Don't receive alerts after reboot

[tthomasb]

Version

2.4.40

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

70 GB

Storage for /nsm

130 GB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Hello there, after a reboot I don't receive any alerts.

The logs on the sensor logs everything fine. The logs of the manager I will provide down here. I also provide some additional information in the comment section. Installed system is a distributed system with one managersearch and one sensor.

sudo so-log-check (just the logs with informations):

Checking container "so-elastalert":
...
Reading index mapping 'es_mappings/8/elastalert_error.json'

Checking container "so-elastic-fleet"
...
Error: context canceled

Checking container "so-dockerregistry"
...
time="2024-03-20T10:55:59.20758766Z" level=info msg="Purge uploads finished. Num deleted=0, num errors=0"

Checking log file /opt/so/log/influxdb/influxdb.log
...
ts=2024-03-21T09:33:02.176099Z lvl=info msg="http: TLS handshake error from 127.0.0.1:54448: EOF" log_id=0o1ambp0000 service=http

Checking log file /opt/so/log/telegraf/telegraf.log

2024-03-21T00:01:30Z E! [inputs.exec] Error in plugin: metric parse error: expected field at 1:19: "influxsize kbytes="
2024-03-21T00:02:00Z E! [inputs.exec] Error in plugin: metric parse error: expected field at 1:19: "influxsize kbytes="
2024-03-21T08:59:30Z E! [inputs.logstash] Error in plugin: Get "http://localhost:9600/_node/stats/pipelines": dial tcp 127.0.0.1:9600: connect: connection refused

Checking log file /opt/so/log/logstash/logstash.log

[2024-03-21T09:33:41,305][WARN ][logstash.outputs.redis ] Failed to flush outgoing items {:outgoing_count=>1, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:162:in call'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis.rb:270:in block in send_command'", "org/jruby/ext/monitor/Monitor.java:82:in synchronize'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis.rb:269:in send_command'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/commands/lists.rb:86:in rpush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:152:in flush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:221:in block in buffer_flush'", "org/jruby/RubyHash.java:1587:in each'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:216:in buffer_flush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:159:in buffer_receive'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:209:in send_to_redis'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-codec-json-3.1.1/lib/logstash/codecs/json.rb:69:in encode'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:48:in block in encode'", "org/logstash/instrument/metrics/AbstractSimpleMetricExt.java:74:in time'", "org/logstash/instrument/metrics/AbstractNamespacedMetricExt.java:68:in time'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:47:in encode'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:123:in receive'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:104:in block in multi_receive'", "org/jruby/RubyArray.java:1987:in each'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:104:in multi_receive'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:121:in multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:304:in block in start_workers'"]}

[2024-03-21T09:33:41,305][WARN ][logstash.outputs.redis ] Failed to send backlog of events to Redis {:identity=>"redis://@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not allowed when used memory > 'maxmemory'.>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:162:in call'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis.rb:270:in block in send_command'", "org/jruby/ext/monitor/Monitor.java:82:in synchronize'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis.rb:269:in send_command'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/commands/lists.rb:86:in rpush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:152:in flush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:221:in block in buffer_flush'", "org/jruby/RubyHash.java:1587:in each'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:216:in buffer_flush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:159:in buffer_receive'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:209:in send_to_redis'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-codec-json-3.1.1/lib/logstash/codecs/json.rb:69:in encode'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:48:in block in encode'", "org/logstash/instrument/metrics/AbstractSimpleMetricExt.java:74:in time'", "org/logstash/instrument/metrics/AbstractNamespacedMetricExt.java:68:in time'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:47:in encode'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:123:in receive'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:104:in block in multi_receive'", "org/jruby/RubyArray.java:1987:in each'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:104:in multi_receive'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:121:in multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:304:in block in start_workers'"]}

Any idea what's going on?

Kind regards

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[tthomasb]

Test on the manager:

• so-status -> Everything running
• sudo salt * state.highstate -> 0 Failed
• watch 'sudo so-redis-count' -> Always 0
• sudo salt * elastic-agent status -> managersearch/sensor both not available
• sudo salt * cmd.run "elastic-agent status" -> Fleet/Agent both Connected/running
• sudo salt * test.ping -> Managersearch/ Sensor = True

Test on the sensor:

• so-status -> Everything running
• Receive alerts in /nsm/suricata

Test on both:

• Another reboot didn't help

[tthomasb]

Thanks for your reply!

It's one manager search node and one sensor node, so there is no single or multiple search nodes. Here is the logstash log from the manager search node. It's always this two warnings.

[2024-03-22T14:56:46,049][WARN ][logstash.outputs.redis ] Failed to flush outgoing items {:outgoing_count=>1, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:>
[2024-03-22T14:56:46,049][WARN ][logstash.outputs.redis ] Failed to send backlog of events to Redis {:identity=>"redis://@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not allowed when used >

[cm-ops]

Do you see any errors/issues in the Elasticsearch log at /opt/so/log/elasticsearch?

[tthomasb]

Sorry for the late reply. No errors/issues inside the elasticsearch... There are just update role messages.

[tuamortemo]

I have the same problem. There are also no obvious problems in the logs. Try restarting elastic-agent after reboot, or after reboot and starting all containers in so-status. in my case, it helped

[tthomasb]

Thanks for your answer @tuamortemo, but in my case it doesn't helped...

[tthomasb]

Tried to fix the problem with the update to 2.4.60. Update works fine, but the issue is the same...

[cm-ops]

Check your logstash log after the upgrade, do you still see the same errors? If so, what do the pipelines output in these commands:

sudo so-logstash-pipeline-stats manager
sudo so-logstash-pipeline-stats search

[tthomasb]

Hey thanks for the answer. Here is the output of the pipeline. I will check again the errors and send them below. But the problem is still the same. I don't recieve alerts at the managersearch.

sudo so-logstash-pipeline-stats manager
{
"events": {
"filtered": 0,
"duration_in_millis": 4773491870,
"in": 2006,
"out": 0,
"queue_push_duration_in_millis": 3579981533
},
"flow": {
"filter_throughput": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.0,
"last_24_hours": 0.0,
"lifetime": 0.0
},
"worker_concurrency": {
"current": 8.0,
"last_1_minute": 8.0,
"last_5_minutes": 8.0,
"last_15_minutes": 8.0,
"last_1_hour": 8.0,
"last_24_hours": 8.0,
"lifetime": 8.0
},
"output_throughput": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.0,
"last_24_hours": 0.0,
"lifetime": 0.0
},
"queue_backpressure": {
"current": 6.0,
"last_1_minute": 6.0,
"last_5_minutes": 6.0,
"last_15_minutes": 6.0,
"last_1_hour": 6.0,
"last_24_hours": 6.0,
"lifetime": 6.0
},
"input_throughput": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.0,
"last_24_hours": 0.0,
"lifetime": 0.003362
}
},
"plugins": {
"inputs": [
{
"id": "fleet-lumberjack-in",
"name": "beats",
"flow": {
"throughput": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.0,
"last_24_hours": 0.0,
"lifetime": 0.0
}
},
"events": {
"out": 0,
"queue_push_duration_in_millis": 0
}
},
{
"id": "endgame_data",
"name": "http",
"flow": {
"throughput": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.0,
"last_24_hours": 0.0,
"lifetime": 0.0
}
},
"events": {
"out": 0,
"queue_push_duration_in_millis": 0
}
},
{
"id": "2c2e672586354ec42257703878815d06df1108b8360d922400747bbdf536fbcc",
"name": "beats",
"flow": {
"throughput": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.0,
"last_24_hours": 0.0,
"lifetime": 0.003362
}
},
"peak_connections": 6,
"events": {
"out": 2006,
"queue_push_duration_in_millis": 3579981531
},
"current_connections": 6
}
],
"codecs": [
{
"id": "json_7d690225-f77b-46b9-b3e6-34056c11f6ed",
"name": "json",
"encode": {
"writes_in": 1,
"duration_in_millis": 596686609
},
"decode": {
"writes_in": 0,
"duration_in_millis": 0,
"out": 0
}
},
{
"id": "json_6e102987-a1dd-491e-aef6-6123fba4e3ee",
"name": "json",
"encode": {
"writes_in": 0,
"duration_in_millis": 0
},
"decode": {
"writes_in": 0,
"duration_in_millis": 0,
"out": 0
}
},
{
"id": "es_bulk_d7d6a965-111d-4c56-98f1-fd8cf38438b8",
"name": "es_bulk",
"encode": {
"writes_in": 0,
"duration_in_millis": 0
},
"decode": {
"writes_in": 0,
"duration_in_millis": 0,
"out": 0
}
},
{
"id": "plain_ceff3fdd-61eb-4621-b0a6-e30a0486f037",
"name": "plain",
"encode": {
"writes_in": 0,
"duration_in_millis": 0
},
"decode": {
"writes_in": 0,
"duration_in_millis": 0,
"out": 0
}
}
],
"filters": [
{
"id": "c369f92f1220b24e8dd4032dc66de89f123553d695d242ceb0ee86feb6ccfb2e",
"name": "mutate",
"flow": {
"worker_millis_per_event": {
"lifetime": 0.092
},
"worker_utilization": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.0,
"last_24_hours": 0.0,
"lifetime": 0.000001927
}
},
"events": {
"duration_in_millis": 92,
"in": 1000,
"out": 1000
}
},
{
"id": "decf560aab637a613e7d4e22ca1ef7e9d20a0c91e74924ba125db3c41682cb07",
"name": "mutate",
"flow": {
"worker_millis_per_event": {},
"worker_utilization": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.0,
"last_24_hours": 0.0,
"lifetime": 0.0
}
},
"events": {
"duration_in_millis": 0,
"in": 0,
"out": 0
}
}
],
"outputs": [
{
"id": "478479e36364c835825ed1bc0d12bb9bcc310ea75f7e471b1bcc7abe30ace677",
"name": "redis",
"flow": {
"worker_millis_per_event": {
"current": "Infinity",
"last_1_minute": "Infinity",
"last_5_minutes": "Infinity",
"last_15_minutes": "Infinity",
"last_1_hour": "Infinity",
"last_24_hours": "Infinity",
"lifetime": 4773000.0
},
"worker_utilization": {
"current": 100.0,
"last_1_minute": 100.0,
"last_5_minutes": 100.0,
"last_15_minutes": 100.0,
"last_1_hour": 100.0,
"last_24_hours": 100.0,
"lifetime": 100.0
}
},
"events": {
"duration_in_millis": 4773491762,
"in": 1000,
"out": 0
}
}
]
},
"reloads": {
"successes": 0,
"last_failure_timestamp": null,
"failures": 0,
"last_success_timestamp": null,
"last_error": null
},
"queue": {
"type": "memory",
"events_count": 0,
"queue_size_in_bytes": 0,
"max_queue_size_in_bytes": 0
},
"hash": "75d4f5cfaff3a639fb2b9ba4f63967b91f966451d1723acafa736c7d8f3bb2a5",
"ephemeral_id": "c2e1c4ce-cf3b-495b-8a6b-c987899e5eea"
}

