Problem adding Logstash to Kibana monitoring

pszemesy · November 21, 2018, 7:34am

Hi All,

I have a problem to add Logstash monitoring to Kibana. I have followed the configuration guidelines, but the Logstash widget does not appear on Kibana Monitoring tab.

My logstash.yml:
node.name: node-1
path.data: /var/lib/logstash
path.logs: /var/log/logstash
# X-Pack Monitoring
# https://www.elastic.co/guide/en/logstash/current/monitoring-logstash.html
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: password
#xpack.monitoring.elasticsearch.url: ["http://192.168.16.124:9200"]
#xpack.monitoring.elasticsearch.ssl.ca: [ "/path/to/ca.crt" ]
#xpack.monitoring.elasticsearch.ssl.truststore.path: path/to/file
#xpack.monitoring.elasticsearch.ssl.truststore.password: password
#xpack.monitoring.elasticsearch.ssl.keystore.path: /path/to/file
#xpack.monitoring.elasticsearch.ssl.keystore.password: password
#xpack.monitoring.elasticsearch.ssl.verification_mode: certificate
#xpack.monitoring.elasticsearch.sniffing: false
#xpack.monitoring.collection.interval: 10s
#xpack.monitoring.collection.pipeline.details.enabled: true
#
# X-Pack Management
# https://www.elastic.co/guide/en/logstash/current/logstash-centralized-pipeline-management.html
#xpack.management.enabled: true
#xpack.management.pipeline.id: ["main", "apache_logs"]
#xpack.management.elasticsearch.username: elastic
#xpack.management.elasticsearch.password: password
#xpack.management.elasticsearch.url: ["http://192.168.16.124:9200"]
#xpack.management.elasticsearch.ssl.ca: [ "/path/to/ca.crt" ]
#xpack.management.elasticsearch.ssl.truststore.path: /path/to/file
#xpack.management.elasticsearch.ssl.truststore.password: password
#xpack.management.elasticsearch.ssl.keystore.path: /path/to/file
#xpack.management.elasticsearch.ssl.keystore.password: password
#xpack.management.elasticsearch.ssl.verification_mode: certificate
#xpack.management.elasticsearch.sniffing: false
#xpack.management.logstash.poll_interval: 5s

ES and Kibana appears on the Kibana"s Monoitoring tab, but Logstash does not.
Have you got any idea what have I missed? Thanks!

aravindputrevu · November 21, 2018, 7:44am

May I know which version of Elasticsearch, Kibana and Logstash you are using?

Also, just in case, if you haven't seen these are the instructions to configure logstash monitoring for latest version 6.5

pszemesy · November 21, 2018, 7:58am

Sorry, I did not mentioned the version - it is 6.4.1 (all of the products).
I have followed that instruction, but the expected result was not reached.

chrisronline · November 21, 2018, 2:16pm

What is your cluster setup like? Do you have a single cluster for everything, or do you have a dedicated monitoring cluster?

pszemesy · November 22, 2018, 5:38am

It is a development site, so single cluster for everything.

shaunak · November 22, 2018, 9:17am

Could you restart Logstash and post the first 50 lines of logs? I want to see if there are any errors or other messages related to Monitoring. Thanks.

