Logstash.filters.elasticsearch "Read timed out"

gregorys · February 17, 2022, 6:50pm

Hi,

I'm using Logstash 7.17 against Elasticsearch 7.16 cluster.
The filter is working for about 9/10 events, but sometimes it fails with this error:

"Failed to query Elasticsearch for previous event", "Read timed out"
Full log:

[2022-02-17T16:30:47,078][DEBUG][logstash.filters.elasticsearch][vault] Querying elasticsearch for lookup {:params=>{:index=>"vault-2022.02.17", :q=>"context.vaultSecretKey:2ff1f7e8-b6c1-49aa AND auth.claims.client_id:client.inventory AND msg:Retrieve credentials", :size=>1, :sort=>"@timestamp:desc"}}

[2022-02-17T16:30:57,177][WARN ][logstash.filters.elasticsearch][vault] Failed to query elasticsearch for previous event {:index=>"vault-%{+YYYY.MM.dd}", :query=>"context.vaultSecretKey:2ff1f7e8-b6c1-49aa AND auth.claims.client_id:client.inventory AND msg:Retrieve credentials", :event=>{"program"=>"@cee", "lvl"=>"NOTICE", "uid"=>417440, "tracking"=>{"cid"=>"CID-6279a2a9b1b788ebe49b257935879d81", "app"=>"cm_external", "rid"=>"RID-35a863b27b926d037dae7071504688fe", "ip"=>"192.168.3.4"}, "@timestamp"=>2022-02-17T15:30:43.977Z, "logsource"=>"web-cm-extern", "auth"=>{"claims"=>{"client_id"=>"client.inventory", "name"=>"Gregory", "amr"=>"external", "ImpersonatedByUserId"=>nil, "ImpersonatedBy"=>nil, "sub"=>"417440"}, "type"=>"Bearer token"}, "context"=>{"vaultSecretKey"=>"2ff1f7e8-b6c1-49aa"}, "host"=>"secsyslog", "@version"=>"1", "path"=>"/var/log/HOSTS/web-cm-extern/2022/02/17/local1.log", "timestamp"=>"Feb 17 16:30:43", "ts"=>"2022-02-17T16:30:42.3739826+01:00", "msg"=>"read secret"}, :error=>"Read timed out", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/manticore-0.8.0-java/lib/manticore/response.rb:36:in `block in initialize'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/manticore-0.8.0-java/lib/manticore/response.rb:79:in `call'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/manticore-0.8.0-java/lib/manticore/response.rb:274:in `call_once'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/manticore-0.8.0-java/lib/manticore/response.rb:158:in `code'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/elasticsearch-transport-7.16.3/lib/elasticsearch/transport/transport/http/manticore.rb:106:in `block in perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/elasticsearch-transport-7.16.3/lib/elasticsearch/transport/transport/base.rb:289:in `perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/elasticsearch-transport-7.16.3/lib/elasticsearch/transport/transport/http/manticore.rb:85:in `perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/elasticsearch-transport-7.16.3/lib/elasticsearch/transport/client.rb:197:in `perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/elasticsearch-7.16.3/lib/elasticsearch.rb:41:in `method_missing'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/elasticsearch-api-7.16.3/lib/elasticsearch/api/actions/search.rb:104:in `search'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-elasticsearch-3.11.0/lib/logstash/filters/elasticsearch/client.rb:39:in `search'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-elasticsearch-3.11.0/lib/logstash/filters/elasticsearch.rb:133:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:299:in `block in start_workers'"]}

The filter:

  if [msg] == "read secret" and [auth][claims][client_id] == "client.inventory" {
    elasticsearch {
      hosts => "https://masked:9200"
      ca_file => "/etc/logstash/elastic-ca.pem"
      index => "vault-%{+YYYY.MM.dd}"
      user => "masked"
      password => "masked"
      query => "context.vaultSecretKey:%{[context][vaultSecretKey]} AND auth.claims.client_id:client.inventory AND msg:Retrieve credentials"
      fields => {
        "[context][tag]" => "[context][tag]"
        "[context][login]" => "[context][login]"
        "[context][name]" => "[context][name]"
      }
    }
  }

This filter is triggered about 300 times/24h, the cluster is not heavily used and I don't see any reason why it would take over 10s for this query to return a result. Takes a couple of millisec normally, the index size is only 30-40MB daily.

Can I get more information why it returns a "Read timed out", or is there a way to set a retry when such an error occurs?

Tomo_M · February 20, 2022, 12:45pm

Though I have no idea about the reason and how to deal with it. Some hints could be found in elasticsearch log or Slow log.

It could be possible by duplicate the filter with if clause on ["_elasticsearch_lookup_failure"] tag.

system · March 20, 2022, 12:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Read timed out when using Elasticsearch filter in pipeline Logstash	1	690	February 11, 2022
Failed to query elasticsearch for previous event Logstash	1	1784	July 6, 2017
Timeout in Logstash Elasticsearch Filter and Elasticsearch Output Logstash	1	1849	June 6, 2022
Elasticsearch filter plugin Logstash	1	479	September 7, 2017
Logstash querying elasticsearch timeout error Logstash	5	882	August 28, 2023

Logstash.filters.elasticsearch "Read timed out"

Related Topics