logstash can no longer write to elasticsearch

Hello,
I'm new to this platform and I need your help with my ELK stack.
Logstash has not been able to write to Elasticsearch for a while.
Below is my logstash/conf.d flow management configuration:
```
input {
  tcp {
    port => 5144
    type => syslog
  }
  udp {
    port => 5144
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
    }
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  if [type] == "syslog" {
    elasticsearch {
      hosts => ["172.22.20.190:9200", "172.22.20.191:9200"]
      index => "netapp-%{+YYYY.MM.dd}"
    }
    stdout { codec => rubydebug }
  }
}
```
However, when I restart Logstash, I get the errors below in the logstash-plain.log file:
```
[2023-09-04T13:14:39,798][WARN ][logstash.outputs.elasticsearch][main] Restored connection to ES instance {:url=>"http://172.22.20.190:9200/"}
[2023-09-04T13:14:39,808][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch version determined (7.17.4) {:es_version=>7}
[2023-09-04T13:14:39,810][WARN ][logstash.outputs.elasticsearch][main] Detected a 6.x and above cluster: the type event field won't be used to determine the document _type {:es_version=>7}
[2023-09-04T13:14:39,860][WARN ][logstash.outputs.elasticsearch][main] Restored connection to ES instance {:url=>"http://172.22.20.191:9200/"}
[2023-09-04T13:14:39,958][INFO ][logstash.outputs.elasticsearch][main] Config is not compliant with data streams. data_stream => auto resolved to false
[2023-09-04T13:14:40,009][INFO ][logstash.outputs.elasticsearch][main] Using a default mapping template {:es_version=>7, :ecs_compatibility=>:disabled}
```
And I have another file (logstash-deprecation.log) with the error below:
```
[2023-09-04T13:14:41,503][WARN ][deprecation.logstash.codecs.plain][main][941e8458b1648478d146bdf3375031ae2f2d2499b916047d2511464488cb2041] Relying on default value of pipeline.ecs_compatibility, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
```

Please can you help me to understand and solve the problem?
THANKS.
Best regards.

Hi @TaF,

Welcome to the community! Which version of Logstash are you using? It looks like you are using Elasticsearch 7.17.4.

Are there any errors in the log on the Elasticsearch side?

Hello,
Thank you for your help. Indeed, it is this version of Logstash that I use.
In the log file (elastic_deprecation.log) I have this:

```
[2023-07-09T11:08:45,735][CRITICAL][o.e.d.r.a.d.RestIndexAction] [mcq-elk51.cgi.credit-cgi.fr] [] [types removal] Specifying types in document index requests is deprecated, use the typeless endpoints instead (/{index}/_doc/{id}, /{index}/_doc, or /{index}/_create/{id}).
[2023-07-25T12:21:24,011][CRITICAL][o.e.d.r.a.a.i.RestCloseIndexAction] [mcq-elk51.cgi.credit-cgi.fr] [] the default value for the ?wait_for_active_shards parameter will change from '0' to 'index-setting' in version 8; specify '?wait_for_active_shards=index-setting' to adopt the future default behaviour, or '?wait_for_active_shards=0' to preserve today's behaviour
```

thanks
