Logstash -> Elastic Timeouts

6igwig · August 23, 2022, 1:57pm

I have 2 logstash nodes with about 30 different pipelines sending data to a 6 node elastic cluster. For about half of my pipelines I am seeing a ton of errors like this in the /var/log/logstash/pipeline_mypipeline.log files:

[WARN ][logstash.outputs.elasticsearch] Marking url as dead. Last error: [LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError] Elasticsearch Unreachable: [https://node1.mynetwork.com:9200/_bulk][Manticore::SocketTimeout] Read timed out and [ERROR][logstash.outputs.elasticsearch] Attempted to send a bulk request but Elasticsearch appears to be unreachable or down {:message=>"Elasticsearch Unreachable: [https://node1.mynetwork.com:9200/_bulk][Manticore::SocketTimeout] Read timed out"

My data is ingesting fine. I suppose once a node times out then logstash moves on to another one, but I would like to handle these messages. Some are labeled as "WARN" and others are "ERROR". I see the elasticsearch output has a timeout parameter. Bumping that up to 2 minutes instead of 1 might do the trick but that seems more like avoiding the problem instead of handling it.

I have a monitoring cluster set up. My cluster health is green, every node has plenty of free space, cpu is around 20%... For the logstash nodes their CPU is low (5%), JVM heap averages around 6.1GB out of 7.9GB.

What should I look at to address timeout warnings / errors like these?

cheshirecat · August 23, 2022, 2:31pm

Hello,
Could you please paste your elastic output from logstash conf file?

6igwig · August 23, 2022, 4:52pm

output {
    elasticsearch {
        hosts => ["https://node1.mynetwork.com:9200", "https://node2.mynetwork.com:9200", ...]
        manage_template => false
        index => "%{[@metadata][target_index]}"
        pipeline => "xdr-all"
        user => "${xdr_user}"
        password => "${xdr_password}"
        document_id => "%{log.fingerprint}"
        ssl => true
        cacert => '/etc/certificates/logstash/my-cert.pem'
        data_stream => "false"
    }
}

sudhagar_ramesh · August 25, 2022, 4:01am

Hello @6igwig

The log clearly shows that the below host is unreachable, could you check whether the node is up or not?

https://node1.mynetwork.com:9200

6igwig · August 25, 2022, 4:00pm

The node is up

cheshirecat · August 26, 2022, 7:17am

Maybe node is up but how about FW?

system · September 23, 2022, 7:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Getting error in logstash Logstash	4	216	June 27, 2023
Logstash.outputs.elasticsearch Marking url as dead. connection issue. AWS EBS datastore Logstash	9	2810	July 31, 2019
[WARN ][logstash.outputs.elasticsearch][main] Marking url as dead Logstash	3	2540	January 3, 2021
Attempted to send a bulk request to elasticsearch' but Elasticsearch appears to be unreachable or down! Elasticsearch	2	1861	December 8, 2017
Elasticsearch - Attempted to send a bulk request to elasticsearch' but Elasticsearch appears to be unreachable or down! Logstash	1	822	February 10, 2022

Logstash -> Elastic Timeouts

Related Topics