Logstash input empty from elasticsearch

Hi,
I’m new to elk, so don’t blame me :slight_smile: , freshly installed opendistro with security and alerting plugins. I can’t make logstash to get input from elasticsearch. I have a simple pipeline and already tested it. Below you can find test of pipeline. Logs show no errors just this :

 Apr 28 20:57:38 elastichost logstash[29225]: [2020-04-28T20:57:38,249][DEBUG][logstash.config.source.local.configpathloader] Reading config file {:config_file=>"/etc/logstash/conf.d/test.cfg"}
Apr 28 20:57:38 elastichost logstash[29225]: [2020-04-28T20:57:38,251][DEBUG][logstash.agent           ] Converging pipelines state {:actions_count=>0}
Apr 28 20:57:38 elastichost logstash[29225]: [2020-04-28T20:57:38,548][DEBUG][logstash.outputs.file    ][test] Starting flush cycle

**`test of pipeline:`**
    usr/share/logstash/bin/logstash  --config.test_and_exit -f /etc/logstash/conf.d/test.cfg --path.settings /etc/logstash
Thread.exclusive is deprecated, use Thread::Mutex
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2020-04-28T20:36:49,102][DEBUG][logstash.modules.scaffold] Found module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[2020-04-28T20:36:49,117][DEBUG][logstash.plugins.registry] Adding plugin to the registry {:name=>"fb_apache", :type=>:modules, :class=>#<LogStash::Modules::Scaffold:0x74fbee59 @directory="/usr/share/logstash/modules/fb_apache/configuration", @module_name="fb_apache", @kibana_version_parts=["6", "0", "0"]>}
[2020-04-28T20:36:49,119][DEBUG][logstash.modules.scaffold] Found module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[2020-04-28T20:36:49,119][DEBUG][logstash.plugins.registry] Adding plugin to the registry {:name=>"netflow", :type=>:modules, :class=>#<LogStash::Modules::Scaffold:0x747e0a31 @directory="/usr/share/logstash/modules/netflow/configuration", @module_name="netflow", @kibana_version_parts=["6", "0", "0"]>}
[2020-04-28T20:36:49,642][DEBUG][logstash.runner          ] -------- Logstash Settings (* means modified) ---------
[2020-04-28T20:36:49,642][DEBUG][logstash.runner          ] node.name: "elastichost"
[2020-04-28T20:36:49,642][DEBUG][logstash.runner          ] *path.config: "/etc/logstash/conf.d/test.cfg"
[2020-04-28T20:36:49,643][DEBUG][logstash.runner          ] *path.data: "/var/lib/logstash" (default: "/usr/share/logstash/data")
[2020-04-28T20:36:49,643][DEBUG][logstash.runner          ] modules.cli: []
[2020-04-28T20:36:49,643][DEBUG][logstash.runner          ] modules: []
[2020-04-28T20:36:49,643][DEBUG][logstash.runner          ] modules_list: []
[2020-04-28T20:36:49,643][DEBUG][logstash.runner          ] modules_variable_list: []
[2020-04-28T20:36:49,643][DEBUG][logstash.runner          ] modules_setup: false
[2020-04-28T20:36:49,643][DEBUG][logstash.runner          ] *config.test_and_exit: true (default: false)
[2020-04-28T20:36:49,644][DEBUG][logstash.runner          ] *config.reload.automatic: true (default: false)
[2020-04-28T20:36:49,644][DEBUG][logstash.runner          ] config.reload.interval: 3000000000
[2020-04-28T20:36:49,644][DEBUG][logstash.runner          ] config.support_escapes: false
[2020-04-28T20:36:49,644][DEBUG][logstash.runner          ] config.field_reference.parser: "STRICT"
[2020-04-28T20:36:49,644][DEBUG][logstash.runner          ] metric.collect: true
[2020-04-28T20:36:49,644][DEBUG][logstash.runner          ] pipeline.id: "main"
[2020-04-28T20:36:49,644][DEBUG][logstash.runner          ] pipeline.system: false
[2020-04-28T20:36:49,645][DEBUG][logstash.runner          ] pipeline.workers: 4