pszemesy · November 22, 2018, 12:54pm

Hi,

Please find it below:
[2018-11-22T13:48:57,699][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.4.1"}
[2018-11-22T13:48:57,964][INFO ][logstash.config.source.local.configpathloader] No config files found in path {:path=>"/etc/logstash/conf.d/.conf"}
[2018-11-22T13:49:01,725][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "document_type" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Document types are being deprecated in Elasticsearch 6.0, and removed entirely in 7.0. You should avoid this feature If you have any questions about this, please visit the #logstash channel on freenode irc. {:name=>"document_type", :plugin=><LogStash::Outputs::ElasticSearch bulk_path=>"/_xpack/monitoring/_bulk?system_id=logstash&system_api_version=2&interval=1s", password=>, hosts=>[http://localhost:9200], sniffing=>false, manage_template=>false, id=>"2a5bb8c07e5addf47bc222c03efa114ade32f5cbb3114ae9a3443541240db08e", user=>"logstash_system", document_type=>"%{[@metadata][document_type]}", enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_dbb705e1-636d-40a6-84f9-cbcc21e9c46a", enable_metric=>true, charset=>"UTF-8">, workers=>1, template_name=>"logstash", template_overwrite=>false, doc_as_upsert=>false, script_type=>"inline", script_lang=>"painless", script_var_name=>"event", scripted_upsert=>false, retry_initial_interval=>2, retry_max_interval=>64, retry_on_conflict=>1, action=>"index", ssl_certificate_verification=>true, sniffing_delay=>5, timeout=>60, pool_max=>1000, pool_max_per_route=>100, resurrect_delay=>5, validate_after_inactivity=>10000, http_compression=>false>}
[2018-11-22T13:49:01,914][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>".monitoring-logstash", "pipeline.workers"=>1, "pipeline.batch.size"=>2, "pipeline.batch.delay"=>50}
[2018-11-22T13:49:03,245][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://logstash_system:xxxxxx@localhost:9200/]}}
[2018-11-22T13:49:03,285][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://logstash_system:xxxxxx@localhost:9200/, :path=>"/"}
[2018-11-22T13:49:04,025][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://logstash_system:xxxxxx@localhost:9200/"}
[2018-11-22T13:49:04,144][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2018-11-22T13:49:04,153][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be used to determine the document _type {:es_version=>6}
[2018-11-22T13:49:04,281][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["http://localhost:9200"]}
[2018-11-22T13:49:04,536][INFO ][logstash.licensechecker.licensereader] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://logstash_system:xxxxxx@localhost:9200/]}}
[2018-11-22T13:49:04,540][INFO ][logstash.licensechecker.licensereader] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://logstash_system:xxxxxx@localhost:9200/, :path=>"/"}
[2018-11-22T13:49:04,555][WARN ][logstash.licensechecker.licensereader] Restored connection to ES instance {:url=>"http://logstash_system:xxxxxx@localhost:9200/"}
[2018-11-22T13:49:04,563][INFO ][logstash.licensechecker.licensereader] ES Output version determined {:es_version=>6}
[2018-11-22T13:49:04,564][WARN ][logstash.licensechecker.licensereader] Detected a 6.x and above cluster: the type event field won't be used to determine the document _type {:es_version=>6}
[2018-11-22T13:49:04,868][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>".monitoring-logstash", :thread=>"#<Thread:0x40dd8425 run>"}
[2018-11-22T13:49:04,989][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:".monitoring-logstash"], :non_running_pipelines=>[]}
[2018-11-22T13:49:05,025][INFO ][logstash.inputs.metrics ] Monitoring License OK
[2018-11-22T13:49:05,620][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2018-11-22T13:49:11,268][INFO ][logstash.pipeline ] Pipeline has terminated {:pipeline_id=>".monitoring-logstash", :thread=>"#<Thread:0x40dd8425 run>"}
[2018-11-22T13:50:01,356][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.4.1"}
[2018-11-22T13:50:01,750][INFO ][logstash.config.source.local.configpathloader] No config files found in path {:path=>"/etc/logstash/conf.d/.conf"}
[2018-11-22T13:50:06,549][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "document_type" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Document types are being deprecated in Elasticsearch 6.0, and removed entirely in 7.0. You should avoid this feature If you have any questions about this, please visit the #logstash channel on freenode irc. {:name=>"document_type", :plugin=><LogStash::Outputs::ElasticSearch bulk_path=>"/_xpack/monitoring/_bulk?system_id=logstash&system_api_version=2&interval=1s", password=>, hosts=>[http://localhost:9200], sniffing=>false, manage_template=>false, id=>"2a5bb8c07e5addf47bc222c03efa114ade32f5cbb3114ae9a3443541240db08e", user=>"logstash_system", document_type=>"%{[@metadata][document_type]}", enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_5b891dff-8af6-47e5-8a3d-6aec2639472d", enable_metric=>true, charset=>"UTF-8">, workers=>1, template_name=>"logstash", template_overwrite=>false, doc_as_upsert=>false, script_type=>"inline", script_lang=>"painless", script_var_name=>"event", scripted_upsert=>false, retry_initial_interval=>2, retry_max_interval=>64, retry_on_conflict=>1, action=>"index", ssl_certificate_verification=>true, sniffing_delay=>5, timeout=>60, pool_max=>1000, pool_max_per_route=>100, resurrect_delay=>5, validate_after_inactivity=>10000, http_compression=>false>}
[2018-11-22T13:50:06,716][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>".monitoring-logstash", "pipeline.workers"=>1, "pipeline.batch.size"=>2, "pipeline.batch.delay"=>50}
[2018-11-22T13:50:07,677][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>, :added=>[http://logstash_system:xxxxxx@localhost:9200/]}}
[2018-11-22T13:50:07,721][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://logstash_system:xxxxxx@localhost:9200/, :path=>"/"}
[2018-11-22T13:50:08,276][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://logstash_system:xxxxxx@localhost:9200/"}

Thanks,
P.

shaunak · November 22, 2018, 5:20pm

Thanks for the log. I don't see anything abnormal there. Next, while your Logstash node is running, could you run curl -v http://localhost:9600/_node/pipelines from the same machine and post the results here?

pszemesy · November 23, 2018, 8:51am

Hi,
I have checked it the connection is refused.
I have checked the opened ports on the server and logstash does not opened any ports - although the port opening was ment to be successful in the log.
[2018-11-22T13:49:05,620][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

My colleague mentioned I may have to use JAVA setcap in order to open the port - but port 9600 is not privileged as far as I know?!

system · December 21, 2018, 8:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.