sudo so-logstash-pipeline-stats search
{
"events": {
"filtered": 0,
"duration_in_millis": 8298,
"in": 0,
"out": 0,
"queue_push_duration_in_millis": 0
},
"flow": {
"filter_throughput": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.0,
"last_24_hours": 0.0,
"lifetime": 0.0
},
"worker_concurrency": {
"current": 0.0,
"last_1_minute": 0.00001626,
"last_5_minutes": 0.00001327,
"last_15_minutes": 0.00001302,
"last_1_hour": 0.00001272,
"last_24_hours": 0.0000135,
"lifetime": 0.00001391
},
"output_throughput": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.0,
"last_24_hours": 0.0,
"lifetime": 0.0
},
"queue_backpressure": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.0,
"last_24_hours": 0.0,
"lifetime": 0.0
},
"input_throughput": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.0,
"last_24_hours": 0.0,
"lifetime": 0.0
}
},
"plugins": {
"inputs": [
{
"id": "b75a8f5c90198c374d44b424c25f40fd9692e5e4810a1014c56404e5ded05e7b",
"name": "redis",
"flow": {
"throughput": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.0,
"last_24_hours": 0.0,
"lifetime": 0.0
}
},
"events": {
"out": 0,
"queue_push_duration_in_millis": 0
}
}
],
"codecs": [
{
"id": "plain_59562dd1-fb87-4a49-93a7-d194209573d1",
"name": "plain",
"encode": {
"writes_in": 0,
"duration_in_millis": 0
},
"decode": {
"writes_in": 0,
"duration_in_millis": 0,
"out": 0
}
},
{
"id": "plain_68a91b3a-0d1b-4708-9e46-1a77faf99f7f",
"name": "plain",
"encode": {
"writes_in": 0,
"duration_in_millis": 0
},
"decode": {
"writes_in": 0,
"duration_in_millis": 0,
"out": 0
}
},
{
"id": "plain_b462994e-fbcd-487f-ae17-ce947a1513b1",
"name": "plain",
"encode": {
"writes_in": 0,
"duration_in_millis": 0
},
"decode": {
"writes_in": 0,
"duration_in_millis": 0,
"out": 0
}
},
{
"id": "plain_e5f590b6-971f-43b1-8544-fdd6dec78a68",
"name": "plain",
"encode": {
"writes_in": 0,
"duration_in_millis": 0
},
"decode": {
"writes_in": 0,
"duration_in_millis": 0,
"out": 0
}
},
{
"id": "json_fb1e9794-a9aa-454e-83fd-91f591375840",
"name": "json",
"encode": {
"writes_in": 0,
"duration_in_millis": 0
},
"decode": {
"writes_in": 0,
"duration_in_millis": 0,
"out": 0
}
}
],
"filters": [
{
"id": "cd8eb8dc4b7947865c4968333d8c1fae20fdcbb62174e7676429cfd15fb3735c",
"name": "mutate",
"flow": {
"worker_millis_per_event": {
"last_5_minutes": "Infinity",
"last_15_minutes": "Infinity",
"last_1_hour": "Infinity",
"last_24_hours": "Infinity",
"lifetime": "Infinity"
},
"worker_utilization": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.00004145,
"last_15_minutes": 0.00004069,
"last_1_hour": 0.00003456,
"last_24_hours": 0.0000363,
"lifetime": 0.00003951
}
},
"events": {
"duration_in_millis": 1886,
"in": 0,
"out": 0
}
}
],
"outputs": [
{
"id": "e8cb7674d9a99fb67b9bf9d05455f2c418ab8ecf3bce03486c082758e29d1917",
"name": "elasticsearch",
"flow": {
"worker_millis_per_event": {
"last_1_hour": "Infinity",
"last_24_hours": "Infinity",
"lifetime": "Infinity"
},
"worker_utilization": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.000003456,
"last_24_hours": 0.000005061,
"lifetime": 0.000005426
}
},
"events": {
"duration_in_millis": 259,
"in": 0,
"out": 0
}
},
{
"id": "94416e90af6ff7046ed52a4e58a0fda1314c52972ef41f69966fec2afa8342db",
"name": "elasticsearch",
"flow": {
"worker_millis_per_event": {
"last_1_hour": "Infinity",
"last_24_hours": "Infinity",
"lifetime": "Infinity"
},
"worker_utilization": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.000003456,
"last_24_hours": 0.000005061,
"lifetime": 0.000005069
}
},
"events": {
"duration_in_millis": 242,
"in": 0,
"out": 0
}
},
{
"id": "c6bc53dc8d89aba8a752817c27f7456d06ce6b2a58e4b3c7097276446f10b5ce",
"name": "elasticsearch",
"flow": {
"worker_millis_per_event": {
"last_5_minutes": "Infinity",
"last_15_minutes": "Infinity",
"last_1_hour": "Infinity",
"last_24_hours": "Infinity",
"lifetime": "Infinity"
},
"worker_utilization": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.00004145,
"last_15_minutes": 0.00005425,
"last_1_hour": 0.00005875,
"last_24_hours": 0.00006204,
"lifetime": 0.00006134
}
},
"events": {
"duration_in_millis": 2928,
"in": 0,
"out": 0
}
},
{
"id": "endgame_es_output",
"name": "elasticsearch",
"flow": {
"worker_millis_per_event": {
"last_1_hour": "Infinity",
"last_24_hours": "Infinity",
"lifetime": "Infinity"
},
"worker_utilization": {
"current": 0.0,
"last_1_minute": 0.0,
"last_5_minutes": 0.0,
"last_15_minutes": 0.0,
"last_1_hour": 0.000003456,
"last_24_hours": 0.000004627,
"lifetime": 0.000004797
}
},
"events": {
"duration_in_millis": 229,
"in": 0,
"out": 0
}
}
]
},
"reloads": {
"successes": 0,
"last_failure_timestamp": null,
"failures": 0,
"last_success_timestamp": null,
"last_error": null
},
"queue": {
"type": "memory",
"events_count": 0,
"queue_size_in_bytes": 0,
"max_queue_size_in_bytes": 0
},
"hash": "431ffe62a39abfd5ff6f3591e0d0c94ecbb6944433b9dcd7231da4e36ccfd9e6",
"ephemeral_id": "f9fac292-4c01-4a9a-ab9c-9b2c90ba7e1a"
}

[tthomasb]

The managersearch. I skipped the empty logs and duplicated errors.

