Ruby exception occurred: Detected invalid array contents due to unsynchronized modifications with concurrent users


(madhur) #1

I use Elasticsearch 5.6.2 ; logstash 5.6.2 ; filebeat 5.6.2

This is how my filebeat looks like-

filebeat.prospectors:


- input_type: log

  paths:
    - C:\Users\madhur_yadav\Documents\My Received Files\project177\ss_log*.log
  document_type: ss_log
  multiline.pattern: '^\s*[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after

- input_type: log

  paths:
    - C:\Users\madhur_yadav\Documents\My Received Files\project177\ss_cloud_out_log*.log
  document_type: ss_cloud_out_log
  multiline.pattern: '^\s*[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after

- input_type: log

  paths:
     - C:\Users\madhur_yadav\Documents\My Received Files\project177\event.log
  document_type: acp_event
 

- input_type: log

  paths:
    - C:\Users\madhur_yadav\Documents\My Received Files\project177\alert.log
  document_type: acp_alerts

- input_type: log

  paths:
    - C:\Users\madhur_yadav\Documents\My Received Files\project177\vr_log*.log
  document_type: vr_log

- input_type: log

  paths:
    - C:\Users\madhur_yadav\Documents\My Received Files\project177\SM*.log
    - C:\Users\madhur_yadav\Documents\My Received Files\project77\SMGC*.log
  document_type: xs_sm_log

- input_type: log

  paths:
    - C:\Users\madhur_yadav\Documents\My Received Files\project177\Vpxa*.log
  document_type: vpxa_log
  multiline.pattern: '^\s*[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after

- input_type: log

  paths:
    - C:\Users\madhur_yadav\Documents\My Received Files\project177\vmkernel*.log
  document_type: vmkernel_log

- input_type: log

  paths:
    - C:\Users\madhur_yadav\Documents\My Received Files\project177\vmkwarning*.log
  document_type: vmkwarning_log

- input_type: log

  paths:
    - C:\Users\madhur_yadav\Documents\My Received Files\project177\vmksummary*.log
  document_type: vmksummary_log

- input_type: log

  paths:  
    - C:\Users\madhur_yadav\Documents\My Received Files\project177\inventory*.log
  document_type: inventory_data


#================================ General =====================================

fields_under_root: true
fields:
  logstash-forwarder-token: $some_forwarder_token_number_that_can't_be_disclosed $
  project_id: $some_project_id_that_can't_be_disclosed$
  project_timezone: America/Los_Angeles



#----------------------------- Logstash output --------------------------------
output.logstash:
 
  hosts: ["localhost:5044"]

  bulk_max_size: 4096
  timeout: 300

****************___________

My logstash looks like this -

input {
     beats {
       port => "5044"
	   client_inactivity_timeout => "120"
	   ssl => true
	   ssl_certificate => $path to ssl_certificate $
       ssl_key =>$path to ssl_key $
     }
}

filter {
    
	ruby {
		code => "$LOAD_PATH.unshift(File.expand_path('C:\Users\madhur_yadav\Documents\Newfolder\logstash-5.6.2\vendor\jruby\lib\ruby\gems\shared\gems\jwt-1.5.6\lib', __FILE__))
				require 'jwt'
				
					is_token_valid = 'false'
					begin
						token = event.get('logstash-forwarder-token')
						rovius_id = event.get('rovius_id')
						decoded_token = JWT.decode token, 'Eg=A}k!3]VL`d{*`#dDZd4=*', 'HS256'
						decoded_rovius_id = decoded_token[0]['prou']
						if decoded_rovius_id == rovius_id
							is_token_valid = 'true'
						else
							is_token_valid = 'false'
						end
					rescue JWT::ExpiredSignature => exception
						is_token_valid = 'false'
						puts '== ERROR 1000.0 OCCURRED =='
						puts exception.backtrace => exception
					rescue JWT::DecodeError => exception
					is_token_valid = 'false'
						puts '== ERROR 1000.1 OCCURRED =='
						puts exception.backtrace
					rescue => exception
						is_token_valid = 'false'
						puts '== ERROR 1000.2 OCCURRED =='
						puts exception.backtrace
					if is_token_valid == 'false'
						event.cancel
					end
				end"
		
	}
	
	mutate { remove_field => [ "logstash-forwarder-token" ] }
	
	if [type] not in ["acp_alerts", "acp_event", "inventory_data"]{
		grok
		{
			match => [
			  "source","\.(?<source_entity>.+)\.%{YEAR}-%{MONTHNUM}-%{MONTHDAY}.%{ISO8601_TIMEZONE:tz_offset}?"
			]
		}
	}

  if [message] == "null" or [message] == "" {
		drop { }
	}
......GROK PATTERNS.............

output {
...........................
..........................
.......................
}

My problem:

I run 3 filebeats simultaneously using only one logstash. It runs smoothly for 2-3 hours but after that it starts to show errors -
>
> [2018-01-19T15:13:07,391][ERROR][logstash.filters.ruby ] Ruby exception occurred: Detected invalid array contents due to unsynchronized modifications with concurrent users
> [2018-01-19T15:13:07,395][ERROR][logstash.filters.ruby ] Ruby exception occurred: Detected invalid array contents due to unsynchronized modifications with concurrent users
> [2018-01-19T15:13:07,398][ERROR][logstash.filters.ruby ] Ruby exception occurred: Detected invalid array contents due to unsynchronized modifications with concurrent users

I'm using 4 pipeline workers while running logstash. If I increase the pipeline worker number to 5 or more it crashes immediately.

I've tried to update ruby filter plugin, but it was of no use.I'm stuck with this for 2 weeks now and i desperately need help.any solution, suggestion, workaround or any kind of lead would be highly appreciated. :slight_smile:


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.