[2020-04-28T20:36:49,645][DEBUG][logstash.runner          ] pipeline.batch.size: 125
[2020-04-28T20:36:49,645][DEBUG][logstash.runner          ] pipeline.batch.delay: 50
[2020-04-28T20:36:49,645][DEBUG][logstash.runner          ] pipeline.unsafe_shutdown: false
[2020-04-28T20:36:49,645][DEBUG][logstash.runner          ] pipeline.java_execution: true
[2020-04-28T20:36:49,645][DEBUG][logstash.runner          ] pipeline.reloadable: true
[2020-04-28T20:36:49,645][DEBUG][logstash.runner          ] pipeline.plugin_classloaders: false
[2020-04-28T20:36:49,645][DEBUG][logstash.runner          ] path.plugins: []
[2020-04-28T20:36:49,646][DEBUG][logstash.runner          ] config.debug: false
[2020-04-28T20:36:49,646][DEBUG][logstash.runner          ] *log.level: "debug" (default: "info")
[2020-04-28T20:36:49,646][DEBUG][logstash.runner          ] version: false
[2020-04-28T20:36:49,646][DEBUG][logstash.runner          ] help: false
[2020-04-28T20:36:49,646][DEBUG][logstash.runner          ] log.format: "plain"
[2020-04-28T20:36:49,646][DEBUG][logstash.runner          ] http.host: "127.0.0.1"
[2020-04-28T20:36:49,646][DEBUG][logstash.runner          ] http.port: 9600..9700
[2020-04-28T20:36:49,647][DEBUG][logstash.runner          ] http.environment: "production"
[2020-04-28T20:36:49,647][DEBUG][logstash.runner          ] queue.type: "memory"
[2020-04-28T20:36:49,647][DEBUG][logstash.runner          ] queue.drain: false
[2020-04-28T20:36:49,647][DEBUG][logstash.runner          ] queue.page_capacity: 67108864
[2020-04-28T20:36:49,647][DEBUG][logstash.runner          ] queue.max_bytes: 1073741824
[2020-04-28T20:36:49,647][DEBUG][logstash.runner          ] queue.max_events: 0
[2020-04-28T20:36:49,647][DEBUG][logstash.runner          ] queue.checkpoint.acks: 1024
[2020-04-28T20:36:49,648][DEBUG][logstash.runner          ] queue.checkpoint.writes: 1024
[2020-04-28T20:36:49,648][DEBUG][logstash.runner          ] queue.checkpoint.interval: 1000
[2020-04-28T20:36:49,648][DEBUG][logstash.runner          ] queue.checkpoint.retry: false
[2020-04-28T20:36:49,648][DEBUG][logstash.runner          ] dead_letter_queue.enable: false
[2020-04-28T20:36:49,648][DEBUG][logstash.runner          ] dead_letter_queue.max_bytes: 1073741824
[2020-04-28T20:36:49,648][DEBUG][logstash.runner          ] slowlog.threshold.warn: -1
[2020-04-28T20:36:49,648][DEBUG][logstash.runner          ] slowlog.threshold.info: -1
[2020-04-28T20:36:49,648][DEBUG][logstash.runner          ] slowlog.threshold.debug: -1
[2020-04-28T20:36:49,649][DEBUG][logstash.runner          ] slowlog.threshold.trace: -1
[2020-04-28T20:36:49,649][DEBUG][logstash.runner          ] keystore.classname: "org.logstash.secret.store.backend.JavaKeyStore"
[2020-04-28T20:36:49,649][DEBUG][logstash.runner          ] *keystore.file: "/etc/logstash/logstash.keystore" (default: "/usr/share/logstash/config/logstash.keystore")
[2020-04-28T20:36:49,649][DEBUG][logstash.runner          ] *path.queue: "/var/lib/logstash/queue" (default: "/usr/share/logstash/data/queue")
[2020-04-28T20:36:49,649][DEBUG][logstash.runner          ] *path.dead_letter_queue: "/var/lib/logstash/dead_letter_queue" (default: "/usr/share/logstash/data/dead_letter_queue")
[2020-04-28T20:36:49,649][DEBUG][logstash.runner          ] *path.settings: "/etc/logstash" (default: "/usr/share/logstash/config")
[2020-04-28T20:36:49,649][DEBUG][logstash.runner          ] *path.logs: "/var/log/logstash" (default: "/usr/share/logstash/logs")
[2020-04-28T20:36:49,649][DEBUG][logstash.runner          ] --------------- Logstash Settings -------------------
