Post Upgrading ElasticSearch to 6.8.10 its not receiving data from Logstash(5.6.16)

vsudhaka · July 9, 2020, 4:15am

Hello,

I am new in using ELK stack.

I recently Upgraded Logstash from 5.6.13 -> 5.6.16 ,ElasticSearch Nodes from 5.6.16 -> 6.8.10 and Kibana from 5.6.16 -> 6.8.10.

I did not Upgrade Logstash and FileBeats to version 6.8.10 since it had the Backward compatibility.

Post Upgrade ElasticSearch is not receiving any data from Logstash.Below is the configuration file that have in place.

**input-beats-logstash**
input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => [ "10.199.202.51:9200", "10.199.202.52:9200", "10.199.202.53:9200" ]
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

input-syslog-logstash
input {
tcp {
port => 1514
type => syslog
}
udp {
port => 1514
type => syslog
}
}

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
elasticsearch {
hosts => [ "dfsyd1ela01:9200", "dfsyd1ela02:9200", "dfsyd1ela03:9200" ]
stdout { codec => rubydebug }
}
}

**output_elasticsearch_syd1**

output {
        elasticsearch {
                hosts => [ "10.199.202.51:9200", "10.199.202.52:9200", "10.199.202.53:9200"]
        }

}
``````````````````````````````````````
LogStash Debug Output:- 

root@dfsyd1log01:/etc/logstash/conf.d# /usr/share/logstash/bin/logstash -f logstash-syslog.conf
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties

Can someone please help in resolving this issue.

Christian_Dahlqvist · July 9, 2020, 4:31am

In Elasticsearch 6.x an index can only support a single document type as document types are being deprecated. I see you are specifying document type in your output, and this could cause indexing errors if it took different values or conflicted with an index template.

vsudhaka · July 9, 2020, 4:53am

Thanks Chris for your suggestion.

I have now removed the document_type from the file.Please see below is the latest entries.

Is there a way I can test the ingestion to Elasticsearch nodes or can you suggest any better way of testing the data ingest to Elasticsearch?

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => [ "10.199.202.51:9200", "10.199.202.52:9200", "10.199.202.53:9200" ]
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}

system · August 6, 2020, 4:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch not creating index post upgrade to version 6.8.10 from version 5.6.16 Elasticsearch	3	544	August 10, 2020
No logstash data showing up in kibana Kibana	3	300	November 6, 2020
ELK Stack upgraded, and logstash is not sending data to elasticsearch Logstash	5	1565	July 6, 2017
Logstash not processing new beat Logstash	2	292	February 28, 2019
Logstash parsing broken after upgrading from filebeat 5.6 to 7.6. Appears to be an issue with logs not getting tagged correctly Beats filebeat	2	516	March 25, 2020

Post Upgrading ElasticSearch to 6.8.10 its not receiving data from Logstash(5.6.16)

Related Topics