Elasticsearch basics: transport client or not? - elasticsearch

I set up a graylog stack (graylog / ES/ Mongo) everything went smooth (well almost), yesterday I tried to get some info using the following command :
curl 'http://127.0.0.1:9200/_nodes/process?pretty'
{
"cluster_name" : "log_server_graylog",
"nodes" : {
"Znz_72SZSyikw6DEC4Wgzg" : {
"name" : "graylog-27274b66-3bbd-4975-99ee-1ee3d692c522",
"transport_address" : "127.0.0.1:9350",
"host" : "127.0.0.1",
"ip" : "127.0.0.1",
"version" : "2.4.4",
"build" : "fcbb46d",
"attributes" : {
"client" : "true",
"data" : "false",
"master" : "false"
},
"process" : {
"refresh_interval_in_millis" : 1000,
"id" : 788,
"mlockall" : false
}
},
"XO77zz8MRu-OOSymZbefLw" : {
"name" : "test",
"transport_address" : "127.0.0.1:9300",
"host" : "127.0.0.1",
"ip" : "127.0.0.1",
"version" : "2.4.4",
"build" : "fcbb46d",
"http_address" : "127.0.0.1:9200",
"process" : {
"refresh_interval_in_millis" : 1000,
"id" : 946,
"mlockall" : false
}
}
}
}
It does look like (to me at least) that there are 2 nodes running; someone on the ES IRC told me that there might be a transport client running (which shows up as a second node)...
I really don't understand where this transport client comes from. Also, the guy from IRC told me it used to be a common setup (using a transport client) but this is discouraged now; how can I reverse the config to follow ES best practices? (which I couldn't find in the docs)
FYI, my config file :
cat /etc/elasticsearch/elasticsearch.yml
cluster.name: log_server_graylog
node.name: test
path.data: /tt/elasticsearch/data
path.logs: /tt/elasticsearch/log
network.host: 127.0.0.1
action.destructive_requires_name: true
# Following are useless as we are defining swappiness to 1; this should prevent ES memory space from being swapped, unless emergency
#bootstrap.mlockall: true
#bootstrap.memory_lock: true
Thanks

I found the answer using the graylog IRC, the second client is the graylog client created by.... Graylog server :)
So everything is normal and as expected.
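The answer above boils down to reading the node attributes: the second node has client=true, data=false, master=false, i.e. it holds no data and cannot become master, which is exactly how Graylog's embedded client node looks. The following is an added example (not part of the original thread or of Graylog/Elasticsearch) that turns that check into a small inventory script: it parses /_nodes output, works out each node's roles for both the 2.x attribute style quoted above and the later "roles" list style, and flags any member whose name does not match an expected prefix. The sample JSON is constructed from the question's output, and the expected-prefix list is an assumption for the demo.

```python
import json

# Constructed sample modelled on the /_nodes output quoted in the question
# (one Graylog client node, one data node); not the page's verbatim output.
SAMPLE_NODES = json.dumps({
    "cluster_name": "log_server_graylog",
    "nodes": {
        "Znz_72SZSyikw6DEC4Wgzg": {
            "name": "graylog-27274b66-3bbd-4975-99ee-1ee3d692c522",
            "transport_address": "127.0.0.1:9350",
            "attributes": {"client": "true", "data": "false", "master": "false"},
        },
        "XO77zz8MRu-OOSymZbefLw": {
            "name": "test",
            "transport_address": "127.0.0.1:9300",
            "http_address": "127.0.0.1:9200",
        },
    },
})

# Constructed 5.x-style entry (roles list) to show the same function handles it.
SAMPLE_NODES_5X = json.dumps({"nodes": {"u6TqFjAvRBa3_4FndfKh4w": {
    "name": "u6TqFjA", "transport_address": "127.0.0.1:9300",
    "roles": ["master", "data", "ingest"]}}})


def node_roles(node):
    """Roles of one node entry from /_nodes.

    ES 2.x reports roles as string attributes (data/master default to true unless
    set to "false"); ES 5.x and later report a "roles" list. An entry with no role
    at all is a client-only node, which is how a transport client or Graylog's
    embedded node shows up.
    """
    if "roles" in node:
        return set(node["roles"])
    attrs = node.get("attributes", {})
    roles = set()
    if attrs.get("data", "true") != "false":
        roles.add("data")
    if attrs.get("master", "true") != "false":
        roles.add("master")
    return roles


def inventory(nodes_json, expected_prefixes):
    """Map node name -> roles/transport address, and flag members whose name matches
    none of the expected prefixes (an unplanned node joining the cluster is worth a look)."""
    report = {}
    for node in json.loads(nodes_json)["nodes"].values():
        name = node["name"]
        report[name] = {
            "roles": sorted(node_roles(node)) or ["client-only"],
            "transport": node.get("transport_address"),
            "expected": any(name.startswith(p) for p in expected_prefixes),
        }
    return report


if __name__ == "__main__":
    # Assumed expected members for the demo: the data node and Graylog's client node.
    for name, info in inventory(SAMPLE_NODES, {"test", "graylog-"}).items():
        flag = "" if info["expected"] else "  <-- not in the expected list"
        print(f"{name}: {info['roles']} via {info['transport']}{flag}")
```

Feed it the live output of curl 'http://127.0.0.1:9200/_nodes?pretty' instead of the sample and keep the prefix list in sync with what is supposed to be joining the cluster; a client-only node that nobody planned for is the thing to investigate, while the Graylog one is expected.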

Related

Elasticsearch "certificate has expired" from Kibana Dev Tools

I have had Elasticsearch and Kibana Helm charts deployed on my Kubernetes cluster for a couple of years now, and I've been working with Kibana's Dev Tools to query my Elasticsearch.
Since a few days ago I started to get the following error when running any query from Kibana's Dev Tools:
{"statusCode":502,"error":"Bad Gateway","message":"certificate has expired"}
But when I try using a curl command or simply opening the browser and entering my Elasticsearch's URL and some URI it works and I get anything I need.
Moreover, when I try to fetch /_ssl/certificates it says that the certificate's expiry is in about a year, so I do get to see that the certificate in use is valid, but still for some reason I get 'certificate expired' from the Dev Tools.
Does anyone know if there are other certificates used that I should check?
Edit: Adding output of field /_ssl/certificates:
$ curl -k -u elastic:*** "https://localhost:9200/_ssl/certificates?pretty"
[
{
"path" : "/usr/share/elasticsearch/config/certs/tls.crt",
"format" : "PEM",
"alias" : null,
"subject_dn" : "CN=***, O=***, L=***, ST=***, C=***",
"serial_number" : "***",
"has_private_key" : true,
"expiry" : "2024-01-19T23:59:59.000Z"
},
{
"path" : "/usr/share/elasticsearch/config/certs/tls.crt",
"format" : "PEM",
"alias" : null,
"subject_dn" : "CN=***, O=***, L=***, ST=***, C=***",
"serial_number" : "***",
"has_private_key" : false,
"expiry" : "2024-01-19T23:59:59.000Z"
},
{
"path" : "/usr/share/elasticsearch/config/certs/tls.crt",
"format" : "PEM",
"alias" : null,
"subject_dn" : "CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US",
"serial_number" : "***",
"has_private_key" : false,
"expiry" : "2031-04-13T23:59:59.000Z"
},
{
"path" : "/usr/share/elasticsearch/config/certs/tls.crt",
"format" : "PEM",
"alias" : null,
"subject_dn" : "CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
"serial_number" : "***",
"has_private_key" : false,
"expiry" : "2031-11-10T00:00:00.000Z"
}
]
Note: Replaced sensitive information with '***'.
It looks like the SSL certificates on one or more nodes have expired. To find that node, go to kibana.yml and check elasticsearch.hosts. Whichever node Kibana is querying, that node's certificate has expired.
You can renew the certificate with the help of this article.
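The answer's procedure has two steps: find which hosts Kibana actually talks to (elasticsearch.hosts in kibana.yml), then check the certificate each of those hosts serves, because _ssl/certificates describes the files on the node you queried, not necessarily the node Kibana uses. The following is an added example, not from the original thread or from Elastic: one function pulls the URLs out of the elasticsearch.hosts line, the other parses a _ssl/certificates response and reports entries that are expired or about to expire. The kibana.yml fragment and the certificate list are constructed samples, and the 30-day warning window is an arbitrary choice.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed kibana.yml fragment; elasticsearch.hosts is the real setting name.
SAMPLE_KIBANA_YML = """
server.port: 5601
elasticsearch.hosts: ["https://es-node-0:9200", "https://es-node-1:9200"]
"""

# Constructed sample in the shape of GET _ssl/certificates; subjects and dates are made up.
SAMPLE_CERTS = json.dumps([
    {"path": "/usr/share/elasticsearch/config/certs/tls.crt", "format": "PEM",
     "subject_dn": "CN=es-node", "has_private_key": True,
     "expiry": "2024-01-19T23:59:59.000Z"},
    {"path": "/usr/share/elasticsearch/config/certs/tls.crt", "format": "PEM",
     "subject_dn": "CN=Some Root CA", "has_private_key": False,
     "expiry": "2031-11-10T00:00:00.000Z"},
])


def kibana_es_hosts(yml_text):
    """URLs from the elasticsearch.hosts line (flow-style list or a single string)."""
    m = re.search(r"^elasticsearch\.hosts:\s*(.+)$", yml_text, re.MULTILINE)
    if not m:
        return []
    return re.findall(r"""https?://[^\s"',\]]+""", m.group(1))


def expiring_certs(certs_json, now, within=timedelta(days=30)):
    """(subject_dn, expiry, status) for every certificate that is expired or expires within the window."""
    findings = []
    for cert in json.loads(certs_json):
        expiry = datetime.strptime(cert["expiry"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append((cert["subject_dn"], cert["expiry"], "expired"))
        elif expiry - now <= within:
            findings.append((cert["subject_dn"], cert["expiry"], "expiring"))
    return findings


if __name__ == "__main__":
    # In real use, query _ssl/certificates on each host returned here and audit each answer.
    for host in kibana_es_hosts(SAMPLE_KIBANA_YML):
        print("Kibana queries:", host)
    for finding in expiring_certs(SAMPLE_CERTS, datetime.now(timezone.utc)):
        print(finding)
```

The audit has to be run against every host Kibana is configured with: one node answering with a valid tls.crt says nothing about the certificate another node (or the one Kibana happens to be pinned to) presents.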

Elk stack, why I can't create index of rabbitmq messages?

I recently developed a C# web app that produces and consumes messages on a RabbitMQ exchange of topic type; everything is working very well. Then I decided to use the ELK stack to analyze the RabbitMQ logs and it is also working very well, as expected. Then my troubles started when I decided to try to log all the messages that are produced and consumed.
I followed this guide to deploy the ELK stack.
How to Install ELK Stack on Debian 9
Then my trouble started...
This is an extract of the output of curl -XGET 'localhost:9200':
{
"name" : "dvv7m8h",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "545-XOzEQ7W2C982ISVnng",
"version" : {
"number" : "6.8.4",
"build_flavor" : "default",
"build_type" : "deb",
"build_hash" : "bca0c8d",
"build_date" : "2019-10-16T06:19:49.319352Z",
"build_snapshot" : false,
"lucene_version" : "7.7.2",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
and as the official documentation states (Rabbitmq input plugin) I need to enable the plugin by running this command: bin/logstash-plugin install logstash-input-rabbitmq, but there is no bin/logstash-plugin command available for me! I tried to look nearly everywhere on the world wide web but after three days still no results. For reference I'll post my logstash config file as well.
input {
  rabbitmq {
    # host takes the broker hostname only; the port is a separate setting
    host => "xxx.yyy.zz.nn"
    port => 5672
    exchange => "my_exchange"
    exchange_type => "topic"
    id => "rabb"
  }
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "rabtest-%{+YYYY.MM.dd}"
  }
}
Can anyone tell me what I'm missing? Is the plugin already shipped as a bundle inside Logstash v6.8.x? Why don't I have the aforementioned command to install the plugin? Thanks.

How to get HBase IP address for Phoenix URL

I can ssh to the Hadoop Cluster and can run the hbase command. But I need to connect using the Phoenix JDBC driver which needs the IP address of the HBase server.
I tried the IP address I used for the cluster with no luck.
This is probably just a generic Hadoop question but where are the IP addresses configured?
If you know the Hadoop cluster namenodes, then you can try pinging them or send a curl request like the one below:
curl 'http://my-namenode-lv-101:50070/jmx?qry=Hadoop:service=NameNode,name=NameNodeStatus'
{
"beans" : [ {
"name" : "Hadoop:service=NameNode,name=NameNodeStatus",
"modelerType" : "org.apache.hadoop.hdfs.server.namenode.NameNode",
"SecurityEnabled" : false,
"NNRole" : "NameNode",
"HostAndPort" : "my-namenode-lv-101:8020",
"LastHATransitionTime" : 1561605051455,
"State" : "standby"
} ]
}
If the State is standby, then that is the current inactive node; you have to try the other nodes to find the one whose State says 'active'... example below:
curl 'http://my-namenode-lv-102:50070/jmx?qry=Hadoop:service=NameNode,name=NameNodeStatus'
{
"beans" : [ {
"name" : "Hadoop:service=NameNode,name=NameNodeStatus",
"modelerType" : "org.apache.hadoop.hdfs.server.namenode.NameNode",
"State" : "active",
"SecurityEnabled" : false,
"NNRole" : "NameNode",
"HostAndPort" : "my-namenode-lv-102:8020",
"LastHATransitionTime" : 1561605054944
} ]
}
To connect to Phoenix/HBase use the ZooKeeper address, port and the zookeeper.znode.parent configuration value configured in your cluster (it can be found in your hbase-site.xml file).
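The answer's loop (query each NameNode's JMX bean, skip the one that says standby, keep the one that says active) is easy to script. The following is an added example, not code from the original answer or from Hadoop: it parses the NameNodeStatus bean, walks a set of candidate hosts until one reports State "active", and carries the SecurityEnabled flag along, since a false value there tells you the cluster is running without Kerberos and that the JMX endpoint answered without any authentication. The sample responses are constructed from the two curl outputs above, a third host simulates one that did not answer, and the 50070 default port and 3-second timeout in the live fetch helper are assumptions.

```python
import json
from urllib.request import urlopen

JMX_QUERY = "/jmx?qry=Hadoop:service=NameNode,name=NameNodeStatus"


def namenode_status(jmx_json):
    """(HostAndPort, State, SecurityEnabled) from one NameNodeStatus JMX response."""
    bean = json.loads(jmx_json)["beans"][0]
    return bean["HostAndPort"], bean["State"], bool(bean.get("SecurityEnabled", False))


def find_active_namenode(responses):
    """responses: web host -> raw JMX body, or None when the host was unreachable.
    Returns (RPC HostAndPort, SecurityEnabled) of the active NameNode, or None."""
    for host, body in responses.items():
        if body is None:
            continue
        try:
            host_and_port, state, secure = namenode_status(body)
        except (ValueError, KeyError, IndexError):
            continue  # malformed answer: skip it rather than guess
        if state == "active":
            return host_and_port, secure
    return None


def fetch_jmx(web_host, port=50070, timeout=3.0):
    """Live fetch for real use; returns None on any error so the caller moves on."""
    try:
        with urlopen(f"http://{web_host}:{port}{JMX_QUERY}", timeout=timeout) as resp:
            return resp.read().decode()
    except OSError:
        return None


# Constructed responses modelled on the two curl outputs in the answer.
SAMPLE_RESPONSES = {
    "my-namenode-lv-101": json.dumps({"beans": [{
        "name": "Hadoop:service=NameNode,name=NameNodeStatus", "NNRole": "NameNode",
        "SecurityEnabled": False, "HostAndPort": "my-namenode-lv-101:8020", "State": "standby"}]}),
    "my-namenode-lv-102": json.dumps({"beans": [{
        "name": "Hadoop:service=NameNode,name=NameNodeStatus", "NNRole": "NameNode",
        "SecurityEnabled": False, "HostAndPort": "my-namenode-lv-102:8020", "State": "active"}]}),
    "my-namenode-lv-103": None,  # simulates a host that did not answer
}

if __name__ == "__main__":
    # Live use: {h: fetch_jmx(h) for h in ("my-namenode-lv-101", "my-namenode-lv-102")}
    print(find_active_namenode(SAMPLE_RESPONSES))
```

The active RPC address is what HDFS clients need; for Phoenix itself the answer's last line still applies, since its JDBC URL is built from the ZooKeeper quorum and znode parent rather than from the NameNode.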

Elasticsearch: automatic parameter propagation in documents

Let's say I have the following documents (containing logs) in Elasticsearch index:
PUT logs/_doc/1
{
"commonId" : "111111",
"comment" : "abc",
"phase" : "start"
}
PUT logs/_doc/2
{
"commonId" : "111111",
"comment" : "cde",
"customerNumber" : "234-333"
}
PUT logs/_doc/3
{
"commonId" : "222222",
"comment" : "efg",
"phase" : "stop"
}
PUT logs/_doc/4
{
"commonId" : "222222",
"comment" : "jkl",
"customerNumber" : "234-555"
}
The thing common to all logs is the commonId attribute.
Problem is:
I want to process the logs in this way:
All logs with the same commonId should exchange their missing attributes with each other. So log 1 should add "customerNumber" : "234-333", and log 2 should add "phase" : "start". Same situation with logs 3 and 4.
Is it possible to do this with any Elasticsearch query? Generally I'm not interested in any paid X-Pack option.
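The question has no answer on the page. The following is an added example, not from the original thread or from Elastic, of doing the propagation outside the cluster: group the documents by commonId, take each shared attribute that exactly one value is known for within a group, and emit a _bulk body of partial updates for the documents that lack it. Fields that differ between siblings are reported as conflicts instead of being overwritten, and per-document fields such as comment are deliberately not propagated. The four documents are a constructed copy of the ones in the question, the index name logs comes from the question, and the list of shared fields is an assumption.

```python
import json
from collections import defaultdict

# Constructed copy of the four documents from the question (id -> _source).
DOCS = {
    "1": {"commonId": "111111", "comment": "abc", "phase": "start"},
    "2": {"commonId": "111111", "comment": "cde", "customerNumber": "234-333"},
    "3": {"commonId": "222222", "comment": "efg", "phase": "stop"},
    "4": {"commonId": "222222", "comment": "jkl", "customerNumber": "234-555"},
}


def propagate(docs, key="commonId", shared=("phase", "customerNumber")):
    """Return (updates, conflicts).

    updates:   {doc_id: {field: value}} with the shared fields each document lacks
               but a sibling with the same key value has.
    conflicts: [(key value, field)] where siblings disagree; nothing is written for those.
    """
    groups = defaultdict(list)
    for doc_id, src in docs.items():
        groups[src[key]].append(doc_id)

    updates, conflicts = {}, []
    for gid, ids in groups.items():
        values = defaultdict(set)  # field -> distinct values seen in this group
        for doc_id in ids:
            for field in shared:
                if field in docs[doc_id]:
                    values[field].add(docs[doc_id][field])
        known = {}
        for field, vals in values.items():
            if len(vals) == 1:
                known[field] = next(iter(vals))
            else:
                conflicts.append((gid, field))
        for doc_id in ids:
            missing = {f: v for f, v in known.items() if f not in docs[doc_id]}
            if missing:
                updates[doc_id] = missing
    return updates, conflicts


def as_bulk(updates, index="logs"):
    """Render the updates as an NDJSON _bulk body of partial-document updates
    (older major versions also require a _type in the action line)."""
    lines = []
    for doc_id, fields in updates.items():
        lines.append(json.dumps({"update": {"_index": index, "_id": doc_id}}))
        lines.append(json.dumps({"doc": fields}))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    updates, conflicts = propagate(DOCS)
    print(as_bulk(updates), end="")
    print("conflicts:", conflicts)
```

In real use the documents come from a scroll or search over the index rather than a dict literal, and the bulk body goes to POST /_bulk; refusing to resolve conflicts keeps a single mislabelled log line from silently rewriting its siblings.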

Cant connect to my proxied elasticsearch node

I'm having issues with connecting from my Go client to my es node.
I have elasticsearch behind an nginx proxy that sets basic auth.
All settings are default in ES besides memory.
Via browser it works wonderfully, but not via this client:
https://github.com/olivere/elastic
I read the docs and it says it uses the /_nodes/http API to connect. Now this is probably where I did something wrong, because the response from that API looks like this:
{
"_nodes" : {
"total" : 1,
"successful" : 1,
"failed" : 0
},
"cluster_name" : "elasticsearch",
"nodes" : {
"u6TqFjAvRBa3_4FndfKh4w" : {
"name" : "u6TqFjA",
"transport_address" : "127.0.0.1:9300",
"host" : "127.0.0.1",
"ip" : "127.0.0.1",
"version" : "5.6.2",
"build_hash" : "57e20f3",
"roles" : [
"master",
"data",
"ingest"
],
"http" : {
"bound_address" : [
"[::1]:9200",
"127.0.0.1:9200"
],
"publish_address" : "127.0.0.1:9200",
"max_content_length_in_bytes" : 104857600
}
}
}
}
I'm guessing I have to set the IPs to my actual IP/domain (my domain is like es01.somedomain.com).
So how do I correctly configure Elasticsearch so that my Go client can connect?
My config files for nginx look similar to this: https://www.elastic.co/blog/playing-http-tricks-nginx
Edit: I found a temporary solution by setting elastic.SetSniff(false) in the Options for the client, but I think that means I can't scale ES horizontally. So still looking for an alternative.
You are looking for the HTTP options, specifically http.publish_host and http.publish_port, which should be set to the publicly reachable address and port of the Nginx server proxying the ES node.
Note that with Elasticsearch listening on 127.0.0.1:9300 for the transport, you won't be able to form a cluster with nodes on other hosts. The transport can be configured similarly with the transport options.
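To see why sniffing fails here and why http.publish_host/http.publish_port fix it: a sniffing client replaces the URL you gave it with the publish_address of every node in /_nodes/http. With the defaults that is 127.0.0.1:9200, which the client then tries to reach on its own machine. The following is an added example, not code from the original thread, from olivere/elastic or from Elastic: it rebuilds the URLs a sniffing client would derive from a /_nodes/http response and vets them from a defender's angle, flagging loopback addresses (unreachable from a remote client) and any address that is not the authenticating Nginx proxy (a client using it would talk to the node directly, skipping the basic auth the proxy enforces). Both responses are constructed; es01.somedomain.com is the hostname mentioned in the question, and port 443 for the proxy is an assumption.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed /_nodes/http responses. BEFORE mirrors the defaults shown in the question;
# AFTER is what the node reports once elasticsearch.yml carries (assumed values):
#   http.publish_host: es01.somedomain.com
#   http.publish_port: 443
BEFORE = json.dumps({"nodes": {"u6TqFjAvRBa3_4FndfKh4w": {"name": "u6TqFjA", "http": {
    "bound_address": ["[::1]:9200", "127.0.0.1:9200"], "publish_address": "127.0.0.1:9200"}}}})
AFTER = json.dumps({"nodes": {"u6TqFjAvRBa3_4FndfKh4w": {"name": "u6TqFjA", "http": {
    "bound_address": ["[::1]:9200", "127.0.0.1:9200"], "publish_address": "es01.somedomain.com:443"}}}})


def sniffed_urls(nodes_http_json, scheme="http"):
    """The URLs a sniffing client derives from /_nodes/http: one per publish_address."""
    data = json.loads(nodes_http_json)
    return [f"{scheme}://{n['http']['publish_address']}"
            for n in data["nodes"].values() if "http" in n]


def vet_sniffed_urls(urls, proxy_hosts):
    """One (url, reason) per URL a remote client could not use or should not be using."""
    problems = []
    for url in urls:
        host = urlsplit(url).hostname
        try:
            if ipaddress.ip_address(host).is_loopback:
                problems.append((url, "loopback address, unreachable from a remote client"))
                continue
        except ValueError:
            pass  # a hostname, not an IP literal
        if host not in proxy_hosts:
            # Going straight to the node skips the basic auth the proxy enforces.
            problems.append((url, "bypasses the authenticating proxy"))
    return problems


if __name__ == "__main__":
    proxies = {"es01.somedomain.com"}
    print("defaults:", vet_sniffed_urls(sniffed_urls(BEFORE), proxies))
    print("publish_host set:", vet_sniffed_urls(sniffed_urls(AFTER, "https"), proxies))
```

Disabling sniffing with elastic.SetSniff(false), as the edit to the question describes, makes the client stick to the URL it was given; setting the publish address to the proxy keeps sniffing and still routes every discovered node through the proxy. Either way, the check above is worth running on the live /_nodes/http output, since any publish_address that is not the proxy is a path around it.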
