We have the ELK software set up on one server (ServerA) and logstash-forwarder on a remote server (ServerB), forwarding logs to the ELK server (ServerA).
Everything works fine if both servers are up and running.
If the logstash-forwarder service is stopped for some reason and reinvoked after 24 hours, the logs with a timestamp older than 24 hours are not transferred to the ELK server (ServerA).
What am I missing here?
This is the logstash.conf:

```
input {
  lumberjack {
    port => 5000
    #type => "logs"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    # [@metadata][beat] is set by the beats input, not by the lumberjack input
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
  #stdout { codec => rubydebug }
}
```
Logstash-forwarder conf:

```
{
  "network": {
    # A list of downstream servers listening for our messages.
    # logstash-forwarder will pick one at random and only switch if
    # the selected one appears to be dead or unresponsive
    "servers": [ "<ServerA_IP>:5000" ],
    # The path to your client ssl certificate (optional)
    #"ssl certificate": "./logstash-forwarder.crt",
    # The path to your client ssl key (optional)
    "ssl key": "/etc/pki/tls/private/lumberjack.key",
    # The path to your trusted ssl CA file. This is used
    # to authenticate your downstream server.
    # NOTE: "ssl ca" appears twice; the JSON parser keeps the last value.
    "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt",
    "ssl ca": "/etc/pki/tls/certs/lumberjack.crt",
    # Network timeout in seconds. This is most important for
    # logstash-forwarder determining whether to stop waiting for an
    # acknowledgement from the downstream server. If a timeout is reached,
    # logstash-forwarder will assume the connection or server is bad and
    # will connect to a server chosen at random from the servers list.
    "timeout": 15
  },
  "files": [
    {
      "paths": [
        "/opt/JBOSS_FUSE/JBOSS/data/log/ECMLApp.log*"
      ],
      "dead time": "2400h",
      "fields": { "type": "ecmlApp logs" }
    }
  ]
}
```
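As an added example (not part of the question above, and not logstash-forwarder's own code), here is a small Python linter for a logstash-forwarder config: it strips the whole-line `#` comments the format allows, parses the remainder as JSON while flagging repeated keys such as the two `"ssl ca"` entries, and converts the `"dead time"` duration into a cutoff so you can see which files under a path glob would be treated as dead. The config text, file paths and modification times are constructed for the demonstration; the 24h fallback used when `"dead time"` is absent is an assumption about the tool's default.

```python
"""Lint a logstash-forwarder config and evaluate its "dead time" setting.

Added example, not code from the original question. SAMPLE_CONFIG and the
modification times in main() are constructed; nothing is read from disk.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed config text in the shape of a logstash-forwarder file,
# including a deliberately repeated "ssl ca" key.
SAMPLE_CONFIG = '''{
  "network": {
    # downstream servers (constructed address)
    "servers": [ "10.0.0.1:5000" ],
    "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt",
    "ssl ca": "/etc/pki/tls/certs/lumberjack.crt",
    "timeout": 15
  },
  "files": [
    { "paths": [ "/var/log/app/app.log*" ], "dead time": "2400h",
      "fields": { "type": "app logs" } }
  ]
}'''

COMMENT_RE = re.compile(r'^\s*#.*$', re.MULTILINE)      # whole-line comments only
DURATION_RE = re.compile(r'(\d+(?:\.\d+)?)([smh])')     # Go-style "1h30m"
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}
DEFAULT_DEAD_TIME = "24h"   # assumed default when the key is missing


def strip_comments(text):
    """Remove whole-line '#' comments so the rest can be parsed as JSON."""
    return COMMENT_RE.sub("", text)


def load_config(text):
    """Parse the config; return (config, list_of_duplicate_keys).

    Go's encoding/json keeps the last value for a repeated key, so the
    returned config does the same, and the duplicates are reported.
    """
    duplicates = []

    def check_pairs(pairs):
        seen = {}
        for key, value in pairs:
            if key in seen:
                duplicates.append(key)
            seen[key] = value        # last value wins
        return seen

    config = json.loads(strip_comments(text), object_pairs_hook=check_pairs)
    return config, duplicates


def parse_duration(spec):
    """Convert a duration such as "24h" or "1h30m" into seconds."""
    parts = DURATION_RE.findall(spec)
    if not parts or "".join(n + u for n, u in parts) != spec:
        raise ValueError("unsupported duration: %r" % spec)
    return sum(float(n) * _UNIT_SECONDS[u] for n, u in parts)


def dead_files(mtimes, dead_time_seconds, now):
    """Return paths whose last modification is older than the dead time.

    mtimes maps path -> datetime of last modification (supplied by the
    caller so the check runs without touching the filesystem).
    """
    cutoff = now - timedelta(seconds=dead_time_seconds)
    return sorted(p for p, m in mtimes.items() if m < cutoff)


def lint(text, mtimes, now):
    """Run all checks and return a report dictionary."""
    config, duplicates = load_config(text)
    report = {"duplicate_keys": duplicates, "dead": {}}
    for entry in config["files"]:
        seconds = parse_duration(entry.get("dead time", DEFAULT_DEAD_TIME))
        report["dead"][", ".join(entry["paths"])] = dead_files(mtimes, seconds, now)
    return report


if __name__ == "__main__":
    now = datetime(2016, 6, 1, 12, 0, 0)
    # Constructed modification times for three rotated copies of the log.
    mtimes = {
        "/var/log/app/app.log": now - timedelta(hours=1),
        "/var/log/app/app.log.1": now - timedelta(hours=30),
        "/var/log/app/app.log.2": now - timedelta(hours=3000),
    }
    print(json.dumps(lint(SAMPLE_CONFIG, mtimes, now), indent=2))
```

Running it against the constructed input reports the repeated `"ssl ca"` key and shows that, with `"dead time": "2400h"`, only the copy untouched for 3000 hours falls past the cutoff, whereas the 24h fallback would also exclude the 30-hour-old file.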