Logstash Troubleshooting
Checking the Status of the Starting Service
Run following commands to make sure that the service has started completely:
# To view the status of service starting.
systemctl status logstash@<instance-name>
# To view log of service starting to ensure the service is started without issue.
journalctl -u logstash@<instance-name>
Checking the Configuration of the Installed Logstash
The configuration of Logstash is stored in the /var/opt/logstash/<instance-name>/settings* directory by default.
vi /var/opt/logstash/<instance-name>/settings/logstash.yml
Viewing the Logstash Logs
For the purpose of testing and debugging, you can view the logs while starting the service:
tail -f /var/opt/logstash/<instance-name>/logs/logstash-plain.log
Issue: Logstash is Running but not Storing Logs in Elasticsearch
The Logstash logs may contain the following errors:
Attempted to send a bulk request to elasticsearch, but no there are no living connections in the connection pool. Perhaps Elasticsearch is unreachable or down? {:error_message=>"No Available connections", :class=>"LogStash::Outputs::ElasticSearch::HttpClient::Pool::NoConnectionAvailableError", :will_retry_in_seconds=>4}
Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] Connection refused (Connection refused)"}
These errors occur because either the Elasticsearch is not reachable or the Logstash configuration is pointing to a wrong host.
To solve this issue:
- Ensure that Elasticsearch is running, see Elasticsearch troubleshooting.
- Check the Logstash output configuration stored in the directory
/var/opt/logstash/<instance-name>/conf/outputsto verify if the line host => localhost:9200 points to the right host:
output {
elasticsearch {
hosts => localhost:9200
...