Troubleshooting
Quick Diagnosis
# Check container status
docker ps | grep production-pipeline
# Check recent logs
docker logs production-pipeline --tail 50 2>&1 | grep -i error
# Test end-to-end
curl -X POST http://localhost:8080/logs \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $API_TOKEN" \
  -d '{"level": "INFO", "message": "test", "service": "api"}'
Common Issues
HTTP 401/403 errors
Cause: Authentication token missing or invalid
Fix: Check auth configuration:
input:
  http_server:
    address: 0.0.0.0:8080
    # Remove or fix auth for testing
    # basic_auth:
    #   username: ${HTTP_USER}
    #   password: ${HTTP_PASS}
Logs not reaching Elasticsearch
Cause: Elasticsearch down or index issues
# Check ES health
curl -s http://localhost:9200/_cluster/health
# Check index exists
curl -s http://localhost:9200/_cat/indices
Fix: Add retry and fallback:
output:
  fallback:
    - elasticsearch: {urls: ["http://localhost:9200"]}
    - file: {path: "/var/fallback/logs.jsonl"}
PII not being redacted
Cause: Redaction patterns not matching
# Check for PII in output
docker logs production-pipeline --tail 50 2>&1 | grep -E "@|[0-9]{3}-[0-9]{2}-[0-9]{4}"
Fix: Add broader PII patterns:
- mapping: |
    root.message = this.message
      .re_replace_all("[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}", "[EMAIL]")
      .re_replace_all("\\b\\d{3}[-.]?\\d{2}[-.]?\\d{4}\\b", "[SSN]")
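The patterns in this mapping can be exercised offline before redeploying. The following is an added example, not part of the original page or the pipeline's own code: it runs the two replacements and the diagnostic grep expression over constructed messages, assuming Python's re module behaves like the pipeline's regex engine for these patterns. RESIDUAL is a hypothetical stricter post-check introduced here for comparison.

```python
import re

# Patterns copied from the mapping above (single backslashes in raw strings).
EMAIL = re.compile(r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}")
SSN = re.compile(r"\b\d{3}[-.]?\d{2}[-.]?\d{4}\b")
# The diagnostic grep above only looks for "@" or a dash-separated SSN.
GREP_CHECK = re.compile(r"@|[0-9]{3}-[0-9]{2}-[0-9]{4}")
# Hypothetical stricter post-check (assumption): also allows dot/space separators.
RESIDUAL = re.compile(r"@|\d{3}[-. ]?\d{2}[-. ]?\d{4}")


def redact(message: str) -> str:
    """Apply the two replacements in the same order as the mapping."""
    return SSN.sub("[SSN]", EMAIL.sub("[EMAIL]", message))


def audit(messages):
    """Return (redacted, grep_flagged, residual_flagged) for each message."""
    rows = []
    for msg in messages:
        out = redact(msg)
        rows.append((out, bool(GREP_CHECK.search(out)), bool(RESIDUAL.search(out))))
    return rows


# Constructed sample messages (not real data).
SAMPLES = [
    "login ok for alice@example.com",
    "ssn=123-45-6789 verified",
    "ssn=123.45.6789 verified",
    "ssn=123 45 6789 verified",   # space-separated: not covered by the mapping
    "order 123456789 shipped",    # nine-digit order number: false positive
]

if __name__ == "__main__":
    for original, (out, grep_hit, residual_hit) in zip(SAMPLES, audit(SAMPLES)):
        print(f"{original!r} -> {out!r} grep={grep_hit} residual={residual_hit}")
```

The space-separated sample passes through unredacted and the grep check does not flag it, while the nine-digit order number is redacted as an SSN.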
High latency under load
Cause: Batching or destination bottleneck
docker stats production-pipeline --no-stream
Fix: Tune batching and add backpressure:
batching:
  count: 500
  period: 5s
  byte_size: 5MB
Still stuck?
- Add debug logging:
  logger: {level: DEBUG}
- Check the Complete Pipeline for reference config
- Review Filter Severity for reducing volume