Logstash is failing with response code 403 trying to publish events to closed filebeat indexes

Yuri_Sibirski · December 21, 2017, 2:37pm

Dear ELK specialists, for some reason i am seeing my logstash is failing with response code 403 by trying to publish events into closed indexes. Here are some entries from logstash-plain.log. Do you have any idea why it is happening and how can i fix it? Opening indexes helps to solve it but it's more like a workaround rather than a fix. I need to close indexes that are older than 2 weeks.

[2017-12-21T09:20:18,018][INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>1}
[2017-12-21T09:20:20,022][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"index_closed_exception", "reason"=>"closed", "index_uuid"=>"Laz5seg6R6i45Sjd0v1mKQ", "index"=>"filebeat-2017.09.25"})
[2017-12-21T09:20:20,023][INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>1}
[2017-12-21T09:20:24,028][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"index_closed_exception", "reason"=>"closed", "index_uuid"=>"Laz5seg6R6i45Sjd0v1mKQ", "index"=>"filebeat-2017.09.25"})
[2017-12-21T09:20:24,028][INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>1}
[2017-12-21T09:20:31,979][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"index_closed_exception", "reason"=>"closed", "index_uuid"=>"hMKzRqruTmS63E_NI22D2A", "index"=>"filebeat-2017.09.21"})
[2017-12-21T09:20:31,979][INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>1}
[2017-12-21T09:20:32,035][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"index_closed_exception", "reason"=>"closed", "index_uuid"=>"Laz5seg6R6i45Sjd0v1mKQ", "index"=>"filebeat-2017.09.25"})
[2017-12-21T09:20:32,035][INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>1}

Christian_Dahlqvist · December 21, 2017, 7:33pm

Why do you need to close indices older than 2 weeks? How come you have data coming in with such a delay?

system · January 18, 2018, 7:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.