Logstash "sniffing" argument in the output configuration

I'm currently in the throws of implementation and come across something confusing. Hopefully one of you experts can help me out.

First, my output code block which is in a separate file from the inputs: 90-ES_output.conf

output {
elasticsearch {
hosts => ["roundrobindns.mydomain.local:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"

In this configuration, if I tail the logs, I get several (one every 2 seconds or so) of these messages:

Oct 26 19:10:09 myserver logstash[9785]: [2018-10-26T19:10:09,899][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [][Manticore::SocketException] Connection refused (Connection refused)"}

Prior to that logstash is happy to start on my default beats port and query my cluster of elasticsearch boxes. It doesn't seem that logstash functionality is inhibited or problematic with this error. However, if I drop the 'sniffing => true' from my code block, the 'tail'ed syslog no longer produces that error.

Is it by design that sniffing for new cluster nodes looks for the loopback?

Probably the X-Pack monitoring URL setting in logstash.yml that causes this.

I read some posts about that and configured my logstash.yml accordingly (at least I think so). Full disclosure, I haven't read enough on what the free version of xpack includes and what it doesn't in terms of how I need to configure my *.yml files.

I do have these lines in my logstash.yml configured as such:

xpack.monitoring.enabled: false
xpack.monitoring.elasticsearch.url: ["roundrobindns.mydomain.local:9200"]

xpack.management.enabled: false
xpack.management.elasticsearch.url: ["roundrobindns.mydomain.local:9200"]

Well, that looks correct (if those really are the settings in use).

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.