Hi, we are testing ELK 6.6.1 on s390x platform (Linux on Z).
After starting the ELK 6.6.1 stack, everything seems working fine and we can see logs on Kibana UI, but logstash log has following entries from time to time:
[2019-07-07T12:11:35,834][INFO ][org.logstash.beats.BeatsHandler] [local: 10.1.79.146:5044, remote: 10.1.79.173:48148] Handling exception: error:1e00007d:Cipher functions:OPENSSL_internal:INVALID_NONCE
[2019-07-07T12:11:35,834][WARN ][io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
javax.net.ssl.SSLException: error:1e00007d:Cipher functions:OPENSSL_internal:INVALID_NONCE
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:895) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:882) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.wrap(ReferenceCountedOpenSslEngine.java:824) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:509) ~[?:1.8.0_212]
at io.netty.handler.ssl.SslHandler.wrap(SslHandler.java:1019) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
at io.netty.handler.ssl.SslHandler.wrap(SslHandler.java:825) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
at io.netty.handler.ssl.SslHandler.wrapAndFlush(SslHandler.java:793) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
at io.netty.handler.ssl.SslHandler.flush(SslHandler.java:774) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeFlush0(AbstractChannelHandlerContext.java:776) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeFlush(AbstractChannelHandlerContext.java:768) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.AbstractChannelHandlerContext.access$1500(AbstractChannelHandlerContext.java:38) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.AbstractChannelHandlerContext$16.run(AbstractChannelHandlerContext.java:756) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163) [netty-all-4.1.30.Final.jar:4.1.30.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:404) [netty-all-4.1.30.Final.jar:4.1.30.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:462) [netty-all-4.1.30.Final.jar:4.1.30.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897) [netty-all-4.1.30.Final.jar:4.1.30.Final]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-all-4.1.30.Final.jar:4.1.30.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_212]
After turning on org.logstash.beats.BeatsHandler debug level tracing, we can see following pattern:
(normal pipeline processing...)
[2019-07-07T21:09:38,423][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.1.79.146:5044, remote: 10.1.10.165:34646] Sending a new message for the listener, sequence: 73
[2019-07-07T21:09:38,427][DEBUG][org.logstash.beats.BeatsHandler] 5cc2452e: batches pending: false
[2019-07-07T21:09:38,429][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.1.79.146:5044, remote: 10.1.10.165:34646] Received a new payload
[2019-07-07T21:09:38,430][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.1.79.146:5044, remote: 10.1.10.165:34646] Sending a new message for the listener, sequence: 1
[2019-07-07T21:09:38,434][DEBUG][org.logstash.beats.BeatsHandler] 5cc2452e: batches pending: false
[2019-07-07T21:09:38,436][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.1.79.146:5044, remote: 10.1.79.173:54172] Handling exception: error:1e00007d:Cipher functions:OPENSSL_internal:INVALID_NONCE
javax.net.ssl.SSLException: error:1e00007d:Cipher functions:OPENSSL_internal:INVALID_NONCE
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:895) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
(similar call stack like above)
...
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_212]
[2019-07-07T21:09:38,439][INFO ][org.logstash.beats.BeatsHandler] [local: 10.1.79.146:5044, remote: 10.1.79.173:54172] Handling exception: error:1e00007d:Cipher functions:OPENSSL_internal:INVALID_NONCE
[2019-07-07T21:09:38,440][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.1.79.146:5044, remote: 10.1.10.165:34646] Received a new payload
[2019-07-07T21:09:38,440][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.1.79.146:5044, remote: 10.1.10.165:34646] Sending a new message for the listener, sequence: 1
[2019-07-07T21:09:38,439][WARN ][io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
javax.net.ssl.SSLException: error:1e00007d:Cipher functions:OPENSSL_internal:INVALID_NONCE
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:895) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
(similar call stack like above)
...
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_212]
[2019-07-07T21:09:38,444][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.1.79.146:5044, remote: 10.1.10.165:34646] Sending a new message for the listener, sequence: 2
[2019-07-07T21:09:38,448][DEBUG][org.logstash.beats.BeatsHandler] 5cc2452e: batches pending: false
[2019-07-07T21:09:38,727][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.1.79.146:5044, remote: 10.1.79.173:53042] Received a new payload
(started new sequence...)
[2019-07-07T21:09:38,727][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.1.79.146:5044, remote: 10.1.79.173:53042] Sending a new message for the listener, sequence: 1
[2019-07-07T21:09:38,731][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.1.79.146:5044, remote: 10.1.79.173:53042] Sending a new message for the listener, sequence: 2
[2019-07-07T21:09:38,734][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.1.79.146:5044, remote: 10.1.79.173:53042] Sending a new message for the listener, sequence: 3
...
It looks like that logstash recovered the exception and resumes processing logs from filebeat (version is 6.6.1)
Any idea what's going on here? How can we find the root cause of this issue?
Best regards.