Hello,
Here is an rsyslog-Logstash integration scenario. rsyslog is pumping filtered messages to Logstash. Logstash in turn sends data to Elasticsearch. Something like a storage-full event occurs on the Elasticsearch host. This is when it seems like Elasticsearch blocks further updates from Logstash until the underlying storage problem is solved. Eventually Logstash stalls rsyslog. rsyslog stops logging messages.
What could be the issue here?
One theory is that Logstash puts back pressure on rsyslog to stall data flowing into Logstash.
Could this be the reason why rsyslog hangs?
Here is a snippet of the errors from Logstash:
[INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"cluster_block_exception", "reason"=>"blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];"})
[INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"cluster_block_exception", "reason"=>"blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];"})
[INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>1}
[INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>1}
[INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>1}
[INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"cluster_block_exception", "reason"=>"blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];"})
Thanks
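
An added example, not part of the original post: Python that classifies the Logstash elasticsearch-output messages quoted above and reports which rejection keeps repeating, the kind of check a monitoring job could run to notice that events are no longer being indexed. `summarize`, `repeat_threshold` and the result keys are names chosen here, and the threshold value is an assumption.

```python
import re
from collections import Counter

# Sample input: the Logstash lines quoted in the post above.
SAMPLE_LOG = """\
[INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"cluster_block_exception", "reason"=>"blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];"})
[INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"cluster_block_exception", "reason"=>"blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];"})
[INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>1}
[INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>1}
[INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>1}
[INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"cluster_block_exception", "reason"=>"blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];"})
"""

OUT = r'\[logstash\.outputs\.elasticsearch\s*\] '
RETRY_RE = re.compile(OUT + r'retrying failed action with response code: (\d+) '
                      r'\(\{"type"=>"([^"]+)", "reason"=>"([^"]*)"\}\)')
BULK_RE = re.compile(OUT + r'Retrying individual bulk actions .*\{:count=>(\d+)\}')
# Block entries inside the reason look like [LEVEL/id/description].
BLOCK_RE = re.compile(r'\[([A-Z_]+)/(\d+)/([^\]]+)\]')

def summarize(text, repeat_threshold=3):
    """Count rejected-action retries per (HTTP code, error type) and flag
    any rejection seen at least repeat_threshold times (assumed value)."""
    rejections, blocks, requeued = Counter(), set(), 0
    for line in text.splitlines():
        m = RETRY_RE.search(line)
        if m:
            rejections[(int(m.group(1)), m.group(2))] += 1
            for level, block_id, desc in BLOCK_RE.findall(m.group(3)):
                blocks.add((level, int(block_id), desc))
            continue
        m = BULK_RE.search(line)
        if m:
            requeued += int(m.group(1))  # actions put back for another attempt
    repeating = sorted(k for k, n in rejections.items() if n >= repeat_threshold)
    return {"rejections": dict(rejections), "blocks": sorted(blocks),
            "requeued_actions": requeued, "repeating": repeating}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```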