Logstash Error: Detected corrupt queue file - Common Causes & Fixes

Pulse - Elasticsearch Operations Done Right

On this page

Brief Explanation Common Causes Troubleshooting and Resolution Steps Best Practices Frequently Asked Questions

Brief Explanation

The "Detected corrupt queue file" error in Logstash indicates that the persistent queue file used for storing events has become corrupted. This error can occur during Logstash startup or while processing events.

Common Causes

  1. Unexpected shutdown or crash of Logstash
  2. Disk failures or storage issues
  3. File system corruption
  4. Incompatible changes in Logstash versions
  5. Insufficient disk space

Troubleshooting and Resolution Steps

  1. Backup the corrupt queue file: Before attempting any fixes, create a backup of the corrupt queue file to prevent further data loss.

  2. Check disk space: Ensure there's sufficient disk space in the directory where queue files are stored.

  3. Verify file permissions: Make sure Logstash has read and write permissions for the queue directory.

  4. Attempt queue recovery:

    • Stop Logstash
    • Navigate to the queue directory (usually in path.data)
    • Run the queue recovery tool: 
      bin/logstash --path.data PATH_TO_DATA_DIRECTORY --dead-letter-queue.restore-corrupt-data

  5. If recovery fails, delete the corrupt queue file:

    • Stop Logstash
    • Delete the corrupt queue file (usually named queue.page.XXX)
    • Restart Logstash

  6. Update Logstash: If the issue persists, try updating to the latest version of Logstash, as the problem may have been addressed in a newer release.

  7. Check for disk or file system issues: Run disk health checks and file system checks to ensure there are no underlying storage problems.

Best Practices

  1. Regularly backup Logstash data and configuration files
  2. Monitor disk space and set up alerts for low disk space
  3. Implement proper shutdown procedures to avoid abrupt terminations
  4. Use Logstash monitoring features to detect and alert on queue-related issues
  5. Consider using multiple smaller queue files instead of a single large one

Frequently Asked Questions

Q: Can I recover data from a corrupt queue file?
A: In many cases, yes. Logstash provides a recovery tool that can attempt to restore data from corrupt queue files. However, success is not guaranteed, and some data loss may occur.

Q: How can I prevent queue file corruption?
A: Implement proper shutdown procedures, ensure sufficient disk space, use reliable storage, and keep Logstash updated. Regular backups can also help mitigate the impact of corruption.

Q: Will deleting the corrupt queue file cause data loss?
A: Yes, deleting the corrupt queue file will result in the loss of any events stored in that file. Always attempt recovery first and only delete as a last resort.

Q: How often should I back up Logstash queue files?
A: The frequency depends on your data volume and criticality. For high-volume, critical systems, consider daily backups. For less critical systems, weekly backups might suffice.

Q: Can changing Logstash versions cause queue file corruption?
A: While rare, significant version changes can sometimes lead to incompatibilities in queue file formats. Always test version upgrades in a non-production environment first.

Pulse - Elasticsearch Operations Done Right

Stop googling errors and staring at dashboards.

Free Trial

Subscribe to the Pulse Newsletter

Get early access to new Pulse features, insightful blogs & exclusive events , webinars, and workshops.