Logstash/Filebeat is periodically hanging (unresponsive)

user2416 · February 4, 2021, 6:09am

Hi,

We are using filebeat as a deamonset on kubernetes nodes to collect all application logs and sending them to logstash and then to elasticsearch.
we observe that logs stops working/hangs periodically from some specific service which generates huge logs. Like either filebeat hangs on sending logs from some services to logstash or logstash hangs and stops receiving logs from some filebeat pods. It is hard to identify at which layer we are seeing issue as I dont see any suspicious errors in logstash even in debug mode. And I see below logs from filebeat.
To resolve this issue either we have to restart filebeat or logstash. I tried scaling logstash by doubling the number of logstash pods and also doubling memory and heap size but still seeing the same issue.
This is happening at-least once a day. Can someone please help me identify whats the issue

filebeat and logstash version - 7.9.3

2021-02-03T18:09:59.087Z	ERROR	[logstash]	logstash/async.go:280	Failed to publish events caused by: read tcp ip:50294->ip:5044: i/o timeout
2021-02-03T18:09:59.087Z	ERROR	[logstash]	logstash/async.go:280	Failed to publish events caused by: read tcp ip:50294->ip:5044: i/o timeout
2021-02-03T22:05:02.487Z	ERROR	[publisher_pipeline_output]	pipeline/output.go:154	Failed to connect to backoff(async(tcp://logstash-logstash:5044)): dial tcp ip:5044: i/o timeout
2021-02-03T22:05:03.713Z	ERROR	[publisher_pipeline_output]	pipeline/output.go:154	Failed to connect to backoff(async(tcp://logstash-logstash:5044)): dial tcp ip:5044: i/o timeout
20

user2416 · February 5, 2021, 7:09am

here are the debug logs I see on logstash, It seems pipeline is blocked or something but I don't see any issues regarding pipeline failure. But logstash hangs there and is not working until manually restarted

and we have 8 logstash pods running as a logstash service and out of 8 only 1 logstash pod is having this issue but not sure why some filebeat pods sticks to that logstash pod and keep waiting for it to ack instead of opening connection with another logstash pod.

Does filebeat open sticky sessions with logstash? why filebeat is waiting in infinite loop for logstash to ack?

to resolve this either I have to restart logstash pod or filebeat pod and this is happening almost everyday.

[2021-02-05T07:05:50,780][DEBUG][org.logstash.beats.ConnectionHandler][main] 884460aa: batches pending: true
[2021-02-05T07:05:53,405][DEBUG][org.logstash.beats.ConnectionHandler][main] 4f6b0df8: reader and writer are idle, closing remote connection
[2021-02-05T07:05:53,475][DEBUG][org.logstash.beats.ConnectionHandler][main] 17aaab9e: batches pending: true
[2021-02-05T07:05:54,110][DEBUG][org.logstash.beats.ConnectionHandler][main] 8cff884d: batches pending: true
[2021-02-05T07:06:15,369][DEBUG][org.logstash.beats.ConnectionHandler][main] babac4ef: batches pending: true
[2021-02-05T07:06:21,704][DEBUG][org.logstash.beats.ConnectionHandler][main] b8f4c8f7: batches pending: true
[2021-02-05T07:06:28,794][DEBUG][org.logstash.beats.ConnectionHandler][main] a37e2da3: batches pending: true
[2021-02-05T07:06:29,834][DEBUG][org.logstash.beats.ConnectionHandler][main] 455c7c87: batches pending: true
[2021-02-05T07:06:29,834][DEBUG][org.logstash.beats.ConnectionHandler][main] 455c7c87: batches pending: true
[2021-02-05T07:06:30,794][DEBUG][org.logstash.beats.ConnectionHandler][main] a895e7d3: batches pending: true
[2021-02-05T07:06:36,704][DEBUG][org.logstash.beats.ConnectionHandler][main] b8f4c8f7: batches pending: true
[2021-02-05T07:06:38,476][DEBUG][org.logstash.beats.ConnectionHandler][main] 17aaab9e: batches pending: true
[2021-02-05T07:06:42,113][DEBUG][org.logstash.beats.ConnectionHandler][main] 8cff884d: batches pending: true
[2021-02-05T07:06:50,779][DEBUG][org.logstash.beats.ConnectionHandler][main] b5569bb1: reader and writer are idle, closing remote connection
[2021-02-05T07:06:50,779][DEBUG][org.logstash.beats.ConnectionHandler][main] 6997090c: reader and writer are idle, closing remote connection

here is my filebeat logstash output config. I set loadbalancing true

    output.logstash:
        hosts:
        - logstash-logstash:5044
        loadbalance: true
        compression_level: 3
        worker: 8
        bulk_max_size: 4096
        pipelining: 4

user2416 · February 8, 2021, 6:15am

can anyone please help?

user2416 · February 9, 2021, 5:39pm

@Badger any thoughts on this issue? logstash hangs without any error, debug logs only show below info

[2021-02-05T07:06:36,704][DEBUG][org.logstash.beats.ConnectionHandler][main] b8f4c8f7: batches pending: true
[2021-02-05T07:06:38,476][DEBUG][org.logstash.beats.ConnectionHandler][main] 17aaab9e: batches pending: true
[2021-02-05T07:06:42,113][DEBUG][org.logstash.beats.ConnectionHandler][main] 8cff884d: batches pending: true

system · March 9, 2021, 5:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash is periodically hanging (unresponsive) and not sending anything to ES. How to recognize and fix? Logstash	1	279	January 13, 2021
Logstash hangs with no error Logstash docker	1	570	March 25, 2021
Filebeat :- Failed to publish events caused by: client is not connected Beats filebeat	9	19564	March 19, 2020
Filebeat Error Failed to publish events write tcp Beats filebeat	2	4465	November 20, 2019
ERROR logstash/async.go:256 Failed to publish events caused by: write tcp 10.XXX.XX.XX:43522->10.XXX.XX.XX:5044: i/o timeout 2019-08-06T16:04:30.967+0800 ERROR pipeline/output.go:121 Failed to publish events:IOtimeout Beats filebeat	3	2121	September 9, 2019

Logstash/Filebeat is periodically hanging (unresponsive)

Related Topics