When I upgraded, the flowconf.yml file was replaced, so I had to relicense the instance. Now I can’t get the system to ingest flows.
Here is the output of systemctl status flowcoll.service:
● flowcoll.service - ElastiFlow Unified Collector
Loaded: loaded (/etc/systemd/system/flowcoll.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2024-12-05 15:18:15 UTC; 8min ago
Docs: https://docs.elastiflow.com
Main PID: 837 (flowcoll)
Tasks: 10 (limit: 14218)
Memory: 1002.0M
CPU: 19.774s
CGroup: /system.slice/flowcoll.service
└─837 /usr/share/elastiflow/bin/flowcoll --config /etc/elastiflow/flowcoll.yml
Dec 05 15:26:52 elastiflow flowcoll[837]: {"level":"info","ts":"2024-12-05T15:26:52.279Z","logger":"flowcoll","caller":"metrics/queuegauge.go:88","msg":"flow processor to output writer is 90% full. This is normal when the collector is starting. If it persists for hours, it may indicat>
Dec 05 15:26:52 elastiflow flowcoll[837]: {"level":"info","ts":"2024-12-05T15:26:52.606Z","logger":"flowcoll.bootstrapper[elasticsearch]","caller":"elasticsearch/bootstrap.go:163","msg":"index template insert process is enabled"}
Dec 05 15:26:52 elastiflow flowcoll[837]: {"level":"error","ts":"2024-12-05T15:26:52.608Z","logger":"flowcoll.bootstrapper[elasticsearch]","caller":"elasticsearch/bootstrap.go:148","msg":"failed to bootstrap elasticsearch. retrying…","code":"elasticsearch/bootstrap-failure","reason">
Dec 05 15:26:55 elastiflow flowcoll[837]: {"level":"info","ts":"2024-12-05T15:26:55.907Z","logger":"flowcoll","caller":"metrics/queuegauge.go:88","msg":"UDP Server to Flow Decoder is 90% full. This is normal when the collector is starting. If it persists for hours, it may indicate tha>
Dec 05 15:26:57 elastiflow flowcoll[837]: {"level":"info","ts":"2024-12-05T15:26:57.609Z","logger":"flowcoll.bootstrapper[elasticsearch]","caller":"elasticsearch/bootstrap.go:163","msg":"index template insert process is enabled"}
Dec 05 15:26:57 elastiflow flowcoll[837]: {"level":"error","ts":"2024-12-05T15:26:57.612Z","logger":"flowcoll.bootstrapper[elasticsearch]","caller":"elasticsearch/bootstrap.go:148","msg":"failed to bootstrap elasticsearch. retrying…","code":"elasticsearch/bootstrap-failure","reason">
Dec 05 15:27:02 elastiflow flowcoll[837]: {"level":"info","ts":"2024-12-05T15:27:02.613Z","logger":"flowcoll.bootstrapper[elasticsearch]","caller":"elasticsearch/bootstrap.go:163","msg":"index template insert process is enabled"}
Dec 05 15:27:02 elastiflow flowcoll[837]: {"level":"error","ts":"2024-12-05T15:27:02.616Z","logger":"flowcoll.bootstrapper[elasticsearch]","caller":"elasticsearch/bootstrap.go:148","msg":"failed to bootstrap elasticsearch. retrying…","code":"elasticsearch/bootstrap-failure","reason">
Dec 05 15:27:07 elastiflow flowcoll[837]: {"level":"info","ts":"2024-12-05T15:27:07.617Z","logger":"flowcoll.bootstrapper[elasticsearch]","caller":"elasticsearch/bootstrap.go:163","msg":"index template insert process is enabled"}
Logs show 90% full and the VM guest isn’t stressed, so I assume this is license related:
{"level":"info","ts":"2024-12-05T15:29:12.280Z","logger":"flowcoll","caller":"metrics/queuegauge.go:88","msg":"flow processor to output writer is 90% full. This is normal when the collector is starting. If it persists for hours, it may indicate that you are at your license threshold or your system is under-resourced."}
Thanks in advance for any advice.