Auditbeat Connection reset by peer

Hi all,
I use ELK version 6.2.3 with Beats plugin 5.0.10.
I'm trying to set up Auditbeat 6.2.4 on a remote Linux machine, but in the audit log I have these errors:

2018-05-02T09:43:03.884+0200 ERROR logstash/async.go:235 Failed to publish events caused by: write tcp> write: connection reset by peer
2018-05-02T09:43:04.885+0200 ERROR pipeline/output.go:92 Failed to publish events: write tcp> write: connection reset by peer

a) The Logstash config is:

port => 5004

add_tag => "AUDIT-LNX"

if "audit" in [tags]
hosts => "localhost:9200"
index => "audit_linux_g2k-%{+YYYY.MM.dd}"

b) The socket on port 5004 is listening:

root@ELK:/etc/logstash/conf.d# netstat -an | grep 5004
tcp6 0 0 :::5004 :::* LISTEN

c) The logstash section in the auditbeat.yml is:


# Boolean flag to enable or disable the output module.
enabled: true

# The Logstash hosts
hosts: [""]

In the past I had the same problem with Filebeat 6.2.3, but with the "filebeat.publish_async: true" option I was able to solve this problem...
I have tried to set "auditbeat.publish_async: true", but it doesn't change anything.

Any idea?

Thanks in advance.


There's a new version of the Logstash beats input plugin available. Can you please try updating to the latest version? Here's the changelog.