ELK集群安装 xpack后 logstash input elasticsearch 配置异常问题记录

logstash版本 6.7

在logstash.yml中新增了 X-Pack Monitoring相关配置以后

output中配置如下

output {
  elasticsearch {
    action => "index"
    hosts => ["https://***001:27920","https://***002:27920"]
    index => "test_info_%{[my_index]}"
    document_type => "%{[@metadata][_type]}"
    document_id => "%{[@metadata][_id]}"
    template_name => "test_template"
    ssl => true
    ssl_certificate_verification => true
    cacert => "/usr/local/logstash-6.7.0/config/certs/elastic-stack-ca.pem"
    user => "logstash_admin"
    password => "********"
  }
}

采集日志，正常运行没有问题！

因为考虑使用logstash迁移es历史数据，input中(错误)配置写法如下

input {
  elasticsearch {
    hosts => [ "https://***001:27920", "https://***002:27920"]
    index => "test_data"
    query => '{"query": {"match": {"policy_no":"*******"} } }'
    size =>1000
    scroll =>"1m"
    slices =>5
    docinfo => true
    ssl => true
    user => "logstash_admin"
    password => "******"
    ca_file => "/usr/local/logstash-6.7.0/config/certs/elastic-stack-ca.pem"
  }
}

logstash启动异常如下

 Error: Failed to open TCP connection to https:0 (initialize: name or service not known)
  Exception: Faraday::ConnectionFailed
  Stack: org/jruby/ext/socket/RubyTCPSocket.java:138:in `initialize'

修改input配置如下可用：

input {
  elasticsearch {
    hosts => [****001:27920","****002:27920"]
    index => "test_data"
    query => '{"query": {"match": {"policy_no":"**************"} } }'
    size =>1000
    scroll =>"1m"
    slices =>5
    docinfo => true
    ssl => true
    user => "logstash_admin"
    password => "**********"
    ca_file => "/usr/local/logstash-6.7.0/config/certs/elastic-stack-ca.pem"
  }
}