This is a new instance for testing purposes in a personal lab.
After setting up logstash and adding configuration I start the service. Logstash proceeds to run for a minute or two and just completely stops either receiving logs or sending them to elastic.
I'll stop/start the service and the same behavior happens.
I checked /var/log/logstash for the logs to find no errors/warnings.
Currently sending winlogbeats and netflows to the logstash instance.
Running all the latest components of ELK on a centos 7 server.
No instance of Fatal log events in the debug log file...
Tried pulling logstash out of the instance and giving it its own VM, but I ran into the same issue. Logstash ships logs for a couple minutes then dies and stops altogether.
Debug log shows that it seems to still be working business as usual despite elastic not receiving logs/netflows.
Interesting... I've run into Logstash performing the way you say, but usually there is a FATAL event generated in the logs. Do you have any monitoring configured with X-Pack? What do you have the JVM memory heap set to?
The heap was set to 256m/1g, but wasn't seeing any issues with the cpu usage. I bumped it to 2g/2g to see if that helped, but still got the same issue.
Bumped the heap size for elastic as well to see if that helped any, still same issue as before.
Unfortunately haven't installed x-pack, I'll need to look into setting that up.
Turns out because netflows and winlogbeats were going over the same pipe with no filtering set up, the events were getting mixed up. As soon as I created two different pipes for the different logs, events were ingesting just fine.
Would never have figured that out if I had never installed the x-pack.
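The fix described above, separating the two sources into their own Logstash pipelines, as an added example that is not the poster's actual configuration. It uses Logstash's `pipelines.yml` (multiple pipelines, Logstash 6.0 and later); the file paths, ports, index names and Elasticsearch address are assumptions for a lab box, not values from the thread.

```conf
# ---- /etc/logstash/pipelines.yml (constructed example) ----
# Replace the stock "main" entry that globs /etc/logstash/conf.d/*.conf;
# leaving it in place would load BOTH files into one pipeline again and
# put netflow and winlogbeat events back on the same pipe.
- pipeline.id: winlogbeat
  path.config: "/etc/logstash/conf.d/winlogbeat.conf"
- pipeline.id: netflow
  path.config: "/etc/logstash/conf.d/netflow.conf"

# ---- /etc/logstash/conf.d/winlogbeat.conf (constructed example) ----
# Only Beats traffic enters this pipeline, so any filter added here
# sees winlogbeat fields and nothing else.
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "winlogbeat-%{+YYYY.MM.dd}"
  }
}

# ---- /etc/logstash/conf.d/netflow.conf (constructed example) ----
# NetFlow v5/v9 datagrams decoded by the netflow codec; the events never
# touch the Beats pipeline, so flow fields cannot collide with Windows
# event fields and each source can be indexed and filtered on its own.
input {
  udp {
    port  => 2055
    codec => netflow
  }
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "netflow-%{+YYYY.MM.dd}"
  }
}
```

Start Logstash as a service with no `-f`/`--path.config` argument, otherwise `pipelines.yml` is ignored and a single pipeline is built from the command-line path. To confirm each pipe is actually moving events rather than silently stalling (the symptom in the thread), query the node stats API on the monitoring port, `curl -s http://localhost:9600/_node/stats/pipelines`, and check that `events.in` and `events.out` keep rising for both `winlogbeat` and `netflow`.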