New logstash server in Azure elastic 3 node cluster

HeadScratcher · November 19, 2017, 8:40pm

this weekend i've been attempting to get my cluster running.
I chose the Azure market place Elastic/Kibana/X-PACK setup and configured it like this

Single Subnet 10.0.0.0/24
3 data nodes 10.0.0.6, 10.0.0.7, 10.0.0.8
Internal Load Balancer 10.0.0.4
1 Kibana Server 10.0.0.5

When everything had installed, i could access the kibana site via the public address and see the cluster state etc.. but i had no way of pushing data into the 3 data nodes that are running elasticsearch.

From the kibana server i can telnet to ports 9200 and 9300 on the three nodes.

After adding an external IP to each of the three nodes, telnetting to them, i can also see 'back' to the kibana server.

So i install Logstash onto the Kibana server and configure a plugin to pull data from a soure and push it to one of the data nodes... i start getting problems... and just to cover the loadbalancer issue, i tried pushing to that also.

i have three issues i think;

can i see in the monitoring page in kibana, the log stash server as part of the cluster or am i not able to do this? or shouldn't ?!

i tried pushing data to the ES cluster and got this error

{:timestamp=>"2017-11-19T19:58:39.159000+0000", :message=>"An unexpected error occurred!", :error=>#<URI::InvalidURIError: path conflicts with opaque>, :class=>"URI::InvalidURIError", :backtrace=>["/opt/logstash/vendor/jruby/lib/ruby/1.9/uri/generic.rb:815:in check_path'", "/opt/logstash/vendor/jruby/lib/ruby/1.9/uri/generic.rb:870:inpath='", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.5.5-java/lib/logstash/outputs/elasticsearch/http_client.rb:178:in host_to_url'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.5.5-java/lib/logstash/outputs/elasticsearch/http_client.rb:109:inbuild_client'", "org/jruby/RubyArray.java:2414:in map'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.5.5-java/lib/logstash/outputs/elasticsearch/http_client.rb:109:inbuild_client'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.5.5-java/lib/logstash/outputs/elasticsearch/http_client.rb:20:in initialize'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.5.5-java/lib/logstash/outputs/elasticsearch/http_client_builder.rb:40:inbuild'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.5.5-java/lib/logstash/outputs/elasticsearch.rb:132:in build_client'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.5.5-java/lib/logstash/outputs/elasticsearch/common.rb:14:inregister'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/output_delegator.rb:75:in register'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:173:instart_workers'", "org/jruby/RubyArray.java:1613:in each'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:173:instart_workers'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:126:in run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/agent.rb:210:inexecute'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/runner.rb:90:in run'", "org/jruby/RubyProc.java:281:incall'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/runner.rb:95:in run'", "org/jruby/RubyProc.java:281:incall'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/stud-0.0.22/lib/stud/task.rb:24:in `initialize'"], :level=>:warn}

using the following plugin;

input {
twitter {
consumer_key => "REDACTED"
consumer_secret => "REDACTED"
oauth_token => "REDACTED"
oauth_token_secret => "REDACTED"
keywords => ["Call of Duty"]
full_tweet => true
}
}

output {
elasticsearch {
hosts => "10.0.0.4" <---- tried also the other ES IP addresses
bind_port => 9300
index => "*"
cluster => "Intel-CL"
document_type => "Twitter"
node_name => 'intelkibana'
}
}

Also i'm not seeing any connections on any of the ES servers running netstat -nlp so its like the Logstash service running on Kibana isn't even connecting, yet i know the ports are open. So should i have a dedicated logstash server? should i not have logstash running on the kibana server?

is there any documentation/blogs of anyone who's run the same Azure market place setup ( near enough ) and then added a logstash server into the same subnet and configured it to push data to the ES nodes? as all the research and the blind alleys i've gone down this weekend , two days of chasing links and testing ideas based on Bitnami, LOGZ.IO and many other examples, i seriously do not understand why there is so much information but none of it is relevant to logstash and clusters... plenty of base data, but nothing on how to pull it all together.

I could instead just create one single large VM in azure, install ELK and have it running in about an hour, but i thought i'd try the clustering approach and use the market place.... im thinking this is a mistake as the market place product should be complete and not half finished as it is, and should have some sort of information on how to push info into it, as on it's own, its pretty useless from my point of view.

warkolm · November 19, 2017, 9:14pm

If you install X-Pack in Logstash too, yes.
These settings are not valid

You may want to read Elasticsearch output plugin | Logstash Reference [6.0] | Elastic

HeadScratcher · November 20, 2017, 8:43am

so if i create a separate logstash server in the same subnet, then install xpack that will allow it to participate ?

