Comment 2 for bug 1423755
Revision history for this message
| Jesse Pretorius (jesse-pretorius) wrote Re: logstash stops processing logs in 9.0.6 | #2 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
@Matt Dorn Can you only remove the filters which use the multiline codec and see if that improves things? If the behavior is no different then can you try increasing the number of workers as well (ie implement both changes).
I suspect that the issue really comes down to logstash not being able to process log inputs fast enough as it only has one worker. At this stage we can't do more than one worker because we're using the multiline codec (it doesn't work with more than one worker). If this is the isolated solution then we'll have to consider:
1) Implementing multiple logstash containers (or multiple logstash instances in one container) and using a sticky (ie each host always gets sent to the same back-end) load balancer to spread the load.
2) Implementing logstash log shipping in the rsyslog containers so that the multi-line handling can be distributed to those containers. This does mean that the rsyslog containers would no longer actually be rsyslog containers, but log shipping containers.