[2025-03-16T00:07:37,943][INFO ][logstash.outputs.opensearch][main][f636cb73983bcc650332a7ed143a2c1655e1be6017f7947da7fc02b194adad2d] Retrying failed action {:status=>429, :action=>["index", {:_id=>nil, :_index=>"http_server-2025.03.14", :routing=>nil}, {"log"=>{"file"=>{"path"=>"C:/Program Files (x86)/Server/logs/localhost_access_log.log"}}, "event"=>{"hash"=>"c60225b5468e886bff692d09664d5e686b269476", "original"=>"[14/Mar/2025:11:26:10 +0000] 0:0:0:0:0:0:0:1 GET /remote/core.list-plugins HTTP/1.1 7354 200 [http-nio-8080-exec-1] [F2FC4D635FAE927072C1A24B03BD5F55.route1] admin 109ms\r"}, "url"=>{"uripath"=>"/remote/core.list-plugins"}, "@version"=>"1", "source"=>{"address"=>"0:0:0:0:0:0:0:1"}, "nodeRole"=>"http_server", "process"=>{"name"=>"http-nio-8080-exec-1"}, "http"=>{"user"=>"admin", "version"=>"1.1", "referrer"=>"F2FC4D635FAE927072C1A24B03BD5F55.route1", "response"=>{"body"=>{"bytes"=>7354}, "status_code"=>200, "time"=>109}, "request"=>{"method"=>"GET"}}, "message"=>"[14/Mar/2025:11:26:10 +0000] 0:0:0:0:0:0:0:1 GET /remote/core.list-plugins HTTP/1.1 7354 200 [http-nio-8080-exec-1] [F2FC4D635FAE927072C1A24B03BD5F55.route1] admin 109ms\r", "podName"=>"ntt", "type"=>"localhost_access_log", "host"=>{"name"=>"http_sever"}, "partition"=>"ntt0", "@timestamp"=>2025-03-14T11:26:10.000Z, "pr_name"=>"server-po"}], :error=>{"type"=>"cluster_block_exception", "reason"=>"index [http_server-2025.03.14] blocked by: [TOO_MANY_REQUESTS/12/disk usage exceeded flood-stage watermark, index has read-only-allow-delete block];"}}
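input {
  # Tomcat-style access log (one event per line).
  # The glob matches the live file and anything that starts with "localhost_access_log.log"
  # (e.g. ".log.1"); it does NOT match dated rotations such as
  # "localhost_access_log.2025-03-14.log" -- widen it to "localhost_access_log*.log*" if those are wanted.
  # No codec is set, so the plain codec's default charset (UTF-8) applies; if this file is
  # written in ISO-8859-1 like orlog below, set codec => plain { charset => "ISO-8859-1" } too.
  file {
    path => "C:/Program Files (x86)/Server/logs/localhost_access_log.log*"
    type => "localhost_access_log"
    # Only honoured for files that have no sincedb entry yet; a file seen before resumes from
    # its recorded offset regardless of this setting.
    start_position => "beginning"
    # Both thresholds are based on the file's modification time, NOT on the timestamps inside it:
    # a file touched in the last 24 h is read in full, however old the lines it contains are.
    ignore_older => 86400   # skip files not modified in the last 24 hours
    close_older => 86400    # release the handle after 24 hours without modification
  }
  # Application log; a stack trace spans several lines, so lines that do not start with an
  # ISO-8601 timestamp are appended to the previous event.
  file {
    path => "C:/Program Files (x86)/Server/logs/orlog.log*"
    type => "orlog"
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601}"
      negate => true
      what => "previous"
      charset => "ISO-8859-1"
      # Without this the last event of a file stays buffered until a further line arrives;
      # flush it after 5 s of inactivity so the final entry is not delayed indefinitely.
      auto_flush_interval => 5
      # max_lines / max_bytes are left at the codec defaults, which bound how much a single
      # runaway trace can hold in memory -- lower them if traces are known to be small.
    }
    start_position => "beginning"
    ignore_older => 86400   # skip files not modified in the last 24 hours (mtime based)
    close_older => 86400    # release the handle after 24 hours without modification
  }
}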
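filter {
  # ---- Tomcat-style access log (type assigned by the file input) ----
  if [type] == "localhost_access_log" {
    grok {
      match => {
        "message" => [
          # Structured line, e.g.
          #   [14/Mar/2025:11:26:10 +0000] ::1 GET /remote/core.list-plugins HTTP/1.1 7354 200 [http-nio-8080-exec-1] [F2FC...route1] admin 109ms
          # Uses HTTPDATE ("dd/MMM/yyyy:HH:mm:ss Z"), the layout the date filter below expects.
          # HAPROXYDATE only matched this timestamp by accident (its unescaped "." swallowed the
          # space and %{INT} accepted "+0000"); HTTPDATE matches it by design.
          # Anchored with ^ so a non-matching line fails fast instead of being scanned for a match.
          # An optional "?query" after the path is captured separately so requests carrying a
          # query string do not fall through to the fallback pattern.
          # [http][user] accepts any non-space token so names such as "john.doe" or
          # "user@example.com" do not fail the whole line and lose the user attribution.
          # NOTE(review): the second bracketed token looks like a Tomcat session id (%S) with a
          # jvmRoute suffix rather than a Referer header -- confirm against the AccessLogValve
          # pattern. If it is a session id it is a live credential and should be hashed or
          # dropped before indexing; the field name is kept as [http][referrer] only so that
          # existing dashboards keep working.
          "^\[%{HTTPDATE:[@metadata][timestamp]}\] %{IPORHOST:[source][address]} %{WORD:[http][request][method]} %{URIPATH:[url][uripath]}(?:\?%{NOTSPACE:[url][query]})? HTTP/%{NUMBER:[http][version]} (?:-|%{INT:[http][response][body][bytes]:int}) %{INT:[http][response][status_code]:int} \[%{DATA:[process][name]}\] \[(?:-|%{DATA:[http][referrer]})\] (?:-|%{NOTSPACE:[http][user]}) %{NUMBER:[http][response][time]:int}ms",
          # Fallback: any other line that starts with a bracketed timestamp.
          "^\[%{HTTPDATE:[@metadata][timestamp]}\] %{GREEDYDATA:log_message}"
        ]
      }
    }
    # Promote the parsed timestamp to @timestamp. The access log prints an explicit offset
    # ("+0000"), which the "Z" token honours; the timezone setting is only a fallback.
    date {
      match => [ "[@metadata][timestamp]", "dd/MMM/yyyy:HH:mm:ss Z" ]
      timezone => "UTC"
      target => "@timestamp"
      tag_on_failure => ["_dateparsefailure"]
    }
    # Keep the unparseable timestamp on the event so the failure can be investigated in the index.
    if "_dateparsefailure" in [tags] {
      mutate {
        add_field => { "failed_timestamp" => "%{[@metadata][timestamp]}" }
      }
    }
    # Lines matching neither pattern are kept verbatim in log_message_raw. Dropping the
    # _grokparsefailure tag means such lines can only be found by the presence of that field;
    # keep the tag instead if unparsed lines should be visible to monitoring.
    if "_grokparsefailure" in [tags] {
      mutate {
        add_field => { "log_message_raw" => "%{message}" }
        remove_tag => ["_grokparsefailure"]
      }
    }
  }
  # ---- Application log (multiline events joined by the input codec) ----
  if [type] == "orlog" {
    grok {
      match => {
        # "<ISO-8601 timestamp> <LEVEL> <message...>"; anchored so a non-matching event fails fast.
        "message" => [ "^%{TIMESTAMP_ISO8601:[@metadata][timestamp]} %{LOGLEVEL:[log][level]}%{SPACE}%{GREEDYDATA:msg}" ]
      }
    }
    # Timestamps without an offset are interpreted as UTC; an explicit offset in the line wins.
    date {
      match => ["[@metadata][timestamp]", "ISO8601"]
      timezone => "UTC"
      target => "@timestamp"
    }
  }
}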
Why is Logstash still sending events that are more than two days old? (The log line above shows the event came from the live localhost_access_log.log and is being retried after a 429 cluster_block_exception: the target index is read-only because the cluster has hit its disk flood-stage watermark.) I am using the OpenSearch output plugin, which is not supported on the Elasticsearch forum, so I am asking here. Please shed some light on this.
Files present in C:/Program Files (x86)/Server/logs/:
C:/Program Files (x86)/Server/logs/localhost_access_log.log
C:/Program Files (x86)/Server/logs/localhost_access_log.2025-03-14.log
C:/Program Files (x86)/Server/logs/localhost_access_log.2025-03-14.log
Please advise.