Logstash Shield index_not_found_exception

Nww_Pot_Fung_Nng · June 26, 2016, 3:25am

Hi All,

I've setup shield on elasticsearch, kibana and logstash.

elasticseach and kibana are fine. But, I got the following error for logstash receiving events.

"error"=>{"type"=>"index_not_found_exception", "reason"=>"no such index", "index"=>"logstash.apache-2016.06.26", "resource.type"=>"index_expression", "resource.id"=>"logstash.apache-2016.06.26"}

If I manually create the indice logstash.apache-2016.06.26 using account logstash, it just works fine.

So, did I miss something?

elasticsearch {
hosts => ["https://localhost:9200"]
user => "logstash"
password => "logstash"
ssl => true
ssl_certificate_verification => false
cacert => '/appl/erp/elastic/elasticsearch-2.3.3/config/shield/rootCA.pem'
index => "logstash.%{type}-%{+YYYY.MM.dd}"
}

Regards,
fung

Nww_Pot_Fung_Nng · June 28, 2016, 1:57am

As a workaround, we need to create the indice manually in crontab.

0 0 * * * /bin/curl -k -u logstash:logstash -XPUT "https://localhost:9200/logstash.apache-date +\%Y.\%m.\%d" > cr_logstash_indices.log 2>&1

Anyone got any idea why logstash is not creating the indices? Before setting up Shield, everything works just fine. Please...

regards,
fung

Nww_Pot_Fung_Nng · June 28, 2016, 8:08am

It seems only me are having the problem.
It turns out to be the action.auto_create_index setting.