Logstash filter plugin fingerprint failing from unknown reason

pastechecker · August 28, 2018, 2:50pm

Hello,
since a few days I am trying to solve a problem of failing logstash.
I am downloading ip database using http_poller. It is approximately 30k IP addresses.
I want to change the _id field using fingerprint filter plugin (it works well). However, it crashes from unknown reason. If I am in normal logstash mode I am able to load approximately 2000 messages, but when I am in full debug mode I am getting like 28k. Please see the configuration below.

config file:

input {
http_poller {
urls => {
blocklist_de_all => "http://lists.blocklist.de/lists/all.txt"
}
request_timeout => 30
tags => ["blocklist"]
codec => "line"
validate_after_inactivity => 200
schedule => { cron => "*/30 * * * *" }
metadata_target => "feed_metadata"
}
}

filter {
split {
field => "[message]"
}
if ([message] =~ /^#/) {
drop{}
}
else {
grok {
match => { "message" => "^%{GREEDYDATA:ipv4address}" }
}
}
geoip {
source => "ipv4address"
add_tag => [ "ipv4enriched" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
}
fingerprint {
      id => "blocklist1"
            source => [ "ipv4address" ]
            method => [ "SHA512" ]
            add_tag => [ "fingerprinted" ]
}
}

output {
elasticsearch {
hosts => ["10.0.50.51:9200"]
index => "ipv4_to_block"
document_id => "%{fingerprint}"
document_type => "default"
}
}

pipeline config:

pipeline.id: blocklist_ips
path.config: "/etc/logstash/conf.d/blocklist_de_all_low_confidence.conf"
pipeline.workers: 16

I am getting what I want in Elasticsearch (output from Kibana):

{
"_index": "ipv4_to_block",
"_type": "default",
"_id": "1eda4277c8b054652a08b0f56f26656babbe8328",
"_version": 1,
"_score": 1,
"_source": {
"fingerprint": "1eda4277c8b054652a08b0f56f26656babbe8328",
"@version": "1",
"metadata": {
"host": "elk2",
"name": "blocklist_de_all",
"request": {
"method": "get",
"url": "http://lists.blocklist.de/lists/all.txt"
},
"code": 200,
"response_message": "OK",
"runtime_seconds": 0.115168,
"times_retried": 0,
"response_headers": {
"connection": "keep-alive",
"content-type": "text/plain; charset=UTF-8",
"transfer-encoding": "chunked",
"date": "Tue, 28 Aug 2018 14:16:55 GMT",
"last-modified": "Tue, 28 Aug 2018 14:14:10 GMT",
"cache-control": "public",
"x-frame-options": "sameorigin",
"keep-alive": "timeout=20",
"server": "nginx/1.12.2",
"etag": "W/"6550b-5747f74a5da2f""
}
},
"tags": [
"blocklist",
"_geoip_lookup_failure",
"fingerprinted"
],
"ipv4address": "103.115.180.188",
"@timestamp": "2018-08-28T14:21:00.411Z",
"message": "103.115.180.188",
"geoip": {}
},
"fields": {
"@timestamp": [
"2018-08-28T14:21:00.411Z"
]
}
}

Configured logstash in debug mode:

