:message=>"Failed action. ", :status=>404, :action=>["index",

thomas.dotreppe · December 9, 2015, 6:06pm

I receive very long log entries with issues such as these (this one is truncated) every few seconds in the logs:

{:timestamp=>"2015-12-09T10:51:52.061000-0700", :message=>"Failed action. ", :status=>404, :action=>["index", {:_id=>nil, :_index=>"logstash-2015.12.09", :_type=>"fortinet",

It happens with LS 2.1.1 and ES 2.1 (or 1.7.3). However my output configuration is much simpler:

output {
        if [type] != 'heartbeat' {
                elasticsearch {
                        hosts => [ "localhost:9200" ]
                }
        }
}

Using the Official Java 8:

java version "1.8.0_66"
Java(TM) SE Runtime Environment (build 1.8.0_66-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.66-b17, mixed mode)

Checking for indices with curl 'localhost:9200/_cat/indices?v' works just fine and returns me the complete list.

I found a topic with a similar message (Logstash "doc_as_upsert" --> Error 404) however, the 'action' is different.

I'm not using shield and ES is only listening on localhost (LS is on the same system). What could be the cause of the issue and how should I fix it?

warkolm · December 10, 2015, 3:36am

Can you post the entire error?

thomas.dotreppe · December 10, 2015, 4:58pm

It just contains a bunch of events/log entries (you can see the beginning of them at the end of the truncated message). I don't think it would be that useful. Let me know if I'm wrong.

thomas.dotreppe · December 14, 2015, 11:19pm

There you go: https://gist.github.com/ThomasdOtreppe/24ca591ac6d3b478a093

Does it help?

warkolm · December 14, 2015, 11:58pm

Was there a corresponding error in ES at the same time?

thomas.dotreppe · December 15, 2015, 12:16am

There is nothing around that time. The closest I can find is probably 20 seconds before or at least 40 seconds later and I don't think it's related:

[2015-12-09 14:54:01,154][DEBUG][action.bulk              ] [Dark-Crawler] observer: timeout notification from cluster service. timeout setting [1m], time since start [1m]

thomas.dotreppe · December 16, 2015, 5:45pm

Anything else I should check?

vtst2412 · December 16, 2015, 6:04pm

According to the response, your ES instance might be choking up on the bulk indexing request:

response=>{"create"=>{"_index"=>"logstash-2015.12.09", "_type"=>"sophos", "_id"=>"AVGKPGYwuOQZauVwWJy6", "status"=>404, "error"=>"EngineClosedException[[logstash-2015.12.09][3] CurrentState[CLOSED] ]"}

Looks like a warning though, I wouldn't worry about it. How much heap space are you allocating to ES?

thomas.dotreppe · December 16, 2015, 6:15pm

on that one, the default value, so probably 2g.

vtst2412 · December 16, 2015, 6:30pm

According to the comment in the source code, this happens when a request is in-bound while the shard is closing. For more high level root cause, we will probably need the logs from ES side.

thomas.dotreppe · December 16, 2015, 6:42pm

Weird, it didn't seem it was closing when I looked at the log, I only could see those:

[2015-12-09 14:54:01,154][DEBUG][action.bulk              ] [Dark-Crawler] observer: timeout notification from cluster service. timeout setting [1m], time since start [1m]

thomas.dotreppe · December 21, 2015, 9:04pm

Any objection about opening a bug report about this? Anything else I should check?

thomas.dotreppe · December 30, 2015, 12:28am

Anywhere else I can look?