X-pack installation with logstash

Hi... I have been trying to install X-Pack in my ELK cluster of 3 nodes. I have Elasticsearch on all 3 nodes, and Logstash and Kibana on 1 node, which I operate physically, and the rest using an SSH server. I have installed X-Pack in ES on all nodes and in Kibana and Logstash. ES and Kibana are working fine and I am able to use the new functionalities on pre-loaded data. When I start Logstash to pump new data into ES, it shows an error.

[2017-06-13T16:37:44,413][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0x7de13e33 URL:http://logstash_system:xxxxxx@localhost:9200/_xpack/monitoring/?system_id=logstash&system_api_version=2&interval=1s>, :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://logstash_system:xxxxxx@localhost:9200/][Manticore::SocketException] Connection refused (Connection refused)"}
[2017-06-13T16:37:44,596][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://logstash_system:xxxxxx@localhost:9200/, :path=>"/"}

In spite of this error, it is pumping data into ES. The config file is:

input {
  file {
    path => "/home/mywavia/Desktop/original/sample.txt"
    start_position => "beginning"
  }
}
filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  geoip {
    source => "clientip"
  }
}
output {
  elasticsearch {
    hosts => ["master","slave-1","slave-2"]
    user => elastic
    password => changeme
  }
}

I had followed this document: https://www.elastic.co/guide/en/x-pack/current/installing-xpack.html
Can anyone suggest what the problem is?

Have you configured the logstash.yml file according to these instructions? It seems odd that there is no link to this page though. I will create an issue for this.

I have added these lines to logstash.yml:
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.url: ["192.168.2.157:9200","192.168.2.158:9200","192.168.2.156:9200"]
xpack.monitoring.elasticsearch.username: elastic
xpack.monitoring.elasticsearch.password: changeme

@Christian_Dahlqvist I have followed your link to configure Logstash, and I have appended these lines to logstash.yml:

xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.url: ["http//master:9200","http//slave-2:9200","http//slave-1:9200"]
xpack.monitoring.elasticsearch.username: logstash_internal
xpack.monitoring.elasticsearch.password: changeme

Since I have not enabled SSL/TLS, I skipped the 3rd point of https://www.elastic.co/guide/en/x-pack/current/monitoring-logstash.html.

I am still getting the same error.

Can you start Logstash with --log.level=debug and send me the logs of the first couple of minutes? You can PM a private pastebin link or a gist if you want.

Just to double check, the url hosts you've shown above aren't correct urls since they're missing the : character. So instead of:

xpack.monitoring.elasticsearch.url: ["http//master:9200","http//slave-2:9200","http//slave-1:9200"]

should be

xpack.monitoring.elasticsearch.url: ["http://master:9200","http://slave-2:9200","http://slave-1:9200"]
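The missing-colon mistake pointed out above can be caught before Logstash is restarted. The following is an added example, not part of the original thread or of Logstash itself; it assumes the setting is written as a one-line `["...", "..."]` list as in the posts, and the function names are hypothetical:

```python
import json
import re

# Constructed sample input: the two settings lines quoted in the thread.
BROKEN = 'xpack.monitoring.elasticsearch.url: ["http//master:9200","http//slave-2:9200","http//slave-1:9200"]'
FIXED = 'xpack.monitoring.elasticsearch.url: ["http://master:9200","http://slave-2:9200","http://slave-1:9200"]'

KEY = "xpack.monitoring.elasticsearch.url"
# Assumption: only scheme://host[:port][/] is accepted; userinfo, paths and
# queries are rejected so that credentials stay in the username/password keys.
ABSOLUTE_URL = re.compile(r"^(https?)://([A-Za-z0-9.-]+)(?::(\d{1,5}))?/?$")


def monitoring_urls(yml_text):
    """Return the URL list stored under KEY in logstash.yml text."""
    for line in yml_text.splitlines():
        line = line.strip()
        if line.startswith("#") or not line.startswith(KEY + ":"):
            continue
        value = json.loads(line[len(KEY) + 1:].strip())  # ["a","b"] is valid JSON
        return [value] if isinstance(value, str) else list(value)
    return []


def lint_monitoring_urls(yml_text):
    """Return (url, reason) for every entry that is not an absolute http(s) URL."""
    problems = []
    for url in monitoring_urls(yml_text):
        m = ABSOLUTE_URL.match(url)
        if m is None:
            if re.match(r"^https?//", url):
                reason = "missing ':' after scheme"
            else:
                reason = "not of the form http(s)://host[:port]"
            problems.append((url, reason))
        elif m.group(3) and not 0 < int(m.group(3)) <= 65535:
            problems.append((url, "port out of range"))
    return problems


if __name__ == "__main__":
    for name, text in (("before", BROKEN), ("after", FIXED)):
        print(name, lint_monitoring_urls(text) or "ok")
```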

Hi, thanks for your reply.

I have updated my logstash.yml. Now it's working fine. It's pumping data into ES. But it's still giving some warnings.
The warnings are:

[2017-06-20T11:01:07,501][INFO ][logstash.pipeline ] Pipeline .monitoring-logstash started
[2017-06-20T11:01:07,544][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>, :added=>[http://master:9200/, http://slave-1:9200/, http://slave-2:9200/]}}
[2017-06-20T11:01:07,546][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://master:9200/, :path=>"/"}
[2017-06-20T11:01:07,632][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>#<URI::HTTP:0x180062b8 URL:http://master:9200/>}
[2017-06-20T11:01:07,632][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://slave-1:9200/, :path=>"/"}
[2017-06-20T11:01:07,655][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>#<URI::HTTP:0x2c86d8f4 URL:http://slave-1:9200/>}
[2017-06-20T11:01:07,656][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://slave-2:9200/, :path=>"/"}
[2017-06-20T11:01:07,709][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>#<URI::HTTP:0x1095b0b4 URL:http://slave-2:9200/>}
[2017-06-20T11:01:07,710][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil}
[2017-06-20T11:01:07,970][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-", "version"=>50001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"default"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword"}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2017-06-20T11:01:07,982][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::Elasticsearch", :hosts=>[#<URI::Generic:0x7cc6648c URL://master>, #<URI::Generic:0x20fef014 URL://slave-1>, #<URI::Generic:0x72e7904d URL://slave-2>]}
[2017-06-20T11:01:08,031][INFO ][logstash.filters.geoip ] Using geoip database {:path=>"/home/mywavia/Downloads/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-4.0.4-java/vendor/GeoLite2-City.mmdb"}
[2017-06-20T11:01:08,106][INFO ][logstash.pipeline ] Starting pipeline {"id"=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>250}
[2017-06-20T11:01:08,501][INFO ][logstash.pipeline ] Pipeline main started
[2017-06-20T11:01:08,605][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2017-06-20T11:01:12,463][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://logstash_system:xxxxxx@localhost:9200/, :path=>"/"}
[2017-06-20T11:01:12,468][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0x3e9569e6 URL:http://logstash_system:xxxxxx@localhost:9200/_xpack/monitoring/?system_id=logstash&system_api_version=2&interval=1s>, :error_type=>LogStash::Outputs::Elasticsearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://logstash_system:xxxxxx@localhost:9200/][Manticore::SocketException] Connection refused (Connection refused)"}
[2017-06-20T11:01:12,500][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://logstash_system:xxxxxx@localhost:9200/, :path=>"/"}
[2017-06-20T11:01:12,504][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0x6f63f27a URL:http://logstash_system:xxxxxx@localhost:9200/_xpack/monitoring/?system_id=logstash&system_api_version=2&interval=1s>, :error_type=>LogStash::Outputs::Elasticsearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://logstash_system:xxxxxx@localhost:9200/][Manticore::SocketException] Connection refused (Connection refused)"}
[2017-06-20T11:01:17,471][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://logstash_system:xxxxxx@localhost:9200/, :path=>"/"}
[2017-06-20T11:01:17,486][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0x542d53e8 URL:http://logstash_system:xxxxxx@localhost:9200/_xpack/monitoring/?system_id=logstash&system_api_version=2&interval=1s>, :error_type=>LogStash::Outputs::Elasticsearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://logstash_system:xxxxxx@localhost:9200/][Manticore::SocketException] Connection refused (Connection refused)"}
[2017-06-20T11:01:17,506][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://logstash_system:xxxxxx@localhost:9200/, :path=>"/"}
[2017-06-20T11:01:17,514][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0x2bb4dc7 URL:http://logstash_system:xxxxxx@localhost:9200/_xpack/monitoring/?system_id=logstash&system_api_version=2&interval=1s>, :error_type=>LogStash::Outputs::Elasticsearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://logstash_system:xxxxxx@localhost:9200/][Manticore::SocketException] Connection refused (Connection refused)"}
[2017-06-20T11:01:17,534][WARN ][logstash.outputs.elasticsearch] Marking url as dead. Last error: [LogStash::Outputs::Elasticsearch::HttpClient::Pool::HostUnreachableError] Elasticsearch Unreachable:

and so on.
But I can't see the Logstash instance in the monitoring and management section through Kibana.
Here is the screenshot ->

Monitoring section is giving this ->

Can you help me with this?

Its corresponding Kibana trash is -

log [05:31:19.843] [info][status][ui settings] Status changed from uninitialized to green - Ready
request [05:31:55.504] [error][monitoring-ui] TypeError: Cannot read property 'type' of null
at clusters.reduce (/home/mywavia/kibana-5.4.0-linux-x86_64/plugins/x-pack/plugins/monitoring/server/cluster_alerts/alerts_clusters_aggregation.js:95:73)
at Array.reduce (native)
at callWithRequest.then.result (/home/mywavia/kibana-5.4.0-linux-x86_64/plugins/x-pack/plugins/monitoring/server/cluster_alerts/alerts_clusters_aggregation.js:67:21)
at tryCatcher (/home/mywavia/kibana-5.4.0-linux-x86_64/node_modules/bluebird/js/main/util.js:26:23)
at Promise._settlePromiseFromHandler (/home/mywavia/kibana-5.4.0-linux-x86_64/node_modules/bluebird/js/main/promise.js:503:31)
at Promise._settlePromiseAt (/home/mywavia/kibana-5.4.0-linux-x86_64/node_modules/bluebird/js/main/promise.js:577:18)
at Promise._settlePromises (/home/mywavia/kibana-5.4.0-linux-x86_64/node_modules/bluebird/js/main/promise.js:693:14)
at Async._drainQueue (/home/mywavia/kibana-5.4.0-linux-x86_64/node_modules/bluebird/js/main/async.js:123:16)
at Async._drainQueues (/home/mywavia/kibana-5.4.0-linux-x86_64/node_modules/bluebird/js/main/async.js:133:10)
at Immediate.Async.drainQueues (/home/mywavia/kibana-5.4.0-linux-x86_64/node_modules/bluebird/js/main/async.js:15:14)
at runCallback (timers.js:666:20)
at tryOnImmediate (timers.js:639:5)
at processImmediate [as _immediateCallback] (timers.js:611:5)

Can you show me the pipeline configuration you're using, or even just the output section of it?

Yeah..

Right now, I have disabled X-Pack security. I have added my hosts file and the system recognizes master, slave-1 and slave-2.

Interesting, I don't see where the localhost is coming from if both your pipeline and xpack settings pointed to master/slave hostnames.

Yeah. I haven't mentioned localhost anywhere. I have used IP instead of localhost. I don't know why it is still going to localhost.

Everything (ES, LS, Kibana) is version 5.4.0, right? I suggest that you run with --log.level=debug --debug.config and post the first few minutes of logging. Please obscure anything you don't want shown in the logs, or send them privately.
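The mismatch the thread ends on (warnings that name localhost while every setting names master/slave hosts) can be pulled out of a Logstash log mechanically. This is an added example, not code from the thread or from Logstash; the log lines are shortened copies of the ones posted above, and `unexpected_targets` is a hypothetical helper name:

```python
import re

# Constructed sample: three lines shortened from the log excerpt in the thread.
SAMPLE_LOG = """\
[2017-06-20T11:01:07,632][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>#<URI::HTTP:0x180062b8 URL:http://master:9200/>}
[2017-06-20T11:01:12,468][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0x3e9569e6 URL:http://logstash_system:xxxxxx@localhost:9200/_xpack/monitoring/?system_id=logstash&system_api_version=2&interval=1s>, :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError}
[2017-06-20T11:01:17,486][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0x542d53e8 URL:http://logstash_system:xxxxxx@localhost:9200/_xpack/monitoring/?system_id=logstash&system_api_version=2&interval=1s>, :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError}
"""

# Hosts named in the pipeline output and in logstash.yml in the thread.
CONFIGURED_HOSTS = {"master", "slave-1", "slave-2"}

FAILED = "Attempted to resurrect connection to dead ES instance"
# Captures the optional user name, the host and the port; the password part is
# matched but never captured, so it cannot end up in the report.
URL_RE = re.compile(
    r"URL:https?://(?:(?P<user>[^:@/\s]+)(?::[^@/\s]*)?@)?"
    r"(?P<host>[^:/>\s]+)(?::(?P<port>\d+))?"
)


def unexpected_targets(log_text, configured_hosts):
    """Count failed-connection warnings per (user, host, port) whose host is not configured."""
    counts = {}
    for line in log_text.splitlines():
        if FAILED not in line:
            continue
        m = URL_RE.search(line)
        if m and m.group("host") not in configured_hosts:
            key = (m.group("user"), m.group("host"), m.group("port"))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (user, host, port), n in unexpected_targets(SAMPLE_LOG, CONFIGURED_HOSTS).items():
        print(f"{n} failed connection(s) to {host}:{port} as user {user}")
```

The user name in each result is worth comparing with `xpack.monitoring.elasticsearch.username` as well: the settings posted in the thread name `logstash_internal`, while the warnings show `logstash_system`.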
