We used to let Logstash open indices if needed; this is no longer needed due to automatic pre-creation of all the needed indices.
We have now removed Logstash's permission to create indices; this worked for a while.
Sometimes we get old logs / logs with an old @timestamp field, which Logstash tries to create a new index for.
The amount of 403 Forbidden responses and their retries eventually takes Logstash down.
I couldn't find any solution for this situation. Is there a way to stop retrying if I'm getting a 403 from Elastic?
The only solution I found requires parsing the timestamp and dropping events that are older than a certain number of days.
If someone has a better solution for this, it would be great.
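
The age-based drop mentioned in the post, sketched as an added Ruby example (not the poster's code and not part of Logstash). The 7-day window, the 1-day skew allowance and the `logs-` daily index naming are assumptions, and the sample events are constructed.

```ruby
require 'time'
require 'date'

MAX_AGE_DAYS    = 7        # assumption: daily indices are pre-created 7 days back
MAX_FUTURE_DAYS = 1        # assumption: allow one day of clock skew
INDEX_PREFIX    = 'logs-'  # hypothetical daily index naming

# Decide what to do with one event based on its @timestamp.
# Returns [:index, index_name] when the target daily index is inside the
# pre-created window, otherwise [:drop, reason] so no index creation is attempted.
def route_event(timestamp, now: Time.now.utc)
  ts = begin
    Time.iso8601(timestamp.to_s).utc
  rescue ArgumentError
    return [:drop, 'unparsable @timestamp']
  end
  # Compare calendar days in UTC (assumed: daily indices are cut per UTC day).
  age_days = (now.utc.to_date - ts.to_date).to_i
  return [:drop, "#{age_days} days old"] if age_days > MAX_AGE_DAYS
  return [:drop, 'timestamp in the future'] if age_days < -MAX_FUTURE_DAYS
  [:index, INDEX_PREFIX + ts.strftime('%Y.%m.%d')]
end

# Split a batch into events to send and events to drop, keeping the reason
# so drops can be counted or logged instead of vanishing silently.
def partition_events(events, now: Time.now.utc)
  kept, dropped = [], []
  events.each do |ev|
    action, detail = route_event(ev['@timestamp'], now: now)
    if action == :index
      kept << ev.merge('target_index' => detail)
    else
      dropped << ev.merge('drop_reason' => detail)
    end
  end
  [kept, dropped]
end

# Constructed sample events, not taken from the post.
SAMPLE_NOW = Time.utc(2024, 5, 10, 12, 0, 0)
SAMPLE_EVENTS = [
  { '@timestamp' => '2024-05-10T11:59:00Z', 'message' => 'fresh' },
  { '@timestamp' => '2024-05-03T00:00:01Z', 'message' => 'edge of window' },
  { '@timestamp' => '2024-03-01T08:00:00+02:00', 'message' => 'replayed old log' },
  { '@timestamp' => 'not-a-date', 'message' => 'broken shipper' }
].freeze

kept, dropped = partition_events(SAMPLE_EVENTS, now: SAMPLE_NOW)
puts "kept=#{kept.size} dropped=#{dropped.size}"
```

Inside a Logstash `ruby` filter, the `:drop` branch corresponds to calling `event.cancel`.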