[user@managersearch]$ sudo so-log-check
Security Onion Log Check - Thu Apr 11 01:27:00 PM UTC 2024

• RECENT_LOG_LINES: 200
• EXCLUDE_STARTUP_ERRORS: N
• EXCLUDE_FALSE_POSITIVE_ERRORS: N
• EXCLUDE_KNOWN_ERRORS: N

Checking container "so-elastalert"

Reading index mapping 'es_mappings/8/elastalert_error.json'

Checking container "so-dockerregistry"

time="2024-04-05T15:16:55.969668304Z" level=info msg="Purge uploads finished. Num deleted=0, num errors=0"

Checking log file /opt/so/log/kratos/kratos.log

{"audience":"audit","error":{"debug":"","message":"request does not have a valid authentication session","reason":"No active session was found in this request.","stack_trace":"\ngithub.com/ory/kratos/session.(*ManagerHTTP).FetchFromRequest\n\t/go/src/github.com/ory/kratos/session/manager_http.go:236\ngithub.com/ory/kratos/session.(*Handler).whoami\n\t/go/src/github.com/ory/kratos/session/handler.go:215\ngithub.com/ory/kratos/x.(*RouterPublic).Handle.NoCacheHandle.func1\n\t/go/src/github.com/ory/kratos/x/nocache.go:21\ngithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/httprouter@v1.3.0/router.go:387\ngithub.com/ory/nosurf.(*CSRFHandler).handleSuccess\n\t/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:234\ngithub.com/ory/nosurf.(*CSRFHandler).ServeHTTP\n\t/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:185\ngithub.com/urfave/negroni.(*Negroni).UseHandler.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/kratos/x.glob..func1\n\t/go/src/github.com/ory/kratos/x/clean_url.go:15\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/kratos/cmd/daemon.servePublic.func1\n\t/go/src/github.com/ory/kratos/cmd/daemon/serve.go:111\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:284\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:142\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:92\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:104\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:234\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/ory/x/prometheusx.Metrics.Instrument.Metrics.instrumentHandlerStatusBucket.func1\n\t/go/pkg/mod/github.com/ory/x@v0.0.614/prometheusx/metrics.go:115\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2136\ngithub.com/ory/x/prometheusx.(MetricsManager).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.614/prometheusx/middleware.go:41\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/metricsx.(Service).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.614/metricsx/middleware.go:272\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38","status":"Unauthorized","status_code":401},"http_request":{"headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8","accept-encoding":"gzip, deflate, br","accept-language":"de,en-US;q=0.7,en;q=0.3","connection":"close","cookie":"Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true".","if-modified-since":"Tue, 19 Mar 2024 18:07:37 GMT","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"none","sec-fetch-user":"?1","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0","x-forwarded-for":"193.196.188.222","x-forwarded-proto":"https","x-real-ip":"193.196.188.222"},"host":"10.100.79.2","method":"GET","path":"/sessions/whoami","query":null,"remote":"172.17.1.1:60654","scheme":"http"},"level":"info","msg":"No valid session found.","service_name":"Ory Kratos","service_version":"v1.1.0","time":"2024-04-11T13:24:34.420818832Z"}

Checking log file /opt/so/log/influxdb/influxdb.log

ts=2024-04-11T10:25:07.757629Z lvl=info msg="http: TLS handshake error from 127.0.0.1:47532: EOF" log_id=0oMRZ5H0000 service=http

Checking log file /opt/so/log/telegraf/telegraf.log
2024-04-11T00:01:30Z E! [inputs.exec] Error in plugin: metric parse error: expected field at 1:19: "influxsize kbytes="

Checking log file /opt/so/log/logstash/logstash.log

[2024-04-11T13:27:00,801][WARN ][logstash.outputs.redis ] Failed to flush outgoing items {:outgoing_count=>1, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:162:in call'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis.rb:270:in block in send_command'", "org/jruby/ext/monitor/Monitor.java:82:in synchronize'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis.rb:269:in send_command'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/commands/lists.rb:86:in rpush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:152:in flush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:221:in block in buffer_flush'", "org/jruby/RubyHash.java:1587:in each'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:216:in buffer_flush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:159:in buffer_receive'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:209:in send_to_redis'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-codec-json-3.1.1/lib/logstash/codecs/json.rb:69:in encode'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:48:in block in encode'", "org/logstash/instrument/metrics/AbstractSimpleMetricExt.java:74:in time'", "org/logstash/instrument/metrics/AbstractNamespacedMetricExt.java:68:in time'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:47:in encode'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:123:in receive'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:104:in block in multi_receive'", "org/jruby/RubyArray.java:1987:in each'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:104:in multi_receive'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:121:in multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:304:in block in start_workers'"]}
[2024-04-11T13:27:00,801][WARN ][logstash.outputs.redis ] Failed to send backlog of events to Redis {:identity=>"redis://@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not allowed when used memory > 'maxmemory'.>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:162:in call'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis.rb:270:in block in send_command'", "org/jruby/ext/monitor/Monitor.java:82:in synchronize'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis.rb:269:in send_command'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/commands/lists.rb:86:in rpush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:152:in flush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:221:in block in buffer_flush'", "org/jruby/RubyHash.java:1587:in each'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:216:in buffer_flush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:159:in buffer_receive'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:209:in send_to_redis'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-codec-json-3.1.1/lib/logstash/codecs/json.rb:69:in encode'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:48:in block in encode'", "org/logstash/instrument/metrics/AbstractSimpleMetricExt.java:74:in time'", "org/logstash/instrument/metrics/AbstractNamespacedMetricExt.java:68:in time'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:47:in encode'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:123:in receive'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:104:in block in multi_receive'", "org/jruby/RubyArray.java:1987:in each'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:104:in multi_receive'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:121:in multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:304:in block in start_workers'"]}

[M4jx]

Same issue with standalone fresh deployment 2.4.60-20240320.
No alerts and no data in dashboard.
so-log-check shows same results you posted.

[tthomasb]

@M4jx if you find a solution before this is answered. Pls let me know

[M4jx]

@tthomasb the installation is working for me now (even though it is showing installation failed at the end of the installation process #12806).
Usually, when I perform the installation, the SPAN port is already enabled in the router and connected to the sniffing NIC. However, this time, I have disabled the SPAN port from my router and performed the installation and then re-enabled it after the installation is done.
I don't think this is the reason it did not work, but you can give it a shot. In your case, try to unplug the cable from your sniffing NIC and reboot, then plug it in again when the grid has booted successfully.

[tthomasb]

I will give it a try. Thank you!

[tthomasb]

In my case it doesn't work...

[cm-ops]

Can you restart Logstash and share the whole logstash.log after restart please? Looks like events are making it to the Redis output and stopping there.

[tthomasb]

Hey @cm-ops, thanks again for the reply. After "Failed to flush outgoing items" and "Failed to send backlog of events to Redis" there are just this two messages all the way down.