curl -XPUT 'localhost:9600/_node/logging?pretty' -H 'Content-Type: application/json' -d'
{
"logger.logstash.agent" : "DEBUG",
"logger.logstash.api.service" : "DEBUG",
"logger.logstash.codecs.json" : "DEBUG",
"logger.logstash.codecs.line" : "DEBUG",
"logger.logstash.codecs.plain" : "DEBUG",
"logger.logstash.config.source.local.configpathloader" : "DEBUG",
"logger.logstash.config.source.multilocal" : "DEBUG",
"logger.logstash.config.sourceloader" : "DEBUG",
"logger.logstash.configmanagement.extension" : "DEBUG",
"logger.logstash.filters.drop" : "DEBUG",
"logger.logstash.filters.grok" : "DEBUG",
"logger.logstash.filters.split" : "DEBUG",
"logger.logstash.inputs.http_poller" : "DEBUG",
"logger.logstash.instrument.periodicpoller.deadletterqueue" : "DEBUG",
"logger.logstash.instrument.periodicpoller.jvm" : "INFO",
"logger.logstash.instrument.periodicpoller.os" : "DEBUG",
"logger.logstash.instrument.periodicpoller.persistentqueue" : "DEBUG",
"logger.logstash.modules.scaffold" : "DEBUG",
"logger.logstash.modules.xpackscaffold" : "DEBUG",
"logger.logstash.monitoringextension" : "DEBUG",
"logger.logstash.monitoringextension.pipelineregisterhook" : "DEBUG",
"logger.logstash.outputs.elasticsearch" : "DEBUG",
"logger.logstash.outputs.file" : "DEBUG",
"logger.logstash.pipeline" : "INFO",
"logger.logstash.plugins.registry" : "DEBUG",
"logger.logstash.runner" : "DEBUG",
"logger.org.logstash.Logstash" : "DEBUG",
"logger.org.logstash.common.DeadLetterQueueFactory" : "DEBUG",
"logger.org.logstash.common.io.DeadLetterQueueWriter" : "DEBUG",
"logger.org.logstash.config.ir.CompiledPipeline" : "DEBUG",
"logger.org.logstash.instrument.metrics.gauge.LazyDelegatingGauge" : "DEBUG",
"logger.org.logstash.plugins.pipeline.PipelineBus" : "DEBUG",
"logger.org.logstash.secret.store.SecretStoreFactory" : "DEBUG",
"logger.slowlog.logstash.codecs.json" : "DEBUG",
"logger.slowlog.logstash.aodecs.line" : "DEBUG",
"logger.slowlog.logstash.codecs.plain" : "DEBUG",
"logger.slowlog.logstash.filters.drop" : "DEBUG",
"logger.slowlog.logstash.filters.grok" : "DEBUG",
"logger.slowlog.logstash.filters.split" : "DEBUG",
"logger.slowlog.logstash.inputs.http_poller" : "DEBUG",
"logger.slowlog.logstash.outputs.elasticsearch" : "DEBUG",
"logger.slowlog.logstash.outputs.file" : "DEBUG"
}
'

Why the logstash loads less data if not being in full debug mode?
Why this configuration fails anyway?
Is it because it cannot handle the load of hashing 30k or failing on the local ip database lookup?

Thank you for the help in advance.

pastechecker · August 28, 2018, 2:51pm

The error I get is:

