Logstash with Slack plugin cannot be monitored in Kibana

Bob04 · June 21, 2017, 7:03pm

Hi All,

After installing Slack plugin, Logstash cannot be monitored from Kibana, though it sends data to Elasticsearch.

This is a Dockerfile:

FROM logstash:5.3.0

RUN logstash-plugin install logstash-output-slack

COPY logstash.conf /usr/share/logstash/pipeline/

CMD ["-f", "/usr/share/logstash/pipeline/logstash.conf"]

logstash.yml:

http.host: "0.0.0.0"
xpack.monitoring.elasticsearch.url: http://elasticsearch:9200
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: changeme

logstash.conf:

input {
  file {
    path => "..."
  }
}

filter {
}

output {
  elasticsearch {
    hosts => "elasticsearch:9200"
  }
}

This is Logstash log, no errors:

log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
13:07:07.016 [[main]-pipeline-manager] WARN  logstash.outputs.elasticsearch - Restored connection to ES instance {:url=>#<URI::HTTP:0x1bf96cf0 URL:http://elasticsearch:9200/>}
13:07:07.028 [[main]-pipeline-manager] INFO  logstash.outputs.elasticsearch - Using mapping template from {:path=>nil}
13:07:11.716 [[main]-pipeline-manager] INFO  logstash.outputs.elasticsearch - Attempting to install template {:manage_template=>{"template"=>"logstash-*", "version"=>50001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"_default_"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword"}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
13:07:12.804 [[main]-pipeline-manager] INFO  logstash.outputs.elasticsearch - New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>[#<URI::Generic:0x1c35e08f URL://elasticsearch:9200>]}
13:07:13.011 [[main]-pipeline-manager] INFO  logstash.outputs.elasticsearch - Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://elasticsearch:9200/]}}
13:07:13.013 [[main]-pipeline-manager] INFO  logstash.outputs.elasticsearch - Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://elasticsearch:9200/, :path=>"/"}
13:07:13.099 [[main]-pipeline-manager] INFO  logstash.outputs.elasticsearch - Using mapping template from {:path=>nil}
13:07:13.116 [[main]-pipeline-manager] INFO  logstash.outputs.elasticsearch - Attempting to install template {:manage_template=>{"template"=>"logstash-*", "version"=>50001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"_default_"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword"}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
13:07:14.329 [[main]-pipeline-manager] INFO  logstash.outputs.elasticsearch - New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>[#<URI::Generic:0x6811b41d URL://elasticsearch:9200>]}
13:07:14.651 [[main]-pipeline-manager] INFO  logstash.outputs.elasticsearch - Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://elasticsearch:9200/]}}
13:07:14.657 [[main]-pipeline-manager] INFO  logstash.outputs.elasticsearch - Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://elasticsearch:9200/, :path=>"/"}
13:07:16.546 [[main]-pipeline-manager] INFO  logstash.outputs.elasticsearch - Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://elasticsearch:9200/]}}
13:07:16.549 [[main]-pipeline-manager] INFO  logstash.outputs.elasticsearch - Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://elasticsearch:9200/, :path=>"/"}
13:07:16.665 [[main]-pipeline-manager] WARN  logstash.outputs.elasticsearch - Restored connection to ES instance {:url=>#<URI::HTTP:0x276270dd URL:http://elasticsearch:9200/>}
13:07:17.111 [[main]-pipeline-manager] INFO  logstash.outputs.elasticsearch - Using mapping template from {:path=>nil}
13:07:17.334 [[main]-pipeline-manager] INFO  logstash.outputs.elasticsearch - Attempting to install template {:manage_template=>{"template"=>"logstash-*", "version"=>50001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"_default_"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword"}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
13:07:17.359 [[main]-pipeline-manager] INFO  logstash.outputs.elasticsearch - New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>[#<URI::Generic:0x2521153b URL://elasticsearch:9200>]}
13:07:20.144 [[main]-pipeline-manager] INFO  logstash.pipeline - Starting pipeline {"id"=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>125}
13:07:21.026 [[main]-pipeline-manager] INFO  logstash.pipeline - Pipeline main started
13:07:23.069 [Api Webserver] INFO  logstash.agent - Successfully started Logstash API endpoint {:port=>9600}

Elasticsearch doesn't have any logs regarding this issue.

Logstash without Slack plugin installed and with the same configuration settings works just fine.

What could be a reason of such behavior?

Bob04 · June 22, 2017, 8:32pm

Is this something that is expected or it could be a bug?

magnusbaeck · June 26, 2017, 5:22am

So you're saying that if you remove RUN logstash-plugin install logstash-output-slack from your dockerfile and try again, Logstash is once again sending monitoring data that can be viewed in Kibana?

Bob04 · June 26, 2017, 3:28pm

Hi Magnus.

For some reason after removing RUN logstash-plugin install logstash-output-slack from Dockerfile, Logstash still cannot be viewed from Kibana. But it is fully functional and works well.

Do you know why this happens?

Bob04 · June 28, 2017, 4:41pm

@magnusbaeck I am just wondering if you have any thoughts or suggestions about that?
This behavior is quite unclear for me, since there are no any error logs in ES saying that Logstash is not able to connect to ES. Moreover, Logstash works very well.

magnusbaeck · June 28, 2017, 5:19pm

I don't know what's going on here.

system · July 26, 2017, 5:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.