[2024-04-12T14:16:12,180][WARN ][logstash.runner          ] SIGTERM received. Shutting down.
[2024-04-12T14:16:12,339][WARN ][logstash.outputs.redis   ] Failed to flush outgoing items {:outgoing_count=>1, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/>
[2024-04-12T14:16:12,339][WARN ][logstash.outputs.redis   ] Failed to send backlog of events to Redis {:identity=>"redis://<password>@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not al>
[2024-04-12T14:16:13,341][WARN ][logstash.outputs.redis   ] Failed to flush outgoing items {:outgoing_count=>1, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/>
[2024-04-12T14:16:13,342][WARN ][logstash.outputs.redis   ] Failed to send backlog of events to Redis {:identity=>"redis://<password>@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not al>
[2024-04-12T14:16:14,344][WARN ][logstash.outputs.redis   ] Failed to flush outgoing items {:outgoing_count=>1, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/>
[2024-04-12T14:16:14,344][WARN ][logstash.outputs.redis   ] Failed to send backlog of events to Redis {:identity=>"redis://<password>@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not al>
[2024-04-12T14:16:15,345][WARN ][logstash.outputs.redis   ] Failed to flush outgoing items {:outgoing_count=>1, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/>
[2024-04-12T14:16:15,346][WARN ][logstash.outputs.redis   ] Failed to send backlog of events to Redis {:identity=>"redis://<password>@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not al>
[2024-04-12T14:16:15,592][INFO ][logstash.javapipeline    ] Pipeline terminated {"pipeline.id"=>"search"}
[2024-04-12T14:16:16,203][INFO ][logstash.pipelinesregistry] Removed pipeline from registry successfully {:pipeline_id=>:search}
[2024-04-12T14:16:16,347][WARN ][logstash.outputs.redis   ] Failed to flush outgoing items {:outgoing_count=>1, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/>
[2024-04-12T14:16:16,348][WARN ][logstash.outputs.redis   ] Failed to send backlog of events to Redis {:identity=>"redis://<password>@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not al>
[2024-04-12T14:16:17,349][WARN ][logstash.outputs.redis   ] Failed to flush outgoing items {:outgoing_count=>1, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/>
[2024-04-12T14:16:17,349][WARN ][logstash.outputs.redis   ] Failed to send backlog of events to Redis {:identity=>"redis://<password>@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not al>
[2024-04-12T14:16:18,351][WARN ][logstash.outputs.redis   ] Failed to flush outgoing items {:outgoing_count=>1, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/>
[2024-04-12T14:16:18,351][WARN ][logstash.outputs.redis   ] Failed to send backlog of events to Redis {:identity=>"redis://<password>@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not al>
[2024-04-12T14:16:19,354][WARN ][logstash.outputs.redis   ] Failed to flush outgoing items {:outgoing_count=>1, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/>
[2024-04-12T14:16:19,354][WARN ][logstash.outputs.redis   ] Failed to send backlog of events to Redis {:identity=>"redis://<password>@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not al>
[2024-04-12T14:16:20,355][WARN ][logstash.outputs.redis   ] Failed to flush outgoing items {:outgoing_count=>1, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/>
[2024-04-12T14:16:20,356][WARN ][logstash.outputs.redis   ] Failed to send backlog of events to Redis {:identity=>"redis://<password>@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not al>
[2024-04-12T14:16:21,358][WARN ][logstash.outputs.redis   ] Failed to flush outgoing items {:outgoing_count=>1, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/>
[2024-04-12T14:16:21,358][WARN ][logstash.outputs.redis   ] Failed to send backlog of events to Redis {:identity=>"redis://<password>@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not al>
[2024-04-12T14:17:02,718][INFO ][logstash.runner          ] Log4j configuration path used is: /usr/share/logstash/config/log4j2.properties
[2024-04-12T14:17:02,722][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.10.4", "jruby.version"=>"jruby 9.4.2.0 (3.1.0) 2023-03-08 90d2913fda OpenJDK 64-Bit Server VM 17.0.8+7 on 17.0.8+7 +jit [x86_6>
[2024-04-12T14:17:02,723][INFO ][logstash.runner          ] JVM bootstrap flags: [-Dlog4j2.formatMsgNoLookups=true, -Xms1000m, -Xmx1000m, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compile>
[2024-04-12T14:17:03,262][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2024-04-12T14:17:03,497][INFO ][org.reflections.Reflections] Reflections took 68 ms to scan 1 urls, producing 132 keys and 464 values
[2024-04-12T14:17:03,671][WARN ][logstash.inputs.http     ] You are using a deprecated config setting "ssl_verify_mode" set in http. Deprecated settings will continue to work, but are scheduled for removal from logstash in the f>
[2024-04-12T14:17:03,672][WARN ][logstash.inputs.http     ] You are using a deprecated config setting "ssl" set in http. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Set '>
[2024-04-12T14:17:03,776][WARN ][logstash.inputs.beats    ] You are using a deprecated config setting "ssl_verify_mode" set in beats. Deprecated settings will continue to work, but are scheduled for removal from logstash in the >
[2024-04-12T14:17:03,777][WARN ][logstash.inputs.beats    ] You are using a deprecated config setting "ssl" set in beats. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Use >
[2024-04-12T14:17:03,780][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "ssl_certificate_verification" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for rem>
[2024-04-12T14:17:03,781][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "ssl" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for removal from logstash in the>
[2024-04-12T14:17:03,787][WARN ][logstash.inputs.beats    ] You are using a deprecated config setting "ssl" set in beats. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Use >
[2024-04-12T14:17:03,798][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "ssl_certificate_verification" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for rem>
[2024-04-12T14:17:03,799][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "ssl" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for removal from logstash in the>
[2024-04-12T14:17:03,811][INFO ][logstash.javapipeline    ] Pipeline `manager` is configured with `pipeline.ecs_compatibility: disabled` setting. All plugins in this pipeline will default to `ecs_compatibility => disabled` unles>
[2024-04-12T14:17:03,811][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "ssl_certificate_verification" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for rem>
[2024-04-12T14:17:03,812][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "ssl" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for removal from logstash in the>
[2024-04-12T14:17:03,825][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "ssl_certificate_verification" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for rem>
[2024-04-12T14:17:03,826][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "ssl" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for removal from logstash in the>
[2024-04-12T14:17:03,830][INFO ][logstash.javapipeline    ] Pipeline `search` is configured with `pipeline.ecs_compatibility: disabled` setting. All plugins in this pipeline will default to `ecs_compatibility => disabled` unless>
[2024-04-12T14:17:03,830][INFO ][logstash.javapipeline    ] Starting pipeline {:pipeline_id=>"manager", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1000, "pipeline.sour>
[2024-04-12T14:17:03,835][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//seconion"]}
[2024-04-12T14:17:03,838][WARN ][logstash.outputs.elasticsearch] You have enabled encryption but DISABLED certificate verification, to make sure your data is secure set `ssl_verification_mode => full`
[2024-04-12T14:17:03,901][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://so_elastic:xxxxxx@seconion:9200/]}}
[2024-04-12T14:17:04,072][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"https://so_elastic:xxxxxx@seconion:9200/"}
[2024-04-12T14:17:04,076][INFO ][logstash.outputs.elasticsearch] Elasticsearch version determined (8.10.4) {:es_version=>8}
[2024-04-12T14:17:04,077][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>8}
[2024-04-12T14:17:04,083][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//seconion"]}
[2024-04-12T14:17:04,084][WARN ][logstash.outputs.elasticsearch] You have enabled encryption but DISABLED certificate verification, to make sure your data is secure set `ssl_verification_mode => full`
[2024-04-12T14:17:04,086][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://so_elastic:xxxxxx@seconion:9200/]}}
[2024-04-12T14:17:04,114][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"https://so_elastic:xxxxxx@seconion:9200/"}
[2024-04-12T14:17:04,119][INFO ][logstash.outputs.elasticsearch] Elasticsearch version determined (8.10.4) {:es_version=>8}
[2024-04-12T14:17:04,119][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>8}
[2024-04-12T14:17:04,126][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//seconion"]}
[2024-04-12T14:17:04,126][WARN ][logstash.outputs.elasticsearch] You have enabled encryption but DISABLED certificate verification, to make sure your data is secure set `ssl_verification_mode => full`
[2024-04-12T14:17:04,129][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://so_elastic:xxxxxx@seconion:9200/]}}
[2024-04-12T14:17:04,155][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"https://so_elastic:xxxxxx@seconion:9200/"}
[2024-04-12T14:17:04,158][INFO ][logstash.outputs.elasticsearch] Elasticsearch version determined (8.10.4) {:es_version=>8}
[2024-04-12T14:17:04,159][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>8}
[2024-04-12T14:17:04,163][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//seconion"]}
[2024-04-12T14:17:04,164][WARN ][logstash.outputs.elasticsearch] You have enabled encryption but DISABLED certificate verification, to make sure your data is secure set `ssl_verification_mode => full`
[2024-04-12T14:17:04,166][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://so_elastic:xxxxxx@seconion:9200/]}}
[2024-04-12T14:17:04,202][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"https://so_elastic:xxxxxx@seconion:9200/"}
[2024-04-12T14:17:04,209][INFO ][logstash.outputs.elasticsearch] Elasticsearch version determined (8.10.4) {:es_version=>8}
[2024-04-12T14:17:04,209][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>8}
[2024-04-12T14:17:04,219][INFO ][logstash.outputs.elasticsearch] Not eligible for data streams because ecs_compatibility is not enabled. Elasticsearch data streams require that events adhere to the Elastic Common Schema. While `>
[2024-04-12T14:17:04,219][INFO ][logstash.outputs.elasticsearch] Data streams auto configuration (`data_stream => auto` or unset) resolved to `false`
[2024-04-12T14:17:04,224][INFO ][logstash.javapipeline    ] Starting pipeline {:pipeline_id=>"search", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1000, "pipeline.sourc>
[2024-04-12T14:17:04,231][INFO ][logstash.outputs.elasticsearch] Using a default mapping template {:es_version=>8, :ecs_compatibility=>:disabled}
[2024-04-12T14:17:04,488][INFO ][logstash.javapipeline    ] Pipeline Java execution initialization time {"seconds"=>0.66}
[2024-04-12T14:17:04,517][INFO ][logstash.inputs.beats    ] Starting input listener {:address=>"0.0.0.0:5056"}
[2024-04-12T14:17:04,561][INFO ][logstash.javapipeline    ] Pipeline Java execution initialization time {"seconds"=>0.34}
[2024-04-12T14:17:04,571][INFO ][logstash.inputs.redis    ] Registering Redis {:identity=>"redis://<password>@seconion:9696/0 list:logstash:unparsed"}
[2024-04-12T14:17:04,571][INFO ][logstash.inputs.redis    ] Registering Redis {:identity=>"redis://<password>@seconion:9696/0 list:logstash:unparsed"}
[2024-04-12T14:17:04,571][INFO ][logstash.inputs.redis    ] Registering Redis {:identity=>"redis://<password>@seconion:9696/0 list:logstash:unparsed"}
[2024-04-12T14:17:04,571][INFO ][logstash.inputs.redis    ] Registering Redis {:identity=>"redis://<password>@seconion:9696/0 list:logstash:unparsed"}
[2024-04-12T14:17:04,572][INFO ][logstash.inputs.redis    ] Registering Redis {:identity=>"redis://<password>@seconion:9696/0 list:logstash:unparsed"}
[2024-04-12T14:17:04,572][INFO ][logstash.inputs.redis    ] Registering Redis {:identity=>"redis://<password>@seconion:9696/0 list:logstash:unparsed"}
[2024-04-12T14:17:04,572][INFO ][logstash.inputs.redis    ] Registering Redis {:identity=>"redis://<password>@seconion:9696/0 list:logstash:unparsed"}
[2024-04-12T14:17:04,572][INFO ][logstash.inputs.redis    ] Registering Redis {:identity=>"redis://<password>@seconion:9696/0 list:logstash:unparsed"}
[2024-04-12T14:17:04,585][INFO ][logstash.javapipeline    ] Pipeline started {"pipeline.id"=>"search"}
[2024-04-12T14:17:04,970][INFO ][logstash.inputs.beats    ] Starting input listener {:address=>"0.0.0.0:5055"}
[2024-04-12T14:17:05,044][INFO ][logstash.javapipeline    ] Pipeline started {"pipeline.id"=>"manager"}
[2024-04-12T14:17:05,046][INFO ][logstash.inputs.http     ] Starting http input listener {:address=>"0.0.0.0:3765", :ssl=>"true"}
[2024-04-12T14:17:05,051][INFO ][org.logstash.beats.Server] Starting server on port: 5056
[2024-04-12T14:17:05,051][INFO ][org.logstash.beats.Server] Starting server on port: 5055
[2024-04-12T14:17:05,052][INFO ][logstash.agent           ] Pipelines running {:count=>2, :running_pipelines=>[:manager, :search], :non_running_pipelines=>[]}
[2024-04-12T14:17:08,396][WARN ][logstash.outputs.redis   ] Failed to flush outgoing items {:outgoing_count=>125, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/li>
[2024-04-12T14:17:08,397][WARN ][logstash.outputs.redis   ] Failed to send backlog of events to Redis {:identity=>"redis://<password>@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not al>
[2024-04-12T14:17:09,403][WARN ][logstash.outputs.redis   ] Failed to flush outgoing items {:outgoing_count=>125, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/li>
[2024-04-12T14:17:09,403][WARN ][logstash.outputs.redis   ] Failed to send backlog of events to Redis {:identity=>"redis://<password>@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not al>
[2024-04-12T14:17:10,412][WARN ][logstash.outputs.redis   ] Failed to flush outgoing items {:outgoing_count=>125, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/li>
[2024-04-12T14:17:10,413][WARN ][logstash.outputs.redis   ] Failed to send backlog of events to Redis {:identity=>"redis://<password>@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not al>
[2024-04-12T14:17:11,421][WARN ][logstash.outputs.redis   ] Failed to flush outgoing items {:outgoing_count=>125, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/li>
[2024-04-12T14:17:11,422][WARN ][logstash.outputs.redis   ] Failed to send backlog of events to Redis {:identity=>"redis://<password>@seconion:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not al>
[2024-04-12T14:17:12,426][WARN ][logstash.outputs.redis   ] Failed to flush outgoing items {:outgoing_count=>125, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/li>
...
...