[2020-04-28T20:36:49,699][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2020-04-28T20:36:49,752][DEBUG][logstash.config.source.local.configpathloader] Skipping the following files while reading config since they don't match the specified glob pattern {:files=>["/etc/logstash/conf.d/csv_parameters.cfg", "/etc/logstash/conf.d/csv_uc_name_cat.cfg", "/etc/logstash/conf.d/filebeat.cfg", "/etc/logstash/conf.d/filebeat.conf", "/etc/logstash/conf.d/filebeat_for_WF_old.cfg", "/etc/logstash/conf.d/jmxconf_inst1", "/etc/logstash/conf.d/jmxconf_inst1.cfg", "/etc/logstash/conf.d/load_tr3.cfg", "/etc/logstash/conf.d/logstash_elastic_2.cfg", "/etc/logstash/conf.d/logstash_elastic_3.cfg", "/etc/logstash/conf.d/logstash_jdbc_bp.cfg", "/etc/logstash/conf.d/logstash_jdbc_task.cfg", "/etc/logstash/conf.d/mongodb_nodes_locks.cfg", "/etc/logstash/conf.d/mongodb_nodes_metrics.cfg", "/etc/logstash/conf.d/mongodb_nodes_status.cfg", "/etc/logstash/conf.d/move_raw.cfg", "/etc/logstash/conf.d/mssql_log_1.cfg", "/etc/logstash/conf.d/mysql_error_inst1.cfg", "/etc/logstash/conf.d/mysql_schedule_inst1.cfg", "/etc/logstash/conf.d/mysql_test_inst1.cfg", "/etc/logstash/conf.d/mysql_test_inst2.cfg", "/etc/logstash/conf.d/mysql_transaction_inst1.cfg", "/etc/logstash/conf.d/postgresql_log_1.cfg", "/etc/logstash/conf.d/reindex_logs_w_uc.cfg", "/etc/logstash/conf.d/reindex_ml_w_uc.cfg", "/etc/logstash/conf.d/reindex_tr_w_uc.cfg", "/etc/logstash/conf.d/reindex_w_sla_4.cfg", "/etc/logstash/conf.d/script", "/etc/logstash/conf.d/sql_query", "/etc/logstash/conf.d/templates", "/etc/logstash/conf.d/transform1.cfg", "/etc/logstash/conf.d/transform11.cfg", "/etc/logstash/conf.d/transform1_1.cfg", "/etc/logstash/conf.d/transform2.cfg", "/etc/logstash/conf.d/transform2_filter_by_time(old).cfg"]}
[2020-04-28T20:36:49,756][DEBUG][logstash.config.source.local.configpathloader] Reading config file {:config_file=>"/etc/logstash/conf.d/test.cfg"}
[2020-04-28T20:36:50,528][DEBUG][org.logstash.secret.store.SecretStoreFactory] Attempting to exists or secret store with implementation: org.logstash.secret.store.backend.JavaKeyStore
[2020-04-28T20:36:51,158][DEBUG][org.reflections.Reflections] going to scan these urls:
jar:file:/usr/share/logstash/logstash-core/lib/jars/logstash-core.jar!/
[2020-04-28T20:36:51,209][INFO ][org.reflections.Reflections] Reflections took 49 ms to scan 1 urls, producing 20 keys and 40 values 
[2020-04-28T20:36:51,218][DEBUG][org.reflections.Reflections] expanded subtype co.elastic.logstash.api.Plugin -> co.elastic.logstash.api.Codec
[2020-04-28T20:36:51,218][DEBUG][org.reflections.Reflections] expanded subtype co.elastic.logstash.api.Plugin -> co.elastic.logstash.api.Input
[2020-04-28T20:36:51,219][DEBUG][org.reflections.Reflections] expanded subtype org.jruby.RubyBasicObject -> org.jruby.RubyObject
[2020-04-28T20:36:51,219][DEBUG][org.reflections.Reflections] expanded subtype java.lang.Cloneable -> org.jruby.RubyBasicObject
[2020-04-28T20:36:51,219][DEBUG][org.reflections.Reflections] expanded subtype org.jruby.runtime.builtin.IRubyObject -> org.jruby.RubyBasicObject
[2020-04-28T20:36:51,219][DEBUG][org.reflections.Reflections] expanded subtype java.io.Serializable -> org.jruby.RubyBasicObject
[2020-04-28T20:36:51,219][DEBUG][org.reflections.Reflections] expanded subtype java.lang.Comparable -> org.jruby.RubyBasicObject
[2020-04-28T20:36:51,219][DEBUG][org.reflections.Reflections] expanded subtype org.jruby.runtime.marshal.CoreObjectType -> org.jruby.RubyBasicObject
