Here is the setup for my ELK stack. I have about 3 data shippers running on different boxes which ship the log files to a central logstash server. The logstash server parses these events and outputs them to Kibana.
I have been trying so hard and am not able to get to the bottom of the problem. With this whole setup I see dateParse failures in logstash config. But if I change the logstash output to files instead of the elastic server, I do not see dateParse failures. I can also confirm that these parsing failures are coming from multiline events in my log files (the ones with error stack traces). The surprising thing is that if I process these multiline files individually, it works fine. Not sure how I can resolve this?
I have also increased my multiline interval. It has brought down error count but not resolved all the errors. I am falling short of ideas now.
Thanks! I will check how to use that on beats and will see if it resolves my problem.
Another interesting thing I noted today: I started filebeat on just 2 servers out of 3 and there were no errors. When all the logs for the 2 servers were processed, I started filebeat on the third server.
Presently there are no errors in my logstash.
My conclusion: it looks like if a lot of data is sent to the logstash pipeline in one go, it messes up. If data is sent gradually, logstash works.
Yes, I am using Logstash's multiline input, so that means it cannot process a lot of data at one go.
When the filebeat on each server is not started simultaneously, it works; I mean there is a lot of gap in starting filebeat on each server.