Lumberjack input, maximum connection exceeded #3277
Comments
Back pressure happens when something is slowing down the consumption of events and the queue stays blocked for a certain period of time. This slowdown can have multiple causes: one output slowing down the others, an external webservice call, or a lot of text manipulation.
Thx for the fast reply. We only use the ES output plugin, and ES seems to be running fine. You can see our full config here: https://gist.github.com/svenmueller/4faac33ac051263f1f96
@svenmueller ty for your config! One way to get more throughput on logstash is to run it with multiple workers for the filtering.
The problem occurs roughly 1-2 times per day. How can I find out the underlying problem? Is it possible to see which input/filter/output plugin is slowing down the whole logstash pipeline?
I also noticed that stopping/restarting the logstash service is not possible whenever the problem described above occurs:
log.nodexyz.com [2015-05-20 19:38:50]:~$ sudo tail -f /var/log/logstash/logstash.log
...
{:timestamp=>"2015-05-20T19:38:50.535000+0000", :message=>"Lumberjack input, maximum connection exceeded, new connection are rejected.", :max_clients=>nil, :level=>:warn}
{:timestamp=>"2015-05-20T19:38:50.546000+0000", :message=>"Lumberjack input, maximum connection exceeded, new connection are rejected.", :max_clients=>nil, :level=>:warn}
{:timestamp=>"2015-05-20T19:38:50.552000+0000", :message=>"Lumberjack input, maximum connection exceeded, new connection are rejected.", :max_clients=>nil, :level=>:warn}
log.nodexyz.com [2015-05-20 19:38:50]:~$ sudo service logstash restart
Killing logstash (pid 30181) with SIGTERM
Waiting logstash (pid 30181) to die...
Waiting logstash (pid 30181) to die...
Waiting logstash (pid 30181) to die...
Waiting logstash (pid 30181) to die...
Waiting logstash (pid 30181) to die...
logstash stop failed; still running.
logstash started.
log.nodexyz.com [2015-05-20 19:38:50]:~$ sudo tail -f /var/log/logstash/logstash.log
...
{:timestamp=>"2015-05-20T19:39:12.175000+0000", :message=>"The error reported is: \n Address already in use - bind - Address already in use"}
Hi there, we use lsf (forwarder 0.4.0) on about 20 machines and push the events (5 MB/s) to a logstash instance (1.5.0) via lumberjack (with SSL). Before 1.5.0 GA we regularly ran into OOM; now we exceed the sockets ;) Next step is to use 3 logstash instances for receiving log events. Any idea what else we can do?
Hey, we are also experiencing similar behavior in logstash: after 2-3 hours we run out of sockets. Also using logstash-forwarder on about 8 machines that push to logstash over SSL and into ES. We are running the latest logstash-1.5.0-1.noarch on CentOS 7. Just like @svenmueller, we can't stop logstash except with a kill command, and get the same message in the logs: {:timestamp=>"2015-05-22T15:35:35.475000-0400", :message=>"Lumberjack input, maximum connection exceeded, new connection are rejected.", :max_clients=>nil, :level=>:warn}
Hello @m1k3ga, would you mind testing a PR that implements another fix for the lumberjack input, to prevent the OOM and hopefully the socket issue you are currently experiencing: logstash-plugins/logstash-input-lumberjack#12? You can install this unreleased plugin by editing your Gemfile, replacing gem "logstash-input-lumberjack" with gem "logstash-input-lumberjack", :github => "ph/logstash-input-lumberjack", :branch => "fix/circuit-breaker", and then running this command:
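The Gemfile edit described above, as a sketch (the Gemfile location in the Logstash installation directory is an assumption, not stated in this thread; the exact install command was cut off in the original comment):

```ruby
# Gemfile in the Logstash installation directory (assumed location).
# Replace the released plugin line:
#   gem "logstash-input-lumberjack"
# with the branch under test:
gem "logstash-input-lumberjack", :github => "ph/logstash-input-lumberjack", :branch => "fix/circuit-breaker"
```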
Concerning the hang, we have a PR in the works (#3211) to refactor the shutdown semantics of the input plugins. Some of them don't stop gracefully, and this is the case here.
@mogmismo this error is a symptom of a slowdown somewhere; before, we were going OOM, now we run out of sockets.. 😞 But this actually means there is a slowdown somewhere, either in the filters or in the inputs. Do you have any other errors in the log file? Maybe retry timeouts on the elasticsearch output?
I have the same problem... So, how can I increase the workers if I am running logstash as a service?
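One place the worker count can go when running as a service, as a sketch (the file path and the LS_OPTS variable are assumptions about the packaged init scripts, not confirmed in this thread):

```shell
# /etc/default/logstash (Debian/Ubuntu) or /etc/sysconfig/logstash (RPM
# systems) -- assumed locations read by the packaged init script. Adding
# the filter worker flag here applies it to the service without editing
# the init script itself.
LS_OPTS="-w 4"
```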
I think there is a misunderstanding in this issue about whether this message is problematic or not. Let me explain a bit how Logstash works with events: we have multiple types of plugins, and between every stage of the pipeline we use a small queue which is fixed to 20 events.
Now let's take the scenario that something is wrong on the external service side. It could be multiple things: the service is down, we have a network slowdown, or the service cannot keep up with our throughput. The inputs need to be informed of this situation so they stop accepting new events; the way we currently do this is by using a blocking queue. This limit is a way to prevent Logstash from going OOM under back pressure; in 1.4.2 it was going OOM in this situation. Is it a problem?
What can I do to improve the situation?
What the developers are working on
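The blocking-queue behavior described above can be sketched in Ruby (a minimal illustration, not Logstash's actual code; only the 20-event queue size is taken from the explanation):

```ruby
# A bounded queue between pipeline stages: when the consumer stalls,
# the producer's push blocks, and that blocking is the back pressure.
QUEUE_SIZE = 20                      # the inter-stage queue size mentioned above
queue = SizedQueue.new(QUEUE_SIZE)

producer = Thread.new do
  25.times { |i| queue.push(i) }     # blocks once 20 events are buffered
end

sleep 0.2                            # give the producer time to fill the queue
buffered = queue.size                # the consumer never ran, so the queue is full
producer_blocked = producer.alive?   # the producer is stuck on push number 21

25.times { queue.pop }               # draining the queue releases the producer
producer.join

puts buffered                        # => 20
puts producer_blocked                # => true
```

With a plain (unbounded) Queue the producer would never block, which is how a slow output could drive the process OOM instead.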
@ph, I'll try to stop that postgresql filter for a while (https://gist.github.com/bdelbosc/9508821), and will let you know if logstash stops again.
@mabdelfattah are you getting the "maximum connection exceeded" error in your log? Because this issue is related to the lumberjack input, and I don't see it in your configuration. Can you create a new issue with details about your configuration and any error messages you can find in the logstash log?
I too am getting the same error in the logstash logs, and I'm also getting "Read error looking for ack: read tcp xxxxxx i/o timeout" in the logstash-forwarder logs...
I got the same problem too. Logstash dies and can't parse logs anymore; it worked again after restarting logstash.
You cannot restart logstash after that with the command "sudo service logstash restart".
@ph I'm sorry for the late response, here is my lumberjack input config:
For me this solved the problem of LogStash hanging and the message in the logs:

input {
  lumberjack {
    ...
    max_clients => 30000
    ...
  }
}

LogStash complains about a deprecated option, but at least it is stable and works.
I've released a new version of the lumberjack input that drops support for the max_clients option.
After running for a while, logstash doesn't output any events to ES. Instead, lots of "warnings" are written to the log file.
(Btw, why does it say ":max_clients=>nil"?)
When executing
sudo lsof | grep logstash
a lot of unclosed connections are listed. Any idea why this happens from time to time?