Logstash stopped processing because of an error: (SystemExit) exit

Running Windows 10, Logstash 8.1.0, Elasticsearch, kibana and filebeat 8.0.0 all on the same machine. I also tried running version 8.0.0 of Logstash but I get the same error.

Getting the data from filebeat to kibana works great but the problem is that the whole log is in the field message and we want to have a field for every value in this log. When trying to run:
PS C:\Program Files\logstash-8.1.0\bin> .\logstash.bat -f first-pipeline.conf

I get the following error:

OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Sending Logstash logs to C:/Program Files/logstash-8.1.0/logs which is now configured via log4j2.properties
[2022-03-10T13:34:24,583][INFO ][logstash.runner          ] Log4j configuration path used is: C:\Program Files\logstash-8.1.0\config\log4j2.properties
[2022-03-10T13:34:24,596][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.1.0", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 11.0.13+8 on 11.0.13+8 +indy +jit [mswin32-x86_64]"}
[2022-03-10T13:34:24,599][INFO ][logstash.runner          ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
[2022-03-10T13:34:24,702][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2022-03-10T13:34:26,674][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2022-03-10T13:34:27,040][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [A-Za-z0-9_-], [ \\t\\r\\n], \"#\", \"=>\" at line 18, column 11 (byte 512) after output {\r\n\telasticsearch { hosts => [\"localhost:9200\"]\r\n\t\tusername", :backtrace=>["C:/Program Files/logstash-8.1.0/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:189:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in `initialize'", "C:/Program Files/logstash-8.1.0/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "C:/Program Files/logstash-8.1.0/logstash-core/lib/logstash/pipeline_action/create.rb:50:in `execute'", "C:/Program Files/logstash-8.1.0/logstash-core/lib/logstash/agent.rb:376:in `block in converge_state'"]}
[2022-03-10T13:34:27,125][INFO ][logstash.runner          ] Logstash shut down.
[2022-03-10T13:34:27,135][FATAL][org.logstash.Logstash    ] Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
        at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:747) ~[jruby.jar:?]
        at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:710) ~[jruby.jar:?]
        at C_3a_.Program_20_Files.logstash_minus_8_dot_1_dot_0.lib.bootstrap.environment.<main>(C:\Program Files\logstash-8.1.0\lib\bootstrap\environment.rb:94) ~[?:?]

Here is the pipeline, which is in C:\Program Files\logstash-8.1.0\first-pipeline.conf:

 input {
	 beats {
        port => "5044"
    }
}
filter {
		grok {
        patterns_dir => ["./patterns"]
        match => { "message" => "%{DATESTAMP:DateTime},%{PName:Program},%{POSINT:ProcessID},%{POSINT:UsageCPU}" }
      }
    }
output {
	elasticsearch { hosts => ["localhost:9200"]
		username: "elastic"
		password: "my password" 
	}
}

Following this guide I have also created the pattern directory where the PName comes from: Grok filter plugin | Logstash Reference [8.0] | Elastic

C:\Program Files\logstash-8.1.0\patterns\filebeatpattern.txt

#regex for program name logfilebeat ex: kibana
PName [A-Za-z]\w+

Here is the structure of the log file:

DateTime, Program, PID, CPU Usage
08.03.2022 14:53:41,Chrome,1715,58

Here is my current filebeat.yml configuration:

output.logstash:
 hosts: ["localhost:5044"]
 username: "elastic"
 password: "my password" 

Is there something I misconfigured or forgot?
If there is any information that is missing I will provide it.

Any help would be appreciated.

Thank you in advance.

You have a configuration error, this is what this line means:

[2022-03-10T13:34:27,040][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [A-Za-z0-9_-], [ \\t\\r\\n], \"#\", \"=>\" at line 18, column 11 (byte 512) after output {\r\n\telasticsearch { hosts => [\"localhost:9200\"]\r\n\t\tusername", :backtrace=>["C:/Program Files/logstash-8.1.0/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:189:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in `initialize'", "C:/Program Files/logstash-8.1.0/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "C:/Program Files/logstash-8.1.0/logstash-core/lib/logstash/pipeline_action/create.rb:50:in `execute'", "C:/Program Files/logstash-8.1.0/logstash-core/lib/logstash/agent.rb:376:in `block in converge_state'"]}

It also tells you where the error is:

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [A-Za-z0-9_-], [ \t\r\n], "#", "=>" at line 18, column 11 (byte 512) after output {\r\n\telasticsearch { hosts => ["localhost:9200"]\r\n\t\tusername"

Your configuration error probably is here:

		username: "elastic"
		password: "my password" 

It should be:

username => "elastic"
password => "my password"

Hey @leandrojmp thank you for the quick answer.

After changing the pipeline config like you suggested:


input {
    beats {
       port => "5044"
   }
}

filter {
   	grok {
       patterns_dir => ["./patterns"]
       match => { "message" => "%{DATESTAMP:DateTime},%{PName:Program},%{POSINT:ProcessID},%{POSINT:UsageCPU}" }
     }
   }
output {
   elasticsearch { hosts => ["localhost:9200"]
   	username => "elastic"
   	password => "my password" 
   }
}

I think I still get the same error:

PS C:\Program Files\logstash-8.1.0\bin> .\logstash.bat -f first-pipeline.conf
"Using bundled JDK: ."
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Sending Logstash logs to C:/Program Files/logstash-8.1.0/logs which is now configured via log4j2.properties
[2022-03-14T14:01:54,756][INFO ][logstash.runner          ] Log4j configuration path used is: C:\Program Files\logstash-8.1.0\config\log4j2.properties
[2022-03-14T14:01:54,771][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.1.0", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 11.0.13+8 on 11.0.13+8 +indy +jit [mswin32-x86_64]"}
[2022-03-14T14:01:54,774][INFO ][logstash.runner          ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
[2022-03-14T14:01:54,902][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2022-03-14T14:01:56,907][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2022-03-14T14:01:57,543][INFO ][org.reflections.Reflections] Reflections took 62 ms to scan 1 urls, producing 120 keys and 417 values
[2022-03-14T14:01:58,399][ERROR][logstash.outputs.elasticsearch] Unknown setting 'username' for elasticsearch
[2022-03-14T14:01:58,413][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"Java::JavaLang::IllegalStateException", :message=>"Unable to configure plugins: (ConfigurationError) Something is wrong with your configuration.", :backtrace=>["org.logstash.config.ir.CompiledPipeline.<init>(CompiledPipeline.java:120)", "org.logstash.execution.JavaBasePipelineExt.initialize(JavaBasePipelineExt.java:85)", "org.logstash.execution.JavaBasePipelineExt$INVOKER$i$1$0$initialize.call(JavaBasePipelineExt$INVOKER$i$1$0$initialize.gen)", "org.jruby.internal.runtime.methods.JavaMethod$JavaMethodN.call(JavaMethod.java:837)", "org.jruby.ir.runtime.IRRuntimeHelpers.instanceSuper(IRRuntimeHelpers.java:1169)", "org.jruby.ir.runtime.IRRuntimeHelpers.instanceSuperSplatArgs(IRRuntimeHelpers.java:1156)", "org.jruby.ir.targets.InstanceSuperInvokeSite.invoke(InstanceSuperInvokeSite.java:39)", "C_3a_.Program_20_Files.logstash_minus_8_dot_1_dot_0.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$initialize$0(C:/Program Files/logstash-8.1.0/logstash-core/lib/logstash/java_pipeline.rb:47)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:80)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:70)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:333)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:87)", "org.jruby.RubyClass.newInstance(RubyClass.java:939)", "org.jruby.RubyClass$INVOKER$i$newInstance.call(RubyClass$INVOKER$i$newInstance.gen)", "org.jruby.ir.targets.InvokeSite.invoke(InvokeSite.java:207)", "C_3a_.Program_20_Files.logstash_minus_8_dot_1_dot_0.logstash_minus_core.lib.logstash.pipeline_action.create.RUBY$method$execute$0(C:/Program Files/logstash-8.1.0/logstash-core/lib/logstash/pipeline_action/create.rb:50)", 
"C_3a_.Program_20_Files.logstash_minus_8_dot_1_dot_0.logstash_minus_core.lib.logstash.pipeline_action.create.RUBY$method$execute$0$__VARARGS__(C:/Program Files/logstash-8.1.0/logstash-core/lib/logstash/pipeline_action/create.rb:49)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:80)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:70)", "org.jruby.ir.targets.InvokeSite.invoke(InvokeSite.java:207)", "C_3a_.Program_20_Files.logstash_minus_8_dot_1_dot_0.logstash_minus_core.lib.logstash.agent.RUBY$block$converge_state$2(C:/Program Files/logstash-8.1.0/logstash-core/lib/logstash/agent.rb:376)", "org.jruby.runtime.CompiledIRBlockBody.callDirect(CompiledIRBlockBody.java:138)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:58)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:52)", "org.jruby.runtime.Block.call(Block.java:139)", "org.jruby.RubyProc.call(RubyProc.java:318)", "org.jruby.internal.runtime.RubyRunnable.run(RubyRunnable.java:105)", "java.base/java.lang.Thread.run(Thread.java:829)"]}
warning: thread "Converge PipelineAction::Create<main>" terminated with exception (report_on_exception is true):
LogStash::Error: Don't know how to handle `Java::JavaLang::IllegalStateException` for `PipelineAction::Create<main>`
          create at org/logstash/execution/ConvergeResultExt.java:135
             add at org/logstash/execution/ConvergeResultExt.java:60
  converge_state at C:/Program Files/logstash-8.1.0/logstash-core/lib/logstash/agent.rb:389
[2022-03-14T14:01:58,424][ERROR][logstash.agent           ] An exception happened when converging configuration {:exception=>LogStash::Error, :message=>"Don't know how to handle `Java::JavaLang::IllegalStateException` for `PipelineAction::Create<main>`"}
[2022-03-14T14:01:58,437][FATAL][logstash.runner          ] An unexpected error occurred! {:error=>#<LogStash::Error: Don't know how to handle `Java::JavaLang::IllegalStateException` for `PipelineAction::Create<main>`>, :backtrace=>["org/logstash/execution/ConvergeResultExt.java:135:in `create'", "org/logstash/execution/ConvergeResultExt.java:60:in `add'", "C:/Program Files/logstash-8.1.0/logstash-core/lib/logstash/agent.rb:389:in `block in converge_state'"]}
[2022-03-14T14:01:58,448][FATAL][org.logstash.Logstash    ] Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
        at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:747) ~[jruby.jar:?]
        at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:710) ~[jruby.jar:?]
        at C_3a_.Program_20_Files.logstash_minus_8_dot_1_dot_0.lib.bootstrap.environment.<main>(C:\Program Files\logstash-8.1.0\lib\bootstrap\environment.rb:94) ~[?:?]

I have also tried removing the user and password from the pipeline config and this is what I get:

PS C:\Program Files\logstash-8.1.0\bin> .\logstash.bat -f first-pipeline.conf
"Using bundled JDK: ."
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Sending Logstash logs to C:/Program Files/logstash-8.1.0/logs which is now configured via log4j2.properties
[2022-03-14T13:59:37,093][INFO ][logstash.runner          ] Log4j configuration path used is: C:\Program Files\logstash-8.1.0\config\log4j2.properties
[2022-03-14T13:59:37,109][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.1.0", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 11.0.13+8 on 11.0.13+8 +indy +jit [mswin32-x86_64]"}
[2022-03-14T13:59:37,112][INFO ][logstash.runner          ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
[2022-03-14T13:59:37,236][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2022-03-14T13:59:39,278][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2022-03-14T13:59:39,914][INFO ][org.reflections.Reflections] Reflections took 66 ms to scan 1 urls, producing 120 keys and 417 values
[2022-03-14T13:59:40,924][INFO ][logstash.javapipeline    ] Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
[2022-03-14T13:59:40,991][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[2022-03-14T13:59:41,372][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://localhost:9200/]}}
[2022-03-14T13:59:41,590][INFO ][logstash.outputs.elasticsearch][main] Failed to perform request {:message=>"localhost:9200 failed to respond", :exception=>Manticore::ClientProtocolException, :cause=>org.apache.http.NoHttpResponseException: localhost:9200 failed to respond}
[2022-03-14T13:59:41,596][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://localhost:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::ClientProtocolException] localhost:9200 failed to respond"}
[2022-03-14T13:59:41,632][INFO ][logstash.outputs.elasticsearch][main] Config is compliant with data streams. `data_stream => auto` resolved to `true`
[2022-03-14T13:59:41,636][WARN ][logstash.outputs.elasticsearch][main] Elasticsearch Output configured with `ecs_compatibility => v8`, which resolved to an UNRELEASED preview of version 8.0.0 of the Elastic Common Schema. Once ECS v8 and an updated release of this plugin are publicly available, you will need to update this plugin to resolve this warning.
[2022-03-14T13:59:41,647][WARN ][logstash.filters.grok    ][main] ECS v8 support is a preview of the unreleased ECS v8, and uses the v1 patterns. When Version 8 of the Elastic Common Schema becomes available, this plugin will need to be updated
[2022-03-14T13:59:42,040][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>12, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1500, "pipeline.sources"=>["C:/Program Files/logstash-8.1.0/first-pipeline.conf"], :thread=>"#<Thread:0x2c3d9123 run>"}
[2022-03-14T13:59:43,033][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>0.99}
[2022-03-14T13:59:43,069][INFO ][logstash.inputs.beats    ][main] Starting input listener {:address=>"0.0.0.0:5044"}
[2022-03-14T13:59:43,087][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
[2022-03-14T13:59:43,217][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2022-03-14T13:59:43,252][INFO ][org.logstash.beats.Server][main][862f319bd45309421faa592d7f85674799ac920365bb68ba843a9e4d8e4ce691] Starting server on port: 5044
[2022-03-14T13:59:46,663][INFO ][logstash.outputs.elasticsearch][main] Failed to perform request {:message=>"localhost:9200 failed to respond", :exception=>Manticore::ClientProtocolException, :cause=>org.apache.http.NoHttpResponseException: localhost:9200 failed to respond}

If you could help me with my issue I would really appreciate it.

Thanks in Advance.

The option is not username, it is user, you can check the available options for the output in the documentation.

Hey @leandrojmp thank you for answering.

I've changed the username now to user and when starting the pipeline I get this:

[2022-03-14T14:18:50,713][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://elastic:xxxxxx@localhost:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::ClientProtocolException] localhost:9200 failed to respond"}

Do I need to change the http to https somehow? Because that was an issue I had when connecting filebeat to Elasticsearch.

Thank you in Advance.

This means that your Elasticsearch is not responding.

Is your Elasticsearch running on the same host as the logstash service?

Yes. I have also restarted Elasticsearch because I thought maybe that could have been the issue.

Do you have something in Elasticsearch logs?

From the logstash error, there is not a running Elasticsearch instance listening on port 9200.

What do you get when you run curl http://elastic:your-password@localhost:9200 ?

Hey,

Do you mean the logs from Elasticsearch.log? If so, here they are after I restarted:

[2022-03-14T14:11:28,988][INFO ][o.e.n.Node               ] [VI216664] started
[2022-03-14T14:11:30,178][INFO ][o.e.l.LicenseService     ] [VI216664] license [96f42e48-7552-4965-a67c-3604204b95c3] mode [basic] - valid
[2022-03-14T14:11:30,180][INFO ][o.e.x.s.a.Realms         ] [VI216664] license mode is [basic], currently licensed security realms are [reserved/reserved,file/default_file,native/default_native]
[2022-03-14T14:11:30,189][INFO ][o.e.g.GatewayService     ] [VI216664] recovered [16] indices into cluster_state
[2022-03-14T14:11:32,537][INFO ][o.e.i.g.DatabaseNodeService] [VI216664] successfully loaded geoip database file [GeoLite2-Country.mmdb]
[2022-03-14T14:11:32,639][INFO ][o.e.i.g.DatabaseNodeService] [VI216664] successfully loaded geoip database file [GeoLite2-ASN.mmdb]
[2022-03-14T14:11:33,151][INFO ][o.e.c.r.a.AllocationService] [VI216664] current.health="YELLOW" message="Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.ds-filebeat-8.0.0-2022.02.24-000001][0], [.ds-ilm-history-5-2022.02.17-000001][0], [.kibana-event-log-8.0.0-000001][0]]])." previous.health="RED" reason="shards started [[.ds-filebeat-8.0.0-2022.02.24-000001][0], [.ds-ilm-history-5-2022.02.17-000001][0], [.kibana-event-log-8.0.0-000001][0]]"
[2022-03-14T14:11:33,755][INFO ][o.e.i.g.GeoIpDownloader  ] [VI216664] successfully downloaded geoip database [GeoLite2-ASN.mmdb]
[2022-03-14T14:11:33,854][INFO ][o.e.i.g.DatabaseReaderLazyLoader] [VI216664] evicted [0] entries from cache after reloading database [C:\Users\derkau\AppData\Local\Temp\elasticsearch\geoip-databases\kvjiHaBFQnmfpm17aXuyRA\GeoLite2-ASN.mmdb]
[2022-03-14T14:11:33,855][INFO ][o.e.i.g.DatabaseNodeService] [VI216664] successfully loaded geoip database file [GeoLite2-ASN.mmdb]
[2022-03-14T14:11:34,091][INFO ][o.e.i.g.DatabaseNodeService] [VI216664] successfully loaded geoip database file [GeoLite2-City.mmdb]
[2022-03-14T14:11:36,117][INFO ][o.e.i.g.GeoIpDownloader  ] [VI216664] successfully downloaded geoip database [GeoLite2-City.mmdb]
[2022-03-14T14:11:36,670][INFO ][o.e.i.g.GeoIpDownloader  ] [VI216664] successfully downloaded geoip database [GeoLite2-Country.mmdb]
[2022-03-14T14:11:36,735][INFO ][o.e.i.g.DatabaseReaderLazyLoader] [VI216664] evicted [0] entries from cache after reloading database [C:\Users\derkau\AppData\Local\Temp\elasticsearch\geoip-databases\kvjiHaBFQnmfpm17aXuyRA\GeoLite2-Country.mmdb]
[2022-03-14T14:11:36,737][INFO ][o.e.i.g.DatabaseNodeService] [VI216664] successfully loaded geoip database file [GeoLite2-Country.mmdb]
[2022-03-14T14:11:37,067][INFO ][o.e.i.g.DatabaseReaderLazyLoader] [VI216664] evicted [0] entries from cache after reloading database [C:\Users\derkau\AppData\Local\Temp\elasticsearch\geoip-databases\kvjiHaBFQnmfpm17aXuyRA\GeoLite2-City.mmdb]
[2022-03-14T14:11:37,068][INFO ][o.e.i.g.DatabaseNodeService] [VI216664] successfully loaded geoip database file [GeoLite2-City.mmdb]
[2022-03-14T14:13:39,489][INFO ][o.e.t.LoggingTaskListener] [VI216664] 769 finished with response BulkByScrollResponse[took=179.9ms,timed_out=false,sliceId=null,updated=18,created=0,deleted=0,batches=1,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2022-03-14T14:13:40,415][INFO ][o.e.t.LoggingTaskListener] [VI216664] 768 finished with response BulkByScrollResponse[took=1.1s,timed_out=false,sliceId=null,updated=1575,created=0,deleted=0,batches=2,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[2022-03-14T14:13:45,279][INFO ][o.e.x.i.a.TransportPutLifecycleAction] [VI216664] updating index lifecycle policy [.alerts-ilm-policy]
[2022-03-14T14:13:45,655][INFO ][o.e.x.i.a.TransportPutLifecycleAction] [VI216664] updating index lifecycle policy [.preview.alerts-security.alerts-policy]
[2022-03-14T14:18:45,621][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [VI216664] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:59781}
[2022-03-14T14:18:50,707][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [VI216664] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:59830}
[2022-03-14T14:18:55,773][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [VI216664] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:59833}

How would I run this command through cmd? Or do I need some tool I'm missing?
When I run the curl command through PS I get this:

PS C:\Program Files\logstash-8.1.0\bin> curl http://elastic:mypassword@localhost:9200
curl : The underlying connection was closed: The connection was closed unexpectedly.
At line:1 char:1
+ curl http://elastic:MDku8nGonqb7f65wgyM*@localhost:9200
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
   eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

When typing the url: localhost:9200 I get the response from Elasticsearch:

{
  "name" : "VI216664",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "DaBmKq9sTgamx5NvQPAE2g",
  "version" : {
    "number" : "8.0.0",
    "build_flavor" : "default",
    "build_type" : "zip",
    "build_hash" : "1b6a7ece17463df5ff54a3e1302d825889aa1161",
    "build_date" : "2022-02-03T16:47:57.507843096Z",
    "build_snapshot" : false,
    "lucene_version" : "9.0.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

Thank you in Advance.

Your Elasticsearch is using https, so you should also use https in your logstash.

You will probably need to pass a path with the server certificates to logstash using the option cacert.

Do I need to insert cacert in the pipeline in output? like this?

output {
	elasticsearch { hosts => ["https:\\localhost:9200"]
		user => "elastic"
		password => "mypassword" 
		cacert => "certificate"
	}
}

Where is the certificate for Elasticsearch https, under which path?

Thanks in Advance.

Try without the cacert option and see if it works; if not, you need to point to the path with the certificate created by Elasticsearch.

I do not use version 8, so I do not know where those certificates are located.

It puts out the same error without cacert. Do you maybe know someone that is using version 8?

Thanks in Advance.
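
The output-block mistakes this thread works through (`:` instead of `=>`, `username` instead of `user`, credentials sent to an `http` host while Elasticsearch answers on `https`), written as a small linter. This is an added example, not code from the thread or from Elastic; the function names, finding codes, password and CA path are assumptions, and it also flags the `https:\\` host in the last snippet, which the thread did not comment on.

```python
import re

# Wrong setting name seen in the thread, mapped to the name the plugin accepts.
MISNAMED = {"username": "user"}
# A setting: key, assignment operator, then a quoted string or a [ ... ] array.
SETTING = re.compile(r'([A-Za-z_]\w*)\s*(=>|:)\s*(\[[^\]]*\]|"[^"]*")')

# Constructed samples: the three output blocks posted in the thread, then a
# corrected one. Password and CA path are placeholders, not real values.
FIRST_POST = '''output {
  elasticsearch { hosts => ["localhost:9200"]
    username: "elastic"
    password: "PLACEHOLDER"
  }
}'''
SECOND_POST = '''output {
  elasticsearch { hosts => ["localhost:9200"]
    username => "elastic"
    password => "PLACEHOLDER"
  }
}'''
LAST_POST = r'''output {
  elasticsearch { hosts => ["https:\\localhost:9200"]
    user => "elastic"
    password => "PLACEHOLDER"
    cacert => "certificate"
  }
}'''
CORRECTED = '''output {
  elasticsearch { hosts => ["https://localhost:9200"]
    user => "elastic"
    password => "PLACEHOLDER"
    cacert => "C:/path/to/elasticsearch-http-ca.crt"
  }
}'''


def es_output_body(conf):
    """Return the text inside the first `elasticsearch { ... }` block, or None."""
    m = re.search(r"\belasticsearch\s*\{", conf)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[m.end():i]
    return conf[m.end():]  # unbalanced braces: lint what is there


def lint_es_output(conf):
    """Return a sorted list of finding codes for the elasticsearch output."""
    body = es_output_body(conf)
    if body is None:
        return ["no-elasticsearch-output"]
    findings, settings = set(), {}
    for key, op, value in SETTING.findall(body):
        settings[key] = value
        if op == ":":  # YAML habit; the pipeline parser expects "=>"
            findings.add("colon-assignment:" + key)
        if key in MISNAMED:
            findings.add("unknown-setting:%s->%s" % (key, MISNAMED[key]))
    has_creds = any(k in settings for k in ("user", "username", "password"))
    for host in re.findall(r'"([^"]*)"', settings.get("hosts", "")):
        if "\\" in host:
            findings.add("backslash-in-url")
        elif not host.startswith("https://"):
            # No scheme means http, so basic-auth credentials travel unencrypted
            # and a TLS-only Elasticsearch closes the connection.
            findings.add("plaintext-credentials" if has_creds else "plaintext-http")
        elif "cacert" not in settings:
            # Works only if the JVM already trusts the CA that signed the server cert.
            findings.add("https-without-cacert")
    return sorted(findings)


if __name__ == "__main__":
    for name in ("FIRST_POST", "SECOND_POST", "LAST_POST", "CORRECTED"):
        print(name, lint_es_output(globals()[name]))
```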