[cm-ops]

I didn't see what you have in your manager and search pipelines in the output above. Looks like the log is cut off some. Should look like below:

Starting pipeline {:pipeline_id=>"manager", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>500, "pipeline.sources"=>["/usr/share/logstash/pipelines/manager/0011_input_endgame.conf", "/usr/share/logstash/pipelines/manager/0012_input_elastic_agent.conf", "/usr/share/logstash/pipelines/manager/0013_input_lumberjack_fleet.conf", "/usr/share/logstash/pipelines/manager/9999_output_redis.conf"], :thread=>"#<Thread:0x61cab4f6 /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}

Starting pipeline {:pipeline_id=>"search", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>500, "pipeline.sources"=>["/usr/share/logstash/pipelines/search/0900_input_redis.conf", "/usr/share/logstash/pipelines/search/9805_output_elastic_agent.conf", "/usr/share/logstash/pipelines/search/9900_output_endgame.conf"], :thread=>"#<Thread:0x6808b6db /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}

Can you take a look in your logstash log and confirm they are the same?

[tthomasb]

I don't know why it's cut off, but here are the output, after restarting just now. I think it just look fine...

[2024-04-15T18:19:10,283][INFO ][logstash.javapipeline ] Starting pipeline {:pipeline_id=>"manager", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1000, "pipeline.sources"=>["/usr/share/logstash/pipelines/manager/0011_input_endgame.conf", "/usr/share/logstash/pipelines/manager/0012_input_elastic_agent.conf", "/usr/share/logstash/pipelines/manager/0013_input_lumberjack_fleet.conf", "/usr/share/logstash/pipelines/manager/9999_output_redis.conf"], :thread=>"#<Thread:0x295ce61 /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}

[2024-04-15T18:19:10,711][INFO ][logstash.javapipeline ] Starting pipeline {:pipeline_id=>"search", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1000, "pipeline.sources"=>["/usr/share/logstash/pipelines/search/0900_input_redis.conf", "/usr/share/logstash/pipelines/search/9805_output_elastic_agent.conf", "/usr/share/logstash/pipelines/search/9900_output_endgame.conf"], :thread=>"#<Thread:0x435755a1 /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}

[cm-ops]

Okay, that looks right. Also, let me know what Elasticsearch pipelines are loaded with so-elasticsearch-pipelines-list please.

[tthomasb]

Ok sure.