[2020-04-28T20:36:51,219][DEBUG][org.reflections.Reflections] expanded subtype org.jruby.runtime.builtin.InstanceVariables -> org.jruby.RubyBasicObject
[2020-04-28T20:36:51,220][DEBUG][org.reflections.Reflections] expanded subtype org.jruby.runtime.builtin.InternalVariables -> org.jruby.RubyBasicObject
[2020-04-28T20:36:51,220][DEBUG][org.reflections.Reflections] expanded subtype co.elastic.logstash.api.Plugin -> co.elastic.logstash.api.Output
[2020-04-28T20:36:51,220][DEBUG][org.reflections.Reflections] expanded subtype co.elastic.logstash.api.Metric -> co.elastic.logstash.api.NamespacedMetric
[2020-04-28T20:36:51,220][DEBUG][org.reflections.Reflections] expanded subtype java.security.SecureClassLoader -> java.net.URLClassLoader
[2020-04-28T20:36:51,221][DEBUG][org.reflections.Reflections] expanded subtype java.lang.ClassLoader -> java.security.SecureClassLoader
[2020-04-28T20:36:51,221][DEBUG][org.reflections.Reflections] expanded subtype java.io.Closeable -> java.net.URLClassLoader
[2020-04-28T20:36:51,221][DEBUG][org.reflections.Reflections] expanded subtype java.lang.AutoCloseable -> java.io.Closeable
[2020-04-28T20:36:51,221][DEBUG][org.reflections.Reflections] expanded subtype java.lang.Comparable -> java.lang.Enum
[2020-04-28T20:36:51,221][DEBUG][org.reflections.Reflections] expanded subtype java.io.Serializable -> java.lang.Enum
[2020-04-28T20:36:51,221][DEBUG][org.reflections.Reflections] expanded subtype co.elastic.logstash.api.Plugin -> co.elastic.logstash.api.Filter
[2020-04-28T20:36:51,291][DEBUG][logstash.plugins.registry] On demand adding plugin to the registry {:name=>"elasticsearch", :type=>"input", :class=>LogStash::Inputs::Elasticsearch}
[2020-04-28T20:36:51,491][DEBUG][logstash.plugins.registry] On demand adding plugin to the registry {:name=>"json", :type=>"codec", :class=>LogStash::Codecs::JSON}
[2020-04-28T20:36:51,516][DEBUG][logstash.codecs.json     ] config LogStash::Codecs::JSON/@id = "json_c9bd5693-d864-400f-85dc-7d0347ed72a3"
[2020-04-28T20:36:51,517][DEBUG][logstash.codecs.json     ] config LogStash::Codecs::JSON/@enable_metric = true
[2020-04-28T20:36:51,517][DEBUG][logstash.codecs.json     ] config LogStash::Codecs::JSON/@charset = "UTF-8"
[2020-04-28T20:36:51,542][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@password = <password>
[2020-04-28T20:36:51,542][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@ca_file = "/etc/pki/client/es.pem"
[2020-04-28T20:36:51,542][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@hosts = ["elastichost"]
[2020-04-28T20:36:51,543][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@query = "{\"query\":{\"bool\":{\"must_not\":[{\"bool\": {\"filter\": {\"exists\": {\"field\": \"move\"}}}}]}}}"
[2020-04-28T20:36:51,543][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@index = "raw_data*"
[2020-04-28T20:36:51,543][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@id = "11f3a83bd681aded794e16e65aaa30b10ab90970db9f5437890f45933c08737d"
[2020-04-28T20:36:51,543][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@ssl = true
[2020-04-28T20:36:51,543][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@user = "admin"
[2020-04-28T20:36:51,544][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@enable_metric = true
[2020-04-28T20:36:51,557][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@codec = <LogStash::Codecs::JSON id=>"json_c9bd5693-d864-400f-85dc-7d0347ed72a3", enable_metric=>true, charset=>"UTF-8">
[2020-04-28T20:36:51,557][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@add_field = {}
