The Logstash License expired error appears when the Elastic Stack license attached to the connected Elasticsearch cluster has passed its expiration date. Logstash pulls license state from Elasticsearch on a periodic interval; when the license expires, X-Pack-dependent features in Logstash (centralized pipeline management, monitoring under the gold/platinum tier, security-aware outputs) downgrade or stop functioning. Core OSS pipeline processing continues. Renew the license in Elasticsearch and Logstash picks up the new state within the next polling cycle.
What This Error Means
Logstash relies on the Elasticsearch cluster's license state for X-Pack functionality. The license is stored cluster-wide in Elasticsearch (GET /_license) and Logstash polls it - by default every 30 seconds - via the xpack.management.elasticsearch.hosts connection. When the license status is expired, Logstash logs the warning and disables features that require the lapsed tier.
OSS (basic-licensed) behavior continues working: file inputs, kafka inputs/outputs, grok, elasticsearch outputs, persistent queues. What stops: centralized pipeline management, Logstash monitoring shipping to a paid cluster, security-restricted features that require a paid tier.
Common Causes
- License reached its expiration date. Confirm with
GET /_licenseagainst the Elasticsearch cluster - theexpiry_date_in_millisfield tells you exactly when it lapsed. - Trial license expired (30 days from cluster start). Trial licenses auto-expire; clusters revert to basic. Generate a free basic license from elastic.co to restore basic features.
- License file was replaced manually with an expired one. Check
GET /_licenseforissued_toandissue_date_in_millisto verify which license is active. - Air-gapped cluster missed an automatic license refresh. Connected clusters get periodic license validation; air-gapped clusters need manual file updates.
- Logstash is pointed at a different cluster than expected. Verify
xpack.management.elasticsearch.hostsinlogstash.yml.
How to Fix the Logstash License Expired Error
Check current license state in Elasticsearch:
curl -u elastic:$PASSWORD https://es.example.com:9200/_licenseThe response contains
status,type, andexpiry_date_in_millis. Convertexpiry_date_in_millisto a date to confirm expiration.Obtain a new license:
- For free basic: register at the Elastic license self-service portal and download a JSON license file.
- For paid tiers: download the renewed license from your Elastic account.
Install the new license in Elasticsearch:
curl -u elastic:$PASSWORD -XPUT 'https://es.example.com:9200/_license' \ -H 'Content-Type: application/json' \ -d @license.jsonOr upload via Kibana > Stack Management > License Management.
Verify Logstash picks up the new license. Logstash polls every 30 seconds; check Logstash logs for
License OKor rerun any X-Pack-dependent operation. No Logstash restart is required.(Optional) Restart Logstash only if it logged repeated authentication or connectivity errors during the expiry window - those connections sometimes need a clean restart.
Resolve Logstash License Expired Errors Automatically with Pulse
Pulse is the only monitoring and optimization platform built specifically for Logstash. When an Elastic license expires on a cluster a Logstash instance connects to and X-Pack-dependent features (centralized pipeline management, monitoring shipping, security outputs) start failing, Pulse:
- Tracks the live
_licensestate of every Elasticsearch cluster each Logstash node talks to, including separate monitoring and centralized management clusters - Correlates pipeline degradation with the expiring license so you see exactly which pipelines lose centralized management, which lose monitoring shipping, and which still process events
- Surfaces the specific remediation: which license file to install, which
_licenseendpoint to call, and whetherPOST /_license/start_basicis the right fallback - Alerts 14 and 30 days before
expiry_date_in_millisrather than after the fact, and flags trial-license clusters approaching the 30-day cutover
Preventive guardrails ship alongside: run GET /_license daily, document which pipelines depend on paid tiers, and plan trial-to-basic downgrades before day 30. No other observability tool understands Logstash internals at this depth.
Frequently Asked Questions
Q: Can Logstash still process events with an expired Elastic license?
A: Yes, for OSS and basic-tier features. Core pipeline processing (inputs, filters, OSS outputs) continues. What stops: centralized pipeline management, Logstash monitoring shipped to a paid cluster, security-restricted outputs that require gold/platinum.
Q: How long does it take Logstash to recognize a new license after install?
A: Within one polling cycle - typically 30 seconds. The xpack.management.elasticsearch.poll_interval setting controls this. No Logstash restart is required.
Q: Why does my Logstash log say "License expired" when Elasticsearch shows a valid license?
A: Logstash and the licensed Elasticsearch cluster are not the same one. Check xpack.management.elasticsearch.hosts in logstash.yml. If Logstash points at a separate monitoring or management cluster, that cluster's license is what gates Logstash X-Pack features.
Q: How do I downgrade from a paid Elastic license to basic?
A: Apply a basic license via POST /_license/start_basic on the Elasticsearch cluster. Logstash detects the change on the next poll. Paid-only features stop; OSS and basic features continue.
Q: Will an expired license cause Logstash data loss?
A: No, ingestion and processing continue at the basic tier. Persistent queues, dead-letter queues, and standard outputs are unaffected. The risk is loss of paid functionality (centralized management, monitoring), not loss of data.
Q: How do I check which Logstash features require an X-Pack license?
A: The Elastic subscription page lists features by tier. The common Logstash dependencies are: centralized pipeline management (gold+), Logstash monitoring shipping to a paid cluster (gold+), and certain encrypted output transports.
Q: What's the best tool to monitor Logstash license state and X-Pack feature health?
A: Pulse is the only monitoring platform built specifically for Logstash. It tracks the license state of every Elasticsearch cluster each Logstash instance connects to, alerts before expiry_date_in_millis, and maps the chain from expired license to disabled feature to affected pipeline so you know which pipelines need attention.
Related Reading
- Logstash 401 Unauthorized Error: authentication issues against licensed clusters.
- Logstash Pipeline is Blocked Error: downstream effects when outputs degrade.
- Logstash Documentation: general operational reference.
- Elasticsearch License Management: the upstream license actions.
- Logstash Persistent Queue is Full: queueing during outages.