sudo so-elasticsearch-pipelines-list
[
  ".fleet_final_pipeline-1",
  ".slo-observability.sli.pipeline",
  ".slo-observability.summary.pipeline",
  "beats.common",
  "behavioral_analytics-events-final_pipeline",
  "common",
  "common.nids",
  "custom001",
  "custom002",
  "custom003",
  "custom004",
  "custom005",
  "custom006",
  "custom007",
  "custom008",
  "custom009",
  "custom010",
  "dns.tld",
  "ecs",
  "ent-search-generic-ingestion",
  "filterlog",
  "http.status",
  "import.wel",
  "kratos",
  "logs-1password.audit_events-1.23.1",
  "logs-1password.item_usages-1.23.1",
  "logs-1password.signin_attempts-1.23.1",
  "logs-apache.access-1.15.1",
  "logs-apache.access-1.15.1-third-party",
  "logs-apache.error-1.15.1",
  "logs-apache.error-1.15.1-third-party",
  "logs-auditd.log-3.15.0",
  "logs-auth0.logs-1.13.0",
  "logs-aws.apigateway_logs-2.8.3",
  "logs-aws.cloudfront_logs-2.8.3",
  "logs-aws.cloudtrail-2.8.3",
  "logs-aws.cloudtrail-2.8.3-third-party",
  "logs-aws.cloudwatch_logs-2.8.3",
  "logs-aws.ec2_logs-2.8.3",
  "logs-aws.elb_logs-2.8.3",
  "logs-aws.emr_logs-2.8.3",
  "logs-aws.firewall_logs-2.8.3",
  "logs-aws.guardduty-2.8.3",
  "logs-aws.inspector-2.8.3",
  "logs-aws.route53_public_logs-2.8.3",
  "logs-aws.route53_resolver_logs-2.8.3",
  "logs-aws.s3access-2.8.3",
  "logs-aws.securityhub_findings-2.8.3",
  "logs-aws.securityhub_insights-2.8.3",
  "logs-aws.vpcflow-2.8.3",
  "logs-aws.waf-2.8.3",
  "logs-azure.activitylogs-1.6.0",
  "logs-azure.activitylogs-1.6.0-azure-shared-pipeline",
  "logs-azure.application_gateway-1.6.0",
  "logs-azure.application_gateway-1.6.0-azure-shared-pipeline",
  "logs-azure.auditlogs-1.6.0",
  "logs-azure.auditlogs-1.6.0-azure-shared-pipeline",
  "logs-azure.eventhub-1.6.0",
  "logs-azure.eventhub-1.6.0-azure-shared-pipeline",
  "logs-azure.eventhub-1.6.0-parsed-message",
  "logs-azure.firewall_logs-1.6.0",
  "logs-azure.firewall_logs-1.6.0-azure-shared-pipeline",
  "logs-azure.identity_protection-1.6.0",
  "logs-azure.identity_protection-1.6.0-azure-shared-pipeline",
  "logs-azure.platformlogs-1.6.0",
  "logs-azure.platformlogs-1.6.0-azure-shared-pipeline",
  "logs-azure.platformlogs-1.6.0-springcloudlogs-inner-pipeline",
  "logs-azure.provisioning-1.6.0",
  "logs-azure.provisioning-1.6.0-azure-shared-pipeline",
  "logs-azure.signinlogs-1.6.0",
  "logs-azure.signinlogs-1.6.0-azure-shared-pipeline",
  "logs-azure.springcloudlogs-1.6.0",
  "logs-azure.springcloudlogs-1.6.0-azure-shared-pipeline",
  "logs-barracuda.waf-1.9.1",
  "logs-barracuda.waf-1.9.1-access",
  "logs-barracuda.waf-1.9.1-audit",
  "logs-barracuda.waf-1.9.1-networkfirewall",
  "logs-barracuda.waf-1.9.1-system",
  "logs-barracuda.waf-1.9.1-webfirewall",
  "logs-carbonblack_edr.log-1.15.0",
  "logs-checkpoint.firewall-1.27.0",
  "logs-cisco_asa.log-2.26.0",
  "logs-cisco_duo.admin-1.18.0",
  "logs-cisco_duo.auth-1.18.0",
  "logs-cisco_duo.offline_enrollment-1.18.0",
  "logs-cisco_duo.summary-1.18.0",
  "logs-cisco_duo.telephony-1.18.0",
  "logs-cisco_ftd.log-2.18.2",
  "logs-cisco_ios.log-1.22.0",
  "logs-cisco_ise.log-1.18.0",
  "logs-cisco_ise.log-1.18.0-pipeline_ad_connector",
  "logs-cisco_ise.log-1.18.0-pipeline_administrative_and_operational_audit",
  "logs-cisco_ise.log-1.18.0-pipeline_authentication_flow_diagnostics",
  "logs-cisco_ise.log-1.18.0-pipeline_failed_attempts",
  "logs-cisco_ise.log-1.18.0-pipeline_guest",
  "logs-cisco_ise.log-1.18.0-pipeline_identity_stores_diagnostics",
  "logs-cisco_ise.log-1.18.0-pipeline_internal_operations_diagnostics",
  "logs-cisco_ise.log-1.18.0-pipeline_mydevices",
  "logs-cisco_ise.log-1.18.0-pipeline_passed_authentications",
  "logs-cisco_ise.log-1.18.0-pipeline_policy_diagnostics",
  "logs-cisco_ise.log-1.18.0-pipeline_posture_and_client_provisioning_audit",
  "logs-cisco_ise.log-1.18.0-pipeline_radius_accounting",
  "logs-cisco_ise.log-1.18.0-pipeline_radius_diagnostics",
  "logs-cisco_ise.log-1.18.0-pipeline_system_statistics",
  "logs-cisco_ise.log-1.18.0-pipeline_tacacs_accounting",
  "logs-cisco_ise.log-1.18.0-pipeline_threat_centric_nac",
  "logs-cisco_meraki.events-1.16.1",
  "logs-cisco_meraki.log-1.16.1",
  "logs-cisco_meraki.log-1.16.1-airmarshal",
  "logs-cisco_meraki.log-1.16.1-events",
  "logs-cisco_meraki.log-1.16.1-flows",
  "logs-cisco_meraki.log-1.16.1-idsalerts",
  "logs-cisco_meraki.log-1.16.1-ipflows",
  "logs-cisco_meraki.log-1.16.1-security",
  "logs-cisco_meraki.log-1.16.1-urls",
  "logs-cisco_umbrella.log-1.19.0",
  "logs-citrix_adc.interface-1.0.1",
  "logs-citrix_adc.lbvserver-1.0.1",
  "logs-citrix_adc.service-1.0.1",
  "logs-citrix_adc.system-1.0.1",
  "logs-citrix_adc.vpn-1.0.1",
  "logs-citrix_waf.log-1.11.1",
  "logs-citrix_waf.log-1.11.1-cef",
  "logs-citrix_waf.log-1.11.1-native",
  "logs-cloudflare.audit-2.20.0",
  "logs-cloudflare.logpull-2.20.0",
  "logs-cloudflare.logpull-2.20.0-http",
  "logs-crowdstrike.falcon-1.22.1",
  "logs-crowdstrike.falcon-1.22.1-auth_activity_audit",
  "logs-crowdstrike.falcon-1.22.1-cspm_events",
  "logs-crowdstrike.falcon-1.22.1-detection_summary",
  "logs-crowdstrike.falcon-1.22.1-firewall_match",
  "logs-crowdstrike.falcon-1.22.1-identity_protection_incident",
  "logs-crowdstrike.falcon-1.22.1-incident_summary",
  "logs-crowdstrike.falcon-1.22.1-ipd_detection_summary",
  "logs-crowdstrike.falcon-1.22.1-mobile_detection_summary",
  "logs-crowdstrike.falcon-1.22.1-recon_notification_summary",
  "logs-crowdstrike.falcon-1.22.1-remote_response_session_end",
  "logs-crowdstrike.falcon-1.22.1-remote_response_session_start",
  "logs-crowdstrike.falcon-1.22.1-user_activity_audit",
  "logs-crowdstrike.falcon-1.22.1-xdr_detection_summary",
  "logs-crowdstrike.fdr-1.22.1",
  "logs-darktrace.ai_analyst_alert-1.11.0",
  "logs-darktrace.model_breach_alert-1.11.0",
  "logs-darktrace.system_status_alert-1.11.0",
  "logs-default-pipeline",
  "logs-elastic_agent-1.13.1",
  "logs-elastic_agent.apm_server-1.13.1",
  "logs-elastic_agent.auditbeat-1.13.1",
  "logs-elastic_agent.cloud_defend-1.13.1",
  "logs-elastic_agent.cloudbeat-1.13.1",
  "logs-elastic_agent.endpoint_security-1.13.1",
  "logs-elastic_agent.filebeat-1.13.1",
  "logs-elastic_agent.filebeat_input-1.13.1",
  "logs-elastic_agent.fleet_server-1.13.1",
  "logs-elastic_agent.heartbeat-1.13.1",
  "logs-elastic_agent.metricbeat-1.13.1",
  "logs-elastic_agent.osquerybeat-1.13.1",
  "logs-elastic_agent.packetbeat-1.13.1",
  "logs-elasticsearch.audit-1.10.0",
  "logs-elasticsearch.audit-1.10.0-pipeline-json",
  "logs-elasticsearch.deprecation-1.10.0",
  "logs-elasticsearch.deprecation-1.10.0-pipeline-json",
  "logs-elasticsearch.gc-1.10.0",
  "logs-elasticsearch.server-1.10.0",
  "logs-elasticsearch.server-1.10.0-pipeline-json",
  "logs-elasticsearch.slowlog-1.10.0",
  "logs-elasticsearch.slowlog-1.10.0-pipeline-json",
  "logs-endpoint.action.responses-8.10.2",
  "logs-endpoint.actions-8.10.2",
  "logs-endpoint.alerts-8.10.2",
  "logs-endpoint.diagnostic.collection-8.10.2",
  "logs-endpoint.events.api-8.10.2",
  "logs-endpoint.events.file-8.10.2",
  "logs-endpoint.events.library-8.10.2",
  "logs-endpoint.events.network-8.10.2",
  "logs-endpoint.events.process-8.10.2",
  "logs-endpoint.events.registry-8.10.2",
  "logs-endpoint.events.security-8.10.2",
  "logs-endpoint.heartbeat-8.10.2",
  "logs-f5_bigip.log-1.11.0",
  "logs-f5_bigip.log-1.11.0-pipeline_bigipafm",
  "logs-f5_bigip.log-1.11.0-pipeline_bigipapm",
  "logs-f5_bigip.log-1.11.0-pipeline_bigipasm",
  "logs-f5_bigip.log-1.11.0-pipeline_bigipavr",
  "logs-f5_bigip.log-1.11.0-pipeline_bigipltm",
  "logs-fim.event-1.13.0",
  "logs-fireeye.nx-1.19.0",
  "logs-fireeye.nx-1.19.0-renaming-raws",
  "logs-fortinet.clientendpoint-1.9.0",
  "logs-fortinet.firewall-1.9.0",
  "logs-fortinet.firewall-1.9.0-event",
