-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Filebeat log input fails when reload config under Elastic-Agent (affects Custom Logs integration) #31929
Comments
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
My first thought is that this might be related to #30533 which was fixed in 8.1.1, it seems like it might involve the same path between the agent and the beat. |
I remember working for a bit with Anderson on this one, I believe the problem(s) now is(are) different. All config blocks are applied, the whole update process happens as expected, however I'm experiencing two kinds errors:
Sometimes a fresh start of Elastic-Agent + Beats also leads to Filebeat not harvesting the files. There seems to be more to it than the configs not being fully applied. As far as I remember, on all my tests the configs are fully applied, but in any case I'll double-check it. |
I did some more testing, including using other inputs to better assess the extent of the problem, here is what I found: 1. The
|
I'm not familiar with any of this code, but I'll ask the likely obvious/naive question: Do we have any idea how filestream handles this? Is there a fundamental reason that log input can't handle it similarly? |
The |
I'm curious if this or a similar bug could be related to an issue I'm seeing in a support case related to API keys. This cluster was under very high load and was having general ingestion performance problems, and many One of the things we noticed is that this created a situation where Fleet Server had not properly invalidated old API keys after a policy change, so we helped the customer manually invalidate these (what should have been unused) API keys. After we ran the invalidation, we started seeing many So I'm curious if the following can happen:
I realize that's a lot of perfect storms, but there's definitely something going in this case where the new API key is not being properly picked up between Agent <-> Filebeat. cc @AndersonQ @ph |
Closing this issue as it has been solved by #32309 |
Given that Filebeat is running under Elastic-Agent, if a log input is running and has its configurations updated it will fail to start and Filebeat will stop harvesting logs. Filebeat still running and Elastic-Agent report as healthy.
At the moment I managed to consistently reproduce it in a very specific scenario (see below).
The issue seems to be cause by some sort of race condition while updating the configuration, the current workflow for this is (it all happens in Filebeat)
However, for some reason, the input still fails to start with
common.ErrInputNotFinished
. This is logged bycentralmdmt.fleet
and looks like this:There also seems to be an issue communicating with Elasticsearch after the update, it is logged by
esclientleg
and looks like this:Steps to Reproduce:
[{"set":{"field":"foo","value":"bar"}}]
, I'll refer to it asfoo
Custom log file -> Advanced options -> Custom configurations
add the following snippet:pipeline: foo
.The log file will stop being harvested, but Elastic-Agent still reports as healthy. The errors described above are logged and can be found in Kibana or in the log files.
The text was updated successfully, but these errors were encountered: