Lots to read through, but the fundamental issue that was being tracked there appears to be different than the issue I'm having. Similar? definitely! I'm using pubkey encryption so each client doesn't have it's own private, just uses my private CA to verify the logstash server certificate is valid.jolson wrote:The setup looks super healthy, check out this post that I found: https://github.com/elastic/logstash-for ... issues/293
The theory is that if a single host is connecting with an invalid cert, it could force disconnects on other hosts. If this happened frequently enough, it could overwhelm Logstash. I don't think that's the case here, but it's worth knowing about.
On the lumberjack input no I'm not. The only thing I have going through json is input from ossec. But that was just a test setup nothing is actually using that input rule, it's also listening on a different socket.jolson wrote:Are you using codec => json in your Logstash input? Could you attempt to remove it and see if that makes a difference?
lumberjack {
port => 5000
type => logs
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
Ok email inbound in 3...2....1.........jolson wrote:If the above doesn't help, please send an email to [email protected] and reference this thread - I'll pick the ticket up and we can troubleshoot from there. It's very interesting to me that a particular log could cause logstash to spin, but I suppose I have seen similar problems before. Case in point: https://github.com/logstash-plugins/log ... /issues/15 (they don't seem to be addressing the issue as quickly as I'd hoped).
Jesse