  "logs-fortinet.firewall-1.9.0-traffic",
  "logs-fortinet.firewall-1.9.0-utm",
  "logs-fortinet.fortimail-1.9.0",
  "logs-fortinet.fortimanager-1.9.0",
  "logs-fortinet_fortigate.log-1.19.0",
  "logs-fortinet_fortigate.log-1.19.0-event",
  "logs-fortinet_fortigate.log-1.19.0-traffic",
  "logs-fortinet_fortigate.log-1.19.0-utm",
  "logs-gcp.audit-2.30.1",
  "logs-gcp.dns-2.30.1",
  "logs-gcp.firewall-2.30.1",
  "logs-gcp.loadbalancing_logs-2.30.1",
  "logs-gcp.vpcflow-2.30.1",
  "logs-github.audit-1.24.0",
  "logs-github.code_scanning-1.24.0",
  "logs-github.dependabot-1.24.0",
  "logs-github.issues-1.24.0",
  "logs-github.secret_scanning-1.24.0",
  "logs-google_workspace.access_transparency-2.16.1",
  "logs-google_workspace.admin-2.16.1",
  "logs-google_workspace.alert-2.16.1",
  "logs-google_workspace.context_aware_access-2.16.1",
  "logs-google_workspace.device-2.16.1",
  "logs-google_workspace.drive-2.16.1",
  "logs-google_workspace.gcp-2.16.1",
  "logs-google_workspace.group_enterprise-2.16.1",
  "logs-google_workspace.groups-2.16.1",
  "logs-google_workspace.login-2.16.1",
  "logs-google_workspace.rules-2.16.1",
  "logs-google_workspace.saml-2.16.1",
  "logs-google_workspace.token-2.16.1",
  "logs-google_workspace.user_accounts-2.16.1",
  "logs-http_endpoint.generic-1.13.0",
  "logs-httpjson.generic-1.16.0",
  "logs-idh-2.3.0",
  "logs-iis.access-1.15.1",
  "logs-iis.error-1.15.1",
  "logs-import-2.3.0",
  "logs-juniper.junos-1.2.0",
  "logs-juniper.netscreen-1.2.0",
  "logs-juniper.srx-1.2.0",
  "logs-juniper.srx-1.2.0-atp",
  "logs-juniper.srx-1.2.0-flow",
  "logs-juniper.srx-1.2.0-idp",
  "logs-juniper.srx-1.2.0-ids",
  "logs-juniper.srx-1.2.0-secintel",
  "logs-juniper.srx-1.2.0-utm",
  "logs-juniper_srx.log-1.18.1",
  "logs-juniper_srx.log-1.18.1-atp",
  "logs-juniper_srx.log-1.18.1-flow",
  "logs-juniper_srx.log-1.18.1-idp",
  "logs-juniper_srx.log-1.18.1-ids",
  "logs-juniper_srx.log-1.18.1-secintel",
  "logs-juniper_srx.log-1.18.1-system",
  "logs-juniper_srx.log-1.18.1-utm",
  "logs-kafka_log.generic-1.3.0",
  "logs-kratos-2.3.0",
  "logs-lastpass.detailed_shared_folder-1.11.0",
  "logs-lastpass.event_report-1.11.0",
  "logs-lastpass.user-1.11.0",
  "logs-m365_defender.event-2.3.1",
  "logs-m365_defender.event-2.3.1-pipeline_alert",
  "logs-m365_defender.event-2.3.1-pipeline_app_and_identity",
  "logs-m365_defender.event-2.3.1-pipeline_device",
  "logs-m365_defender.event-2.3.1-pipeline_email",
  "logs-m365_defender.incident-2.3.1",
  "logs-m365_defender.log-2.3.1",
  "logs-microsoft_defender_endpoint.log-2.20.0",
  "logs-microsoft_dhcp.log-1.21.0",
  "logs-microsoft_dhcp.log-1.21.0-dhcp",
  "logs-microsoft_dhcp.log-1.21.0-dhcpv6",
  "logs-microsoft_sqlserver.audit-2.2.2",
  "logs-microsoft_sqlserver.log-2.2.2",
  "logs-mimecast.archive_search_logs-1.19.0",
  "logs-mimecast.audit_events-1.19.0",
  "logs-mimecast.dlp_logs-1.19.0",
  "logs-mimecast.siem_logs-1.19.0",
  "logs-mimecast.threat_intel_malware_customer-1.19.0",
  "logs-mimecast.threat_intel_malware_grid-1.19.0",
  "logs-mimecast.ttp_ap_logs-1.19.0",
  "logs-mimecast.ttp_ip_logs-1.19.0",
  "logs-mimecast.ttp_url_logs-1.19.0",
  "logs-mysql.error-1.15.0",
  "logs-mysql.slowlog-1.15.0",
  "logs-netflow.log-2.16.1",
  "logs-nginx.access-1.15.1",
  "logs-nginx.access-1.15.1-third-party",
  "logs-nginx.error-1.15.1",
  "logs-nginx.error-1.15.1-third-party",
  "logs-o365.audit-1.24.1",
  "logs-okta.system-2.3.0",
  "logs-osquery_manager.result-1.10.1",
  "logs-panw.panos-3.19.0",
  "logs-panw.panos-3.19.0-authentication",
  "logs-panw.panos-3.19.0-config",
  "logs-panw.panos-3.19.0-correlated_event",
  "logs-panw.panos-3.19.0-decryption",
  "logs-panw.panos-3.19.0-globalprotect",
  "logs-panw.panos-3.19.0-gtp",
  "logs-panw.panos-3.19.0-hipmatch",
  "logs-panw.panos-3.19.0-ip_tag",
  "logs-panw.panos-3.19.0-sctp",
  "logs-panw.panos-3.19.0-system",
  "logs-panw.panos-3.19.0-threat",
  "logs-panw.panos-3.19.0-traffic",
  "logs-panw.panos-3.19.0-tunnel_inspection",
  "logs-panw.panos-3.19.0-userid",
  "logs-pfsense.log-1.16.0",
  "logs-pfsense.log-1.16.0-dhcp",
  "logs-pfsense.log-1.16.0-firewall",
  "logs-pfsense.log-1.16.0-haproxy",
  "logs-pfsense.log-1.16.0-ipsec",
  "logs-pfsense.log-1.16.0-openvpn",
  "logs-pfsense.log-1.16.0-php-fpm",
  "logs-pfsense.log-1.16.0-squid",
  "logs-pfsense.log-1.16.0-unbound",
  "logs-proofpoint_tap.clicks_blocked-1.13.0",
  "logs-proofpoint_tap.clicks_permitted-1.13.0",
  "logs-proofpoint_tap.message_blocked-1.13.0",
  "logs-proofpoint_tap.message_delivered-1.13.0",
  "logs-pulse_connect_secure.log-1.16.0",
  "logs-redis.log-1.11.1",
  "logs-redis.slowlog-1.11.1",
  "logs-rita-2.3.0",
  "logs-sentinel_one.activity-1.16.0",
  "logs-sentinel_one.agent-1.16.0",
  "logs-sentinel_one.alert-1.16.0",
  "logs-sentinel_one.group-1.16.0",
  "logs-sentinel_one.threat-1.16.0",
  "logs-snort.log-1.12.0",
  "logs-snort.log-1.12.0-json",
  "logs-snort.log-1.12.0-plaintext",
  "logs-snyk.audit-1.16.0",
  "logs-snyk.vulnerabilities-1.16.0",
  "logs-soc-2.3.0",
  "logs-sonicwall_firewall.log-1.11.0",
  "logs-sophos.utm-3.4.0",
  "logs-sophos.utm-3.4.0-dhcp",
  "logs-sophos.utm-3.4.0-dns",
  "logs-sophos.utm-3.4.0-http",
  "logs-sophos.utm-3.4.0-packetfilter",
  "logs-sophos.xg-3.4.0",
  "logs-sophos.xg-3.4.0-antispam",
  "logs-sophos.xg-3.4.0-antivirus",
  "logs-sophos.xg-3.4.0-atp",
  "logs-sophos.xg-3.4.0-cfilter",
  "logs-sophos.xg-3.4.0-event",
  "logs-sophos.xg-3.4.0-firewall",
  "logs-sophos.xg-3.4.0-idp",
  "logs-sophos.xg-3.4.0-sandstorm",
  "logs-sophos.xg-3.4.0-systemhealth",
  "logs-sophos.xg-3.4.0-waf",
  "logs-sophos.xg-3.4.0-wifi",
  "logs-sophos_central.alert-1.10.0",
  "logs-sophos_central.event-1.10.0",
  "logs-strelka-2.3.0",
  "logs-suricata-2.3.0",
  "logs-symantec_endpoint.log-2.13.0",
  "logs-system.application-1.43.0",
  "logs-system.auth-1.43.0",
  "logs-system.security-1.43.0",
  "logs-system.security-1.43.0-standard",
  "logs-system.syslog-1.43.0",
  "logs-system.system-1.43.0",
  "logs-tcp.generic-1.15.0",
  "logs-tenable_sc.asset-1.17.0",
  "logs-tenable_sc.plugin-1.17.0",
  "logs-tenable_sc.vulnerability-1.17.0",
  "logs-ti_abusech.malware-1.21.0",
  "logs-ti_abusech.malwarebazaar-1.21.0",
  "logs-ti_abusech.threatfox-1.21.0",
  "logs-ti_abusech.url-1.21.0",
  "logs-ti_anomali.threatstream-1.18.0",
  "logs-ti_cybersixgill.threat-1.22.0",
  "logs-ti_misp.threat-1.24.0",
  "logs-ti_misp.threat_attributes-1.24.0",
  "logs-ti_otx.pulses_subscribed-1.19.0",
  "logs-ti_otx.threat-1.19.0",
  "logs-ti_recordedfuture.threat-1.17.0",
  "logs-ti_recordedfuture.threat-1.17.0-decode_csv",
  "logs-ti_threatq.threat-1.20.0",
  "logs-udp.generic-1.15.0",
  "logs-vsphere.log-1.8.0",
  "logs-windows.applocker_exe_and_dll-1.38.0",
  "logs-windows.applocker_msi_and_script-1.38.0",
  "logs-windows.applocker_packaged_app_deployment-1.38.0",
  "logs-windows.applocker_packaged_app_execution-1.38.0",
  "logs-windows.forwarded-1.38.0",
  "logs-windows.forwarded-1.38.0-powershell",
  "logs-windows.forwarded-1.38.0-powershell_operational",
  "logs-windows.forwarded-1.38.0-security",
  "logs-windows.forwarded-1.38.0-sysmon_operational",
  "logs-windows.powershell-1.38.0",
  "logs-windows.powershell_operational-1.38.0",
  "logs-windows.sysmon_operational-1.38.0",
  "logs-winlog.winlog-1.20.0",
  "logs-zeek-2.3.0",
  "logs-zscaler_zia.alerts-2.15.0",
  "logs-zscaler_zia.dns-2.15.0",
  "logs-zscaler_zia.firewall-2.15.0",
  "logs-zscaler_zia.tunnel-2.15.0",
  "logs-zscaler_zia.web-2.15.0",
  "logs-zscaler_zpa.app_connector_status-1.14.0",
  "logs-zscaler_zpa.audit-1.14.0",
  "logs-zscaler_zpa.browser_access-1.14.0",
  "logs-zscaler_zpa.user_activity-1.14.0",
  "logs-zscaler_zpa.user_status-1.14.0",
  "logs@json-message",
