ELK集群安装 x-pack后 logstash input elasticsearch 配置异常问题记录

logstash版本 6.7

在logstash.yml中新增了 X-Pack Monitoring相关配置以后

output中配置如下

output {
  elasticsearch {
    action => "index"
    hosts => ["https://***001:27920","https://***002:27920"]
    index => "test_info_%{[my_index]}"
    document_type => "%{[@metadata][_type]}"
    document_id => "%{[@metadata][_id]}"
    template_name => "test_template"
    ssl => true
    ssl_certificate_verification => true
    cacert => "/usr/local/logstash-6.7.0/config/certs/elastic-stack-ca.pem"
    user => "logstash_admin"
    password => "********"
  }
}

采集日志，正常运行没有问题！

因为考虑使用logstash迁移es历史数据，input中(错误)配置写法如下

input {
  elasticsearch {
    hosts => [ "https://***001:27920", "https://***002:27920"]
    index => "test_data"
    query => '{"query": {"match": {"policy_no":"*******"} } }'
    size =>1000
    scroll =>"1m"
    slices =>5
    docinfo => true
    ssl => true
    user => "logstash_admin"
    password => "******"
    ca_file => "/usr/local/logstash-6.7.0/config/certs/elastic-stack-ca.pem"
  }
}

logstash启动异常如下

?

1 2 3

Error: Failed to open TCP connection to https:0 (initialize: name or service not known)  Exception: Faraday::ConnectionFailed  Stack: org/jruby/ext/socket/RubyTCPSocket.java:138:in `initialize'

修改input配置如下可用：

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

input {   elasticsearch {     hosts => [****001:27920","****002:27920"]     index => "test_data"     query => '{"query": {"match": {"policy_no":"**************"} } }'     size =>1000     scroll =>"1m"     slices =>5     docinfo => true     ssl => true     user => "logstash_admin"     password => "**********"     ca_file => "/usr/local/logstash-6.7.0/config/certs/elastic-stack-ca.pem"   } }