Logstash and frozen index

mcantin · November 25, 2020, 3:26am

Hi,
Last week, I froze old indexes (over a month). Everything worked and elasticsearch was faster. But since monday we have this error in loop in Logstash:

[2020-11-24T15:29:42,146][INFO ][logstash.outputs.elasticsearch][beat][b3794bbce4619b8fac89bacc6a147632a21dd948445953c7961c6c4986ea2a65] retrying failed action with response code: 403 ({"type"=>"cluster_block_exception", "reason"=>"index [filebeat-redis-2020.34] blocked by: [FORBIDDEN/8/index write (api)];"})

There are no new logs. I understand that logstash is trying to create a new index since the index pattern is weekly, but I don't understand why it is trying to modify the old indexes.

Of course, I fix this by unfreezing the indexes. But I don't understand why. Is the freeze indexes a good practices? Is there a way to use logstash and frozen indexes?

edit: I use elasticsearch, logstash and kibana in version 7.9.2

Thanks

warkolm · November 25, 2020, 5:20am

Welcome to our community!

Are you using weekly indices?
It could be that Logstash thinks it has an event from that week that it needs to index it.

mcantin · November 25, 2020, 2:57pm

Yes, we use weekly indices. When does logstash decide to log to an old index?

mcantin · November 26, 2020, 5:01pm

I'm doing more testing and I'm pretty sure it's not old logs in old indexes.

warkolm · November 30, 2020, 4:23am

What does your Logstash config look like?

system · December 28, 2020, 4:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash pipeline blocks every write if one index isn't available Logstash	1	228	July 6, 2020
Logstash error trying to index filebeat Logstash	2	311	December 10, 2020
Old logs? Logstash	7	2438	January 23, 2018
Clearing FORBIDDEN/8/index write (api) blocked bulk actions Logstash	1	1016	June 30, 2020
Logstash stops processing after forbidden index write Logstash	2	345	March 4, 2020

Logstash and frozen index

Related Topics