Unknown setting 'protocol' for elasticsearch

I have just installed the HTTP Poller plugin, and I am now following the tutorial here.

As instructed by the tutorial, I am using this config:

input {
  http_poller {
    urls => {
      "localhost" => "http://localhost:8000"
    automatic_retries => 0
    # Check the site every 10s
    interval => 10
    # Wait no longer than 8 seconds for the request to complete
    request_timeout => 8
    # Store metadata about the request in this field
    metadata_target => http_poller_metadata
    # Tag this request so that we can throttle it in a filter
    tags => website_healthcheck
filter {
  # The poller doesn't set an '@host' field because it may or may not have meaning
  # In this case we can set it to the 'name' of the host which will be 'localhost'
  # The name is the key used in the poller's 'url' config
  if [http_poller_metadata] {
    mutate {
      add_field => {
        "@host" => "%{http_poller_metadata[name]}"
  # Classify slow requests
  if [http_poller_metadata][runtime_seconds] and [http_poller_metadata][runtime_seconds] > 0.5 {
    mutate {
      add_tag => "slow_request"
  # Classify requests that can't connect or have an unexpected response code
  if [http_request_failure] or
     [http_poller_metadata][code] != 200 {
     # Tag all these events as being bad
     mutate {
       add_tag => "bad_request"
 if "bad_request" in [tags] {
    # Tag all but the first message every 10m as "_throttled_poller_alert"
    # We will later drop messages tagged as such.
    throttle {
      key => "%{@host}-RequestFailure"
      period => 600
      before_count => -1
      after_count => 1
      add_tag => "throttled_poller_alert"
    # Drop all throttled events
    if "throttled_poller_alert" in [tags] {
      drop {}
    # The SNS output plugin requires special fields to send its messages
    # This should be fixed soon, but for now we need to set them here
    # For a more robust  and flexible solution (tolerant of logstash restarts)
    # Logging to elasticsearch and using the Watcher plugin is advised
    mutate {
      add_field => {
        sns_subject => "%{@host} is not so healthy! %{@tags}"
        sns_message => '%{http_request_failure}'
        codec => json
output {
  # Catch throttled messages for request failures
  # If we hit one of these, send the output to stdout
  # as well as an AWS SNS Topic
  #if "http_request_failure" in [tags] {
  #  sns {
  #    codec => json
  #    access_key_id => "YOURKEY"
  #    secret_access_key => "YOURSECRET"
  #    arn => "arn:aws:sns:us-east-1:773216979769:logstash-test-topic"
  #  }
  elasticsearch {
    protocol => http
  stdout {
    codec => rubydebug

I saved the contents above inside a file called http-pipeline.config, which is stored inside the bin folder for logstash.

When I run the command logstash -f http-pipeline.conf, I see the following output:

Sending Logstash logs to C:/Users/Miao/Downloads/logstash-6.7.0/logs which is now configured via log4j2.properties
[2019-04-01T11:28:24,916][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-04-01T11:28:24,947][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.7.0"}
[2019-04-01T11:28:36,623][ERROR][logstash.outputs.elasticsearch] Unknown setting 'protocol' for elasticsearch
[2019-04-01T11:28:36,654][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Something is wrong with your configuration.", :backtrace=>["C:/Users/Miao/Downloads/logstash-6.7.0/logstash-core/lib/logstash/config/mixin.rb:86:in `config_init'", "C:/Users/Miao/Downloads/logstash-6.7.0/logstash-core/lib/logstash/outputs/base.rb:60:in `initialize'", "org/logstash/config/ir/compiler/OutputStrategyExt.java:232:in `initialize'", "org/logstash/config/ir/compiler/OutputDelegatorExt.java:48:in `initialize'", "org/logstash/config/ir/compiler/OutputDelegatorExt.java:30:in `initialize'", "org/logstash/plugins/PluginFactoryExt.java:239:in `plugin'", "org/logstash/plugins/PluginFactoryExt.java:184:in `plugin'", "C:/Users/Miao/Downloads/logstash-6.7.0/logstash-core/lib/logstash/pipeline.rb:71:in `plugin'", "(eval):168:in `initialize'", "org/jruby/RubyKernel.java:1047:in `eval'", "C:/Users/Miao/Downloads/logstash-6.7.0/logstash-core/lib/logstash/pipeline.rb:49:in `initialize'", "C:/Users/Miao/Downloads/logstash-6.7.0/logstash-core/lib/logstash/pipeline.rb:90:in `initialize'", "C:/Users/Miao/Downloads/logstash-6.7.0/logstash-core/lib/logstash/pipeline_action/create.rb:43:in `block in execute'", "C:/Users/Miao/Downloads/logstash-6.7.0/logstash-core/lib/logstash/agent.rb:96:in `block in exclusive'", "org/jruby/ext/thread/Mutex.java:165:in `synchronize'", "C:/Users/Miao/Downloads/logstash-6.7.0/logstash-core/lib/logstash/agent.rb:96:in `exclusive'", "C:/Users/Miao/Downloads/logstash-6.7.0/logstash-core/lib/logstash/pipeline_action/create.rb:39:in `execute'", "C:/Users/Miao/Downloads/logstash-6.7.0/logstash-core/lib/logstash/agent.rb:334:in `block in converge_state'"]}
[2019-04-01T11:28:37,201][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

How can I fix the error Unknown setting 'protocol' for elasticsearch?

Delete the line "protocol => http".

I think that in 2015, when that blog post was written, the elasticsearch output supported the node protocol in addition to the http protocol. It now only supports the http protocol, so you do not need to tell it what protocol to use. See here, from 2016.

Thank you for your reply. I have deleted that line as you suggested. :slight_smile:

I have run into another issue pertaining to the same tutorial, and I have posted about it here. If you have time, will you also kindly take a look there and give me some advice? Thank you very much in advance!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.