[2018-08-28T16:24:01,488][ERROR][logstash.pipeline ] Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {:pipeline_id=>"blocklist_ips", "exception"=>"8", "backtrace"=>["org.bouncycastle.crypto.digests.LongDigest.update(Unknown Source)", "org.bouncycastle.crypto.digests.LongDigest.finish(Unknown Source)", "org.bouncycastle.crypto.digests.SHA512Digest.doFinal(Unknown Source)", "org.bouncycastle.jcajce.provider.digest.BCMessageDigest.engineDigest(Unknown Source)", "java.security.MessageDigest.digest(MessageDigest.java:365)", "org.jruby.ext.openssl.Digest.finish(Digest.java:204)", "org.jruby.ext.openssl.Digest$INVOKER$i$0$0$finish.call(Digest$INVOKER$i$0$0$finish.gen)", "org.jruby.RubyClass.finvoke(RubyClass.java:557)", "org.jruby.runtime.Helpers.invoke(Helpers.java:399)", "org.jruby.RubyBasicObject.callMethod(RubyBasicObject.java:354)", "org.jruby.ext.digest.RubyDigest$DigestInstance.digest(RubyDigest.java:320)", "org.jruby.ext.digest.RubyDigest$DigestInstance.hexdigest(RubyDigest.java:339)", "org.jruby.ext.digest.RubyDigest$DigestInstance$INVOKER$s$0$1$hexdigest.call(RubyDigest$DigestInstance$INVOKER$s$0$1$hexdigest.gen)", "org.jruby.internal.runtime.methods.JavaMethod$JavaMethodN.call(JavaMethod.java:721)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:200)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:161)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:73)", "org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:83)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:179)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:165)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:200)", "org.jruby.internal.runtime.methods.AliasMethod.call(AliasMethod.java:61)", "usr.share.logstash.vendor.bundle.jruby.$2_dot_3_dot_0.gems.logstash_minus_filter_minus_fingerprint_minus_3_dot_2_dot_0.lib.logstash.filters.fingerprint.RUBY$block$filter$4(/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-fingerprint-3.2.0/lib/logstash/filters/fingerprint.rb:140)", "org.jruby.runtime.CompiledIRBlockBody.yieldDirect(CompiledIRBlockBody.java:156)", "org.jruby.runtime.BlockBody.yield(BlockBody.java:114)", "org.jruby.runtime.Block.yield(Block.java:165)", "org.jruby.RubyArray.each(RubyArray.java:1734)", "usr.share.logstash.vendor.bundle.jruby.$2_dot_3_dot_0.gems.logstash_minus_filter_minus_fingerprint_minus_3_dot_2_dot_0.lib.logstash.filters.fingerprint.RUBY$method$filter$0(/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-fingerprint-3.2.0/lib/logstash/filters/fingerprint.rb:135)", "usr.share.logstash.logstash_minus_core.lib.logstash.filters.base.RUBY$method$do_filter$0(/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:143)", "usr.share.logstash.logstash_minus_core.lib.logstash.filters.base.RUBY$block$multi_filter$1(/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:162)", "org.jruby.runtime.CompiledIRBlockBody.yieldDirect(CompiledIRBlockBody.java:156)", "org.jruby.runtime.BlockBody.yield(BlockBody.java:114)", "org.jruby.runtime.Block.yield(Block.java:165)", "org.jruby.RubyArray.each(RubyArray.java:1734)", "usr.share.logstash.logstash_minus_core.lib.logstash.filters.base.RUBY$method$multi_filter$0(/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159)", "usr.share.logstash.logstash_minus_core.lib.logstash.filter_delegator.RUBY$method$multi_filter$0(/usr/share/logstash/logstash-core/lib/logstash/filter_delegator.rb:44)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:103)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:163)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:200)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:161)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:73)", "org.jruby.ir.interpreter.Interpreter.INTERPRET_BLOCK(Interpreter.java:132)", "org.jruby.runtime.MixedModeIRBlockBody.commonYieldPath(MixedModeIRBlockBody.java:148)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:73)", "org.jruby.runtime.Block.call(Block.java:124)", "org.jruby.RubyProc.call(RubyProc.java:289)", "org.jruby.internal.runtime.methods.ProcMethod.call(ProcMethod.java:63)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:204)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:200)", "usr.share.logstash.logstash_minus_core.lib.logstash.pipeline.RUBY$method$filter_batch$0(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:340)", "usr.share.logstash.logstash_minus_core.lib.logstash.pipeline.RUBY$method$worker_loop$0(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:319)", "usr.share.logstash.logstash_minus_core.lib.logstash.pipeline.RUBY$block$start_workers$2(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:285)", "org.jruby.runtime.CompiledIRBlockBody.callDirect(CompiledIRBlockBody.java:145)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:71)", "org.jruby.runtime.Block.call(Block.java:124)", "org.jruby.RubyProc.call(RubyProc.java:289)", "org.jruby.RubyProc.call(RubyProc.java:246)", "org.jruby.internal.runtime.RubyRunnable.run(RubyRunnable.java:104)", "java.lang.Thread.run(Thread.java:748)"], :thread=>"#<Thread:0x812622b sleep>"}
[2018-08-28T16:24:01,490][ERROR][logstash.pipeline ] Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {:pipeline_id=>"blocklist_ips", "exception"=>"8", "backtrace"=>["org.bouncycastle.crypto.digests.LongDigest.update(Unknown Source)", "org.bouncycastle.crypto.digests.LongDigest.update(Unknown Source)", "org.bouncycastle.jcajce.provider.digest.BCMessageDigest.engineUpdate(Unknown Source)", "java.security.MessageDigest.update(MessageDigest.java:325)", "org.jruby.ext.openssl.Digest.update(Digest.java:192)", "org.jruby.ext.openssl.Digest$INVOKER$i$1$0$update.call(Digest$INVOKER$i$1$0$update.gen)",
...

system · September 25, 2018, 2:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.