[2020-04-28T20:36:51,558][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@size = 1000
[2020-04-28T20:36:51,558][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@scroll = "1m"
[2020-04-28T20:36:51,558][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@docinfo = false
[2020-04-28T20:36:51,558][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@docinfo_target = "@metadata"
[2020-04-28T20:36:51,559][DEBUG][logstash.inputs.elasticsearch] config LogStash::Inputs::Elasticsearch/@docinfo_fields = ["_index", "_type", "_id"]
[2020-04-28T20:36:51,590][DEBUG][logstash.plugins.registry] On demand adding plugin to the registry {:name=>"file", :type=>"output", :class=>LogStash::Outputs::File}
[2020-04-28T20:36:51,609][DEBUG][logstash.plugins.registry] On demand adding plugin to the registry {:name=>"json_lines", :type=>"codec", :class=>LogStash::Codecs::JSONLines}
[2020-04-28T20:36:51,619][DEBUG][logstash.codecs.jsonlines] config LogStash::Codecs::JSONLines/@id = "json_lines_367078fe-883c-41a0-919f-f706b91b9ec1"
[2020-04-28T20:36:51,619][DEBUG][logstash.codecs.jsonlines] config LogStash::Codecs::JSONLines/@enable_metric = true
[2020-04-28T20:36:51,620][DEBUG][logstash.codecs.jsonlines] config LogStash::Codecs::JSONLines/@charset = "UTF-8"
[2020-04-28T20:36:51,620][DEBUG][logstash.codecs.jsonlines] config LogStash::Codecs::JSONLines/@delimiter = "\n"
[2020-04-28T20:36:51,628][DEBUG][logstash.outputs.file    ] config LogStash::Outputs::File/@path = "/var/log/logstash/logstash.txt"
[2020-04-28T20:36:51,628][DEBUG][logstash.outputs.file    ] config LogStash::Outputs::File/@id = "d0c89a1a24caf8dcd98425424d7467b70b3b5f8ce21b372816fa2339749e6485"
[2020-04-28T20:36:51,628][DEBUG][logstash.outputs.file    ] config LogStash::Outputs::File/@enable_metric = true
[2020-04-28T20:36:51,629][DEBUG][logstash.outputs.file    ] config LogStash::Outputs::File/@codec = <LogStash::Codecs::JSONLines id=>"json_lines_367078fe-883c-41a0-919f-f706b91b9ec1", enable_metric=>true, charset=>"UTF-8", delimiter=>"\n">
[2020-04-28T20:36:51,629][DEBUG][logstash.outputs.file    ] config LogStash::Outputs::File/@workers = 1
[2020-04-28T20:36:51,630][DEBUG][logstash.outputs.file    ] config LogStash::Outputs::File/@flush_interval = 2
[2020-04-28T20:36:51,630][DEBUG][logstash.outputs.file    ] config LogStash::Outputs::File/@gzip = false
[2020-04-28T20:36:51,630][DEBUG][logstash.outputs.file    ] config LogStash::Outputs::File/@filename_failure = "_filepath_failures"
[2020-04-28T20:36:51,630][DEBUG][logstash.outputs.file    ] config LogStash::Outputs::File/@create_if_deleted = true
[2020-04-28T20:36:51,630][DEBUG][logstash.outputs.file    ] config LogStash::Outputs::File/@dir_mode = -1
[2020-04-28T20:36:51,631][DEBUG][logstash.outputs.file    ] config LogStash::Outputs::File/@file_mode = -1
[2020-04-28T20:36:51,631][DEBUG][logstash.outputs.file    ] config LogStash::Outputs::File/@write_behavior = "append"
Configuration OK
[2020-04-28T20:36:51,659][INFO ][logstash.runner          ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash

pipeline intself:
input {
elasticsearch {
hosts => [“https://elastichost:9200”]
index => “rpa_raw_data*”
query => ‘{“query”:{“bool”:{“must_not”:[{“bool”: {“filter”: {“exists”: {“field”: “move”}}}}]}}}’
schedule =>“*/1 * * * *”
size => 500
scroll => “5m”
user => “user”
password => “password”
ssl => true
}
}
output {
file {
path => “/var/log/logstash/logstash.txt”
}
}

how can check anything else?

@rasulmmdv Did you get this resolved? If not which version of odfe are you running?