Logstash stops processing after forbidden index write

hlamsc · February 3, 2020, 2:53pm

Hello,

our logstash stops processing all logs after a few FORBIDDEN/8/index write errors. I guess those are documents that have an old timestamp and the index for that timerange is already frozen.
I believe we had a similar error a few month back and the only way we found out which index / time was meant was by snooping and find the packets related to those error messages. We then set the index from ready_only to write again and restarted logstash and everything was fine.

Neither in logstash nor elasticsearch are entries that indicate which index is causing this.
Is there an easier / more comfortable way to find out which index is the root cause for this?

Thanks and best regards!

hlamsc · February 5, 2020, 1:18pm

While it would have been useful for analysis, we are now moving forward and add config so that we use the system time for index creation not the value from @timestamp.

ruby {
code => 'event.set("[@metadata][now]", Time.now.strftime("%Y.%m.%d"))'
}

and

  index => "logstash-%{[@metadata][tmplevel]}-%{[@metadata][now]}"

system · March 4, 2020, 1:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash pipeline blocks every write if one index isn't available Logstash	1	228	July 6, 2020
Clearing FORBIDDEN/8/index write (api) blocked bulk actions Logstash	1	1016	June 30, 2020
FORBIDDEN/8/index write (api) - During date change on indexes Elasticsearch ilm-index-lifecycle-management	10	19324	June 15, 2019
Logstash and frozen index Logstash	5	548	December 28, 2020
Logstash, Could not index event to Elasticsearch Logstash	4	1588	August 4, 2020

Logstash stops processing after forbidden index write

Related Topics