/index write (api)];"})

There are no new logs. I understand that logstash is trying to create a new index since the index pattern is weekly, but I don't understand why it is trying to modify the old indexes.

Of course, I fix this by unfreezing the indexes. But I don't understand why. Is the freeze indexes a good practices? Is there a way to use logstash and frozen indexes?

edit: I use elasticsearch, logstash and kibana in version 7.9.2

Thanks

2

Welcome to our community! :smiley:

Are you using weekly indices?
It could be that Logstash thinks it has an event from that week that it needs to index it.

3

Yes, we use weekly indices. When does logstash decide to log to an old index?

4

I'm doing more testing and I'm pretty sure it's not old logs in old indexes.

5

What does your Logstash config look like?

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.