  "logscan.alert",
  "metrics-apache.status-1.15.1",
  "metrics-aws.apigateway_metrics-2.8.3",
  "metrics-aws.billing-2.8.3",
  "metrics-aws.cloudwatch_metrics-2.8.3",
  "metrics-aws.dynamodb-2.8.3",
  "metrics-aws.ebs-2.8.3",
  "metrics-aws.ec2_metrics-2.8.3",
  "metrics-aws.ecs_metrics-2.8.3",
  "metrics-aws.elb_metrics-2.8.3",
  "metrics-aws.emr_metrics-2.8.3",
  "metrics-aws.firewall_metrics-2.8.3",
  "metrics-aws.kinesis-2.8.3",
  "metrics-aws.lambda-2.8.3",
  "metrics-aws.natgateway-2.8.3",
  "metrics-aws.rds-2.8.3",
  "metrics-aws.redshift-2.8.3",
  "metrics-aws.s3_daily_storage-2.8.3",
  "metrics-aws.s3_request-2.8.3",
  "metrics-aws.s3_storage_lens-2.8.3",
  "metrics-aws.sns-2.8.3",
  "metrics-aws.sqs-2.8.3",
  "metrics-aws.transitgateway-2.8.3",
  "metrics-aws.usage-2.8.3",
  "metrics-aws.vpn-2.8.3",
  "metrics-elastic_agent.apm_server-1.13.1",
  "metrics-elastic_agent.auditbeat-1.13.1",
  "metrics-elastic_agent.cloudbeat-1.13.1",
  "metrics-elastic_agent.elastic_agent-1.13.1",
  "metrics-elastic_agent.endpoint_security-1.13.1",
  "metrics-elastic_agent.filebeat-1.13.1",
  "metrics-elastic_agent.filebeat_input-1.13.1",
  "metrics-elastic_agent.fleet_server-1.13.1",
  "metrics-elastic_agent.heartbeat-1.13.1",
  "metrics-elastic_agent.metricbeat-1.13.1",
  "metrics-elastic_agent.osquerybeat-1.13.1",
  "metrics-elastic_agent.packetbeat-1.13.1",
  "metrics-elasticsearch.ingest_pipeline-1.10.0",
  "metrics-elasticsearch.stack_monitoring.ccr-1.10.0",
  "metrics-elasticsearch.stack_monitoring.cluster_stats-1.10.0",
  "metrics-elasticsearch.stack_monitoring.enrich-1.10.0",
  "metrics-elasticsearch.stack_monitoring.index-1.10.0",
  "metrics-elasticsearch.stack_monitoring.index_recovery-1.10.0",
  "metrics-elasticsearch.stack_monitoring.index_summary-1.10.0",
  "metrics-elasticsearch.stack_monitoring.ml_job-1.10.0",
  "metrics-elasticsearch.stack_monitoring.node-1.10.0",
  "metrics-elasticsearch.stack_monitoring.node_stats-1.10.0",
  "metrics-elasticsearch.stack_monitoring.pending_tasks-1.10.0",
  "metrics-elasticsearch.stack_monitoring.shard-1.10.0",
  "metrics-endpoint.metadata-8.10.2",
  "metrics-endpoint.metrics-8.10.2",
  "metrics-endpoint.policy-8.10.2",
  "metrics-gcp.billing-2.30.1",
  "metrics-gcp.cloudrun_metrics-2.30.1",
  "metrics-gcp.cloudsql_mysql-2.30.1",
  "metrics-gcp.cloudsql_postgresql-2.30.1",
  "metrics-gcp.cloudsql_sqlserver-2.30.1",
  "metrics-gcp.compute-2.30.1",
  "metrics-gcp.dataproc-2.30.1",
  "metrics-gcp.firestore-2.30.1",
  "metrics-gcp.gke-2.30.1",
  "metrics-gcp.loadbalancing_metrics-2.30.1",
  "metrics-gcp.pubsub-2.30.1",
  "metrics-gcp.redis-2.30.1",
  "metrics-gcp.storage-2.30.1",
  "metrics-iis.application_pool-1.15.1",
  "metrics-iis.webserver-1.15.1",
  "metrics-iis.website-1.15.1",
  "metrics-microsoft_sqlserver.performance-2.2.2",
  "metrics-microsoft_sqlserver.transaction_log-2.2.2",
  "metrics-mysql.galera_status-1.15.0",
  "metrics-mysql.performance-1.15.0",
  "metrics-mysql.status-1.15.0",
  "metrics-nginx.stubstatus-1.15.1",
  "metrics-redis.info-1.11.1",
  "metrics-redis.key-1.11.1",
  "metrics-redis.keyspace-1.11.1",
  "metrics-system.core-1.43.0",
  "metrics-system.cpu-1.43.0",
  "metrics-system.diskio-1.43.0",
  "metrics-system.filesystem-1.43.0",
  "metrics-system.fsstat-1.43.0",
  "metrics-system.load-1.43.0",
  "metrics-system.memory-1.43.0",
  "metrics-system.network-1.43.0",
  "metrics-system.process-1.43.0",
  "metrics-system.process.summary-1.43.0",
  "metrics-system.socket_summary-1.43.0",
  "metrics-system.uptime-1.43.0",
  "metrics-vsphere.datastore-1.8.0",
  "metrics-vsphere.host-1.8.0",
  "metrics-vsphere.virtualmachine-1.8.0",
  "metrics-windows.perfmon-1.38.0",
  "metrics-windows.service-1.38.0",
  "osquery.live_query",
  "osquery.normalize",
  "osquery.query_result",
  "ossec",
  "rita.beacon",
  "rita.beacons",
  "rita.connection",
  "rita.connections",
  "rita.dns",
  "strelka.file",
  "sublime",
  "suricata.alert",
  "suricata.common",
  "suricata.dhcp",
  "suricata.dnp3",
  "suricata.dns",
  "suricata.fileinfo",
  "suricata.flow",
  "suricata.ftp",
  "suricata.ftp_data",
  "suricata.http",
  "suricata.ike",
  "suricata.ikev2",
  "suricata.krb5",
  "suricata.nfs",
  "suricata.rdp",
  "suricata.sip",
  "suricata.smb",
  "suricata.smtp",
  "suricata.snmp",
  "suricata.ssh",
  "suricata.tftp",
  "suricata.tls",
  "synthetics-browser-1.0.6",
  "synthetics-browser.network-1.0.6",
  "synthetics-browser.screenshot-1.0.6",
  "synthetics-http-1.0.6",
  "synthetics-icmp-1.0.6",
  "synthetics-tcp-1.0.6",
  "syslog",
  "sysmon",
  "win.eventlogs",
  "zeek.bacnet",
  "zeek.bacnet_discovery",
  "zeek.bacnet_property",
  "zeek.bsap_ip_header",
  "zeek.bsap_ip_rdb",
  "zeek.bsap_ip_unknown",
  "zeek.bsap_serial_header",
  "zeek.bsap_serial_rdb",
  "zeek.bsap_serial_rdb_ext",
  "zeek.bsap_serial_unknown",
  "zeek.cip",
  "zeek.cip_identity",
  "zeek.cip_io",
  "zeek.common",
  "zeek.common_ssl",
  "zeek.conn",
  "zeek.cotp",
  "zeek.dce_rpc",
  "zeek.dhcp",
  "zeek.dnp3",
  "zeek.dnp3_control",
  "zeek.dnp3_objects",
  "zeek.dns",
  "zeek.dpd",
  "zeek.ecat_aoe_info",
  "zeek.ecat_arp_info",
  "zeek.ecat_coe_info",
  "zeek.ecat_dev_info",
  "zeek.ecat_foe_info",
  "zeek.ecat_log_address",
  "zeek.ecat_registers",
  "zeek.ecat_soe_info",
  "zeek.enip",
  "zeek.files",
  "zeek.ftp",
  "zeek.http",
  "zeek.intel",
  "zeek.irc",
  "zeek.kerberos",
  "zeek.modbus",
  "zeek.modbus_detailed",
  "zeek.modbus_mask_write_register",
  "zeek.modbus_read_write_multiple_registers",
  "zeek.mysql",
  "zeek.notice",
  "zeek.ntlm",
  "zeek.opcua_binary",
  "zeek.opcua_binary_activate_session",
  "zeek.opcua_binary_activate_session_client_software_cert",
  "zeek.opcua_binary_activate_session_diagnostic_info",
  "zeek.opcua_binary_activate_session_locale_id",
  "zeek.opcua_binary_browse",
  "zeek.opcua_binary_browse_description",
  "zeek.opcua_binary_browse_diagnostic_info",
  "zeek.opcua_binary_browse_request_continuation_point",
  "zeek.opcua_binary_browse_response_references",
  "zeek.opcua_binary_browse_result",
  "zeek.opcua_binary_create_session",
  "zeek.opcua_binary_create_session_discovery",
  "zeek.opcua_binary_create_session_endpoints",
  "zeek.opcua_binary_create_session_user_token",
  "zeek.opcua_binary_create_subscription",
  "zeek.opcua_binary_diag_info_detail",
  "zeek.opcua_binary_get_endpoints",
  "zeek.opcua_binary_get_endpoints_description",
  "zeek.opcua_binary_get_endpoints_discovery",
  "zeek.opcua_binary_get_endpoints_locale_id",
  "zeek.opcua_binary_get_endpoints_profile_uri",
  "zeek.opcua_binary_get_endpoints_user_token",
  "zeek.opcua_binary_opensecure_channel",
  "zeek.opcua_binary_read",
  "zeek.opcua_binary_read_array_dims",
  "zeek.opcua_binary_read_array_dims_link",
  "zeek.opcua_binary_read_diagnostic_info",
  "zeek.opcua_binary_read_extension_object",
  "zeek.opcua_binary_read_extension_object_link",
  "zeek.opcua_binary_read_nodes_to_read",
  "zeek.opcua_binary_read_results",
  "zeek.opcua_binary_read_results_link",
  "zeek.opcua_binary_read_status_code",
  "zeek.opcua_binary_read_variant_data",
  "zeek.opcua_binary_read_variant_data_link",
  "zeek.opcua_binary_status_code_detail",
  "zeek.pe",
  "zeek.profinet",
  "zeek.profinet_dce_rpc",
  "zeek.radius",
  "zeek.rdp",
  "zeek.rfb",
  "zeek.s7comm",
  "zeek.s7comm_plus",
  "zeek.s7comm_read_szl",
  "zeek.s7comm_upload_download",
  "zeek.signatures",
  "zeek.sip",
  "zeek.smb_files",
  "zeek.smb_mapping",
  "zeek.smtp",
  "zeek.snmp",
  "zeek.socks",
  "zeek.software",
  "zeek.ssh",
  "zeek.ssl",
  "zeek.stun",
  "zeek.stun_nat",
  "zeek.syslog",
  "zeek.tds",
  "zeek.tds_rpc",
  "zeek.tds_sql_batch",
  "zeek.tunnel",
  "zeek.tunnels",
  "zeek.weird",
  "zeek.wireguard",
  "zeek.x509"
]