Upgraded to 7.5.2 and now can't ingest flows or start without errors

When I upgraded the flowconf.yml file was replaced so I had to relicense the instance. Now I can’t get the system to ingest flows.

Here is the output of systemctl status flowcoll.service

● flowcoll.service - ElastiFlow Unified Collector
Loaded: loaded (/etc/systemd/system/flowcoll.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2024-12-05 15:18:15 UTC; 8min ago
Docs: https://docs.elastiflow.com
Main PID: 837 (flowcoll)
Tasks: 10 (limit: 14218)
Memory: 1002.0M
CPU: 19.774s
CGroup: /system.slice/flowcoll.service
└─837 /usr/share/elastiflow/bin/flowcoll --config /etc/elastiflow/flowcoll.yml

Dec 05 15:26:52 elastiflow flowcoll[837]: {“level”:“info”,“ts”:“2024-12-05T15:26:52.279Z”,“logger”:“flowcoll”,“caller”:“metrics/queuegauge.go:88”,“msg”:"flow processor to output writer is 90% full. This is normal when the collector is starting. If it persists for hours, it may indicat>
Dec 05 15:26:52 elastiflow flowcoll[837]: {“level”:“info”,“ts”:“2024-12-05T15:26:52.606Z”,“logger”:“flowcoll.bootstrapper[elasticsearch]”,“caller”:“elasticsearch/bootstrap.go:163”,“msg”:“index template insert process is enabled”}
Dec 05 15:26:52 elastiflow flowcoll[837]: {“level”:“error”,“ts”:“2024-12-05T15:26:52.608Z”,“logger”:“flowcoll.bootstrapper[elasticsearch]”,“caller”:“elasticsearch/bootstrap.go:148”,“msg”:“failed to bootstrap elasticsearch. retrying…”,“code”:“elasticsearch/bootstrap-failure”,“reason”>
Dec 05 15:26:55 elastiflow flowcoll[837]: {“level”:“info”,“ts”:“2024-12-05T15:26:55.907Z”,“logger”:“flowcoll”,“caller”:“metrics/queuegauge.go:88”,“msg”:"UDP Server to Flow Decoder is 90% full. This is normal when the collector is starting. If it persists for hours, it may indicate tha>
Dec 05 15:26:57 elastiflow flowcoll[837]: {“level”:“info”,“ts”:“2024-12-05T15:26:57.609Z”,“logger”:“flowcoll.bootstrapper[elasticsearch]”,“caller”:“elasticsearch/bootstrap.go:163”,“msg”:“index template insert process is enabled”}
Dec 05 15:26:57 elastiflow flowcoll[837]: {“level”:“error”,“ts”:“2024-12-05T15:26:57.612Z”,“logger”:“flowcoll.bootstrapper[elasticsearch]”,“caller”:“elasticsearch/bootstrap.go:148”,“msg”:“failed to bootstrap elasticsearch. retrying…”,“code”:“elasticsearch/bootstrap-failure”,“reason”>
Dec 05 15:27:02 elastiflow flowcoll[837]: {“level”:“info”,“ts”:“2024-12-05T15:27:02.613Z”,“logger”:“flowcoll.bootstrapper[elasticsearch]”,“caller”:“elasticsearch/bootstrap.go:163”,“msg”:“index template insert process is enabled”}
Dec 05 15:27:02 elastiflow flowcoll[837]: {“level”:“error”,“ts”:“2024-12-05T15:27:02.616Z”,“logger”:“flowcoll.bootstrapper[elasticsearch]”,“caller”:“elasticsearch/bootstrap.go:148”,“msg”:“failed to bootstrap elasticsearch. retrying…”,“code”:“elasticsearch/bootstrap-failure”,“reason”>
Dec 05 15:27:07 elastiflow flowcoll[837]: {“level”:“info”,“ts”:“2024-12-05T15:27:07.617Z”,“logger”:“flowcoll.bootstrapper[elasticsearch]”,“caller”:“elasticsearch/bootstrap.go:163”,“msg”:“index template insert process is enabled”}

logs show 90% full and the VM guest isn’t stressed so I assume this is license related

{“level”:“info”,“ts”:“2024-12-05T15:29:12.280Z”,“logger”:“flowcoll”,“caller”:“metrics/queuegauge.go:88”,“msg”:“flow processor to output writer is 90% full. This is normal when the collector is starting. If it persists for hours, it may indicate that you are at your license threshold or your system is under-resourced.”}

Thanks in advance for any advice.

Is this a native install? deb or rpm?

When you upgrade the original flowcoll.yml file is typically preserved, so if you had to re-license because it was a fresh, default flowcoll.yml then did you update all the other settings?

I would check the flowcoll.log immediately after startup to see if there is an identifying error there.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.