Then kibana server is part of the cluster and has logstash installed on it..or is there a plugin for logstash regarding xpack ?

warkolm · November 20, 2017, 8:55am

You can run Logstash on the same host as Kibana, you just need to install X-Pack as a Logstash plugin to see it in the Monitoring page - https://www.elastic.co/guide/en/logstash/6.0/setup-xpack.html

HeadScratcher · November 20, 2017, 8:56am

ahhhh

thanks

HeadScratcher · November 20, 2017, 10:45am

So i looked at https://www.elastic.co/guide/en/logstash/6.0/setup-xpack.html and followed the instructions..

then i ran this to install direct from the internet....

( notice all documentation says to use "logstash-plugin" instead of "plugin" which isn't the case in my 2.2.4 install as i have no logstash-plugin file to run)

elkman@Intelkibana:/opt/logstash/bin$ sudo ./plugin install x-pack
Validating x-pack
x-pack is not a Logstash plugin
ERROR: Installation aborted, verification failed for x-pack

the logstash plugin its basically one .gem file, which i extracted and put into /opt/logstash dir then ran this command...

sudo ./plugin install /opt/logstash/x-pack-6.0.0-java.gem

i get this message:

elkman@Intelkibana:/opt/logstash/bin$ sudo ./plugin install /opt/logstash/x-pack-6.0.0-java.gem
Validating /opt/logstash/x-pack-6.0.0-java.gem
Installing x-pack
Error Bundler::GemspecError, retrying 1/10
There was a Errno::ENOENT while loading x-pack.gemspec:
No such file or directory - /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/VERSION from
/opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/x-pack.gemspec:3:in eval_gemspec' Error Bundler::GemspecError, retrying 2/10 There was a Errno::ENOENT while loading x-pack.gemspec: No such file or directory - /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/VERSION from /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/x-pack.gemspec:3:ineval_gemspec'
Error Bundler::GemspecError, retrying 3/10
There was a Errno::ENOENT while loading x-pack.gemspec:
No such file or directory - /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/VERSION from
/opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/x-pack.gemspec:3:in eval_gemspec' Error Bundler::GemspecError, retrying 4/10 There was a Errno::ENOENT while loading x-pack.gemspec: No such file or directory - /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/VERSION from /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/x-pack.gemspec:3:ineval_gemspec'
Error Bundler::GemspecError, retrying 5/10
There was a Errno::ENOENT while loading x-pack.gemspec:
No such file or directory - /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/VERSION from
/opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/x-pack.gemspec:3:in eval_gemspec' Error Bundler::GemspecError, retrying 6/10 There was a Errno::ENOENT while loading x-pack.gemspec: No such file or directory - /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/VERSION from /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/x-pack.gemspec:3:ineval_gemspec'
Error Bundler::GemspecError, retrying 7/10
There was a Errno::ENOENT while loading x-pack.gemspec:
No such file or directory - /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/VERSION from
/opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/x-pack.gemspec:3:in eval_gemspec' Error Bundler::GemspecError, retrying 8/10 There was a Errno::ENOENT while loading x-pack.gemspec: No such file or directory - /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/VERSION from /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/x-pack.gemspec:3:ineval_gemspec'
Error Bundler::GemspecError, retrying 9/10
There was a Errno::ENOENT while loading x-pack.gemspec:
No such file or directory - /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/VERSION from
/opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/x-pack.gemspec:3:in eval_gemspec' Error Bundler::GemspecError, retrying 10/10 There was a Errno::ENOENT while loading x-pack.gemspec: No such file or directory - /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/VERSION from /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/x-pack.gemspec:3:ineval_gemspec'
Too many retries, aborting, caused by Bundler::GemspecError
ERROR: Installation Aborted, message: There was a Errno::ENOENT while loading x-pack.gemspec:
No such file or directory - /opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/VERSION from
/opt/logstash/vendor/local_gems/0d15e0fe/x-pack-6.0.0-java/x-pack.gemspec:3:in `eval_gemspec'

what am i doing wrong ? i thought you could pull down the plugins from a repo of some kind and it will install

HeadScratcher · November 20, 2017, 2:54pm

scouring the internet for information, everything seems to point towards installing x-pack into an ES instance then installing the x-pack plugin into logstash that is sitting on the same machine as ES, but nothing about installing logstash x-pack plugin as a stand alone.

As the market place install of my 3 node cluster and 1 kibana vm already has x-pack installed, i opted to install logstash on the kibana vm and try to get the x-pack logstash plugin installed.... no such luck.

Anyone come across running or installing the x-pack plugin into logstash before ?

warkolm · November 20, 2017, 7:03pm

X-Pack for Logstash is not available for 2.X, is there a reason you cannot upgrade?

przemolb · November 21, 2017, 9:50am

Can I install Logstash on Kibana host without using X-Pack ?

warkolm · November 21, 2017, 10:02am

Yes but you won't see Logstash in Monitoring.

przemolb · November 21, 2017, 11:09am

Hmm, AFAIR X-Pack is commercial. So we have to buy it, right ?

Christian_Dahlqvist · November 21, 2017, 11:12am

X-Pack is commercial, but there is a Basic License that is free and gives access to Monitoring. You just need to register for it.

system · December 19, 2017, 11:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.