Logstash stalled due to busy or blocked plugin
1,682 views
Skip to first unread message
Jeffrey Arsenault
Nov 2, 2018, 4:00:50 PM11/2/18
to security-onion
Hi all,
I have fresh all-in-one install with no customization and after about 12 hours of running and having everything configured, Logstash will not start. I get the following error in logstash.log:
[ERROR][org.logstash.execution.ShutdownWatcherExt] The shutdown process appears to be stalled due to busy or blocked plugins. Check the logs for more information.
The last warning before it is:
[WARN ] [org.logstash.execution.ShutdownWatcherExt] {"inflight_count"->0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>113, "name"=>"[main}<tcp", "current_call"=>"[...]/vender/bundle/jruby/2.30/gems/logstash-input-tcp-5.0.0-java/lib/logstash/inputs/tcp.rb:180:in 'close'"} and it continues on through several similar errors with tcp.rb and watch.rb.
I've run several successful Security Onion stalls at other organizations without this problem, so I'm stumped.
Attached is my sostat-redacted.
Thanks in advance and for all you've already done for this great application.
Cheers,
Jeff
I have fresh all-in-one install with no customization and after about 12 hours of running and having everything configured, Logstash will not start. I get the following error in logstash.log:
[ERROR][org.logstash.execution.ShutdownWatcherExt] The shutdown process appears to be stalled due to busy or blocked plugins. Check the logs for more information.
The last warning before it is:
[WARN ] [org.logstash.execution.ShutdownWatcherExt] {"inflight_count"->0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>113, "name"=>"[main}<tcp", "current_call"=>"[...]/vender/bundle/jruby/2.30/gems/logstash-input-tcp-5.0.0-java/lib/logstash/inputs/tcp.rb:180:in 'close'"} and it continues on through several similar errors with tcp.rb and watch.rb.
I've run several successful Security Onion stalls at other organizations without this problem, so I'm stumped.
Attached is my sostat-redacted.
Thanks in advance and for all you've already done for this great application.
Cheers,
Jeff
Wes Lambert
Nov 3, 2018, 7:04:34 AM11/3/18
to securit...@googlegroups.com
Hi Jeff,
Typically that message comes from shutdown.
Have you tried doing something like:
sudo docker logs -f so-logstsah
Logtash may not be writing to the log before it crashes, and the above is a way to get info from the container directly on why it might have failed to start.
Please also attach the relevant Logstash log.
Thanks,
Wes
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
Jeffrey Arsenault
Nov 7, 2018, 10:47:41 PM11/7/18
to security-onion
Thank you Wes, that was the command I needed!
Reply all
Reply to author
Forward
0 new messages