Docker logstash trying to connect to despite

I have a docker logstash configured as such:

input {
  tcp {
    port => 5000

output {
  elasticsearch {
    hosts => [""]


I would expect logstash to connect to and not http://elasticsearch:9200/


Reproducible 100% of the time, I am getting this error:

[2023-08-18T06:11:35,099][INFO ][logstash.licensechecker.licensereader] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://elasticsearch:9200/]}}
[2023-08-18T06:11:35,409][INFO ][logstash.licensechecker.licensereader] Failed to perform request {:message=>"elasticsearch: Name or service not known", :exception=>Manticore::ResolutionFailure, :cause=> elasticsearch: Name or service not known}
[2023-08-18T06:11:35,415][WARN ][logstash.licensechecker.licensereader] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://elasticsearch:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://elasticsearch:9200/][Manticore::ResolutionFailure] elasticsearch: Name or service not known"}
[2023-08-18T06:11:35,599][INFO ][logstash.licensechecker.licensereader] Failed to perform request {:message=>"elasticsearch", :exception=>Manticore::ResolutionFailure, :cause=> elasticsearch}

I am sure logstash is picking up the correct configuration, because after this error, few lines after, it does connect to my expected destination.


Why would logstash still trying to connect to localhost even if I configured a custom host?


  • run into the same issue, and found a couple of articles suggesting that it's from logstash x-pack monitoring which is on by default, see here: It's about disabling the license checking.

    The solution that worked for me is entering:

    xpack.monitoring.enabled: false

    in logstash.yml (in my container it's under /usr/share/logstash/config/logstash.yml).