Date: Thu, 4 Oct 2018 11:35:53 +0100 From: Kernel Panic <kpnemesis@gmail.com> To: Benny Goemans <benny.goemans@belgacom.net> Cc: freebsd-ports@freebsd.org Subject: Re: Logstash failing to process messages Message-ID: <CAHYqR4KnGOhWADBYkt0L46D%2BpTXUpw-dg=hWr9P3JyxsSipx-w@mail.gmail.com> In-Reply-To: <CAHYqR4%2B=nfxdRoxh0WMerMNXDs48b8asNmdywsHrS4wbL6sQvg@mail.gmail.com> References: <CAHYqR4J4JuYs3ZCPz37jYifPoyT_NdLuNbfJxDMMx2=TTUWLQA@mail.gmail.com> <4e0c6da9-1942-8a64-cd26-89c7f3cfe6c0@belgacom.net> <CAHYqR4%2B=nfxdRoxh0WMerMNXDs48b8asNmdywsHrS4wbL6sQvg@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Just as an update, we upgraded the ElasticStack to 6.3.2 a couple of months ago and Logstash has not crashed since, so whatever the problem was it appears to have been fixed in the later release. On Thu, 24 May 2018 at 13:47, Kernel Panic <kpnemesis@gmail.com> wrote: > Thanks for getting back to me, yes I suspect it has something to do with > my filters though I've no idea which one it could be as I'm filtering on > beats and syslog inputs. As a work around I've just added a cron command to > restart Logstash every morning at 01:00, though obviously that means I'm > losing non-beat events whilst it restarts. Please let me know if upgrading > to the latest versions helps you, if it doesn't then perhaps a PR needs to > be filed. > > On 24 May 2018 at 11:25, Benny Goemans <benny.goemans@belgacom.net> wrote: > >> I have seen the same issue. In my case however, I had about OOM caused by >> parsing long grok patterns. I didn't have these in 5.3 either so I suspect >> it's a memory leak somewhere. >> I have since upgraded everything to 6.x and am waiting to see if the same >> issue persists. >> >> Regards, >> Benny Goemans >> >> On 23-05-2018 17:23, Kernel Panic wrote: >> >>> Hello, I'll just list the versions before I start: >>> >>> FreeBSD 11.1 >>> >>> Logstash 6.23 >>> Elasticsearch 5.6.8 >>> Kibana 5.6.8 >>> >>> The issue I'm having is that after a few days Logstash will stop >>> processing >>> any messages; I'm using the same config file that I used with Logstash >>> 5.3.0 which worked without issue and was rock-solid. There's nothing in >>> the >>> Logstash log file apart from messages about a field in my Cisco logs >>> being >>> the wrong type and therefore failing to index, however this has always >>> been >>> the case. I have tried enabling the 'dead letter' feature in Logstash to >>> process these Cisco logs but that just makes Logstash even more unstable. >>> >>> The Logstash service doesn't actually crash, it just stops processing >>> messages and fails to respond to the restart command so I end up having >>> to >>> reboot the server. I should say though that Logstash continues to respond >>> the the monitor API commands. >>> >>> I have tried updating all Logstash plugins however that has not fixed the >>> issue. >>> >>> As I said, I never had any problems with Logstash 5.3.0 but the latest >>> version (and version 5.6.8) just seem to become unstable after a few >>> days. >>> >>> Any help is greatly appreciated. >>> _______________________________________________ >>> freebsd-ports@freebsd.org mailing list >>> https://lists.freebsd.org/mailman/listinfo/freebsd-ports >>> To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org" >>> >> >> >> >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAHYqR4KnGOhWADBYkt0L46D%2BpTXUpw-dg=hWr9P3JyxsSipx-w>