Replies: 2 comments
-
|
See if increasing the Logstash isheap to 4000m or as much as 6000m. Twice I have experienced crashing Logstash on new installs where you deploy lots of Elastic Agents. The answer was at least more ram for Logstash. There are other variables like pipeline_x_workers and pipeline_x_batch_x_size to mess with. Make conservative changes. |
Beta Was this translation helpful? Give feedback.
-
|
Hi, have done the change and it's been 3 days and seem to be stable, the only issue is with the Logstash that in less than hour is getting 40gb of log with only 139 agents, I added a mitigation using the crontab to overwrite the disk. the change made to heap was only the 25 percent of the ram as the documentation suggests. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Version
2.4.80
Installation Method
Security Onion ISO image
Description
installation
Installation Type
Distributed
Location
on-prem with Internet access
Hardware Specs
Exceeds minimum requirements
CPU
16
RAM
512
Storage for /
100
Storage for /nsm
1tb
Network Traffic Collection
span port
Network Traffic Speeds
1Gbps to 10Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
No, there are no additional clues
Detail
Hi there,
I currently have an issue with the security onion 2.4.80 , my deployment has a manager, a receiver and a search node, I followed the steps in the documentation to deploy it, and now the Redis queen is full for reason that I do not know and then After a while logstash crash.
[2024-09-06T20:21:25,218][WARN ][logstash.outputs.redis ] Failed to flush outgoing items {:outgoing_count=>125, :exception=>"Redis::CommandError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:162:in
call'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis.rb:270:inblock in send_command'", "org/jruby/ext/monitor/Monitor.java:82:insynchronize'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis.rb:269:insend_command'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/commands/lists.rb:86:inrpush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:152:inflush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:221:inblock in buffer_flush'", "org/jruby/RubyHash.java:1587:ineach'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:216:inbuffer_flush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:159:inbuffer_receive'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:209:insend_to_redis'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-codec-json-3.1.1/lib/logstash/codecs/json.rb:69:inencode'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:48:inblock in encode'", "org/logstash/instrument/metrics/AbstractSimpleMetricExt.java:74:intime'", "org/logstash/instrument/metrics/AbstractNamespacedMetricExt.java:68:intime'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:47:inencode'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:123:inreceive'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:104:inblock in multi_receive'", "org/jruby/RubyArray.java:1987:ineach'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:104:inmulti_receive'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:121:inmulti_receive'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:304:inblock in start_workers'"]}[2024-09-06T20:21:25,218][WARN ][logstash.outputs.redis ] Failed to send backlog of events to Redis {:identity=>"redis://@hostname-pv-receiver01:6379/0 list:logstash:unparsed", :exception=>#<Redis::CommandError: OOM command not allowed when used memory > 'maxmemory'.>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/client.rb:162:in
call'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis.rb:270:inblock in send_command'", "org/jruby/ext/monitor/Monitor.java:82:insynchronize'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis.rb:269:insend_command'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/redis-4.8.1/lib/redis/commands/lists.rb:86:inrpush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:152:inflush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:221:inblock in buffer_flush'", "org/jruby/RubyHash.java:1587:ineach'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:216:inbuffer_flush'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/stud-0.0.23/lib/stud/buffer.rb:159:inbuffer_receive'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:209:insend_to_redis'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-codec-json-3.1.1/lib/logstash/codecs/json.rb:69:inencode'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:48:inblock in encode'", "org/logstash/instrument/metrics/AbstractSimpleMetricExt.java:74:intime'", "org/logstash/instrument/metrics/AbstractNamespacedMetricExt.java:68:intime'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:47:inencode'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-redis-5.0.0/lib/logstash/outputs/redis.rb:123:inreceive'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:104:inblock in multi_receive'", "org/jruby/RubyArray.java:1987:ineach'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:104:inmulti_receive'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:121:inmulti_receive'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:304:inblock in start_workers'"]}the redis:
Guidelines
Beta Was this translation helpful? Give feedback.
All reactions