Hi all,
I use ELK version 6.2.3 with the beats plugin 5.0.10.
I'm trying to set up auditbeat 6.2.4 on a remote Linux machine, but in the audit log I have these errors:
2018-05-02T09:43:03.884+0200 ERROR logstash/async.go:235 Failed to publish events caused by: write tcp 10.10.20.128:31994->10.10.28.140:5004: write: connection reset by peer
2018-05-02T09:43:04.885+0200 ERROR pipeline/output.go:92 Failed to publish events: write tcp 10.10.20.128:31994->10.10.28.140:5004: write: connection reset by peer
a) The Logstash config is (the original post was missing the closing brace of the output section):
input
{
  beats
  {
    port => 5004
  }
}
filter
{
  mutate
  {
    # every event arriving on this pipeline gets the tag "AUDIT-LNX"
    add_tag => "AUDIT-LNX"
  }
}
output
{
  # only events whose tags contain exactly "audit" reach Elasticsearch;
  # the mutate filter above adds "AUDIT-LNX", not "audit"
  if "audit" in [tags]
  {
    elasticsearch
    {
      hosts => "localhost:9200"
      index => "audit_linux_g2k-%{+YYYY.MM.dd}"
    }
  }
}
b) The socket on port 5004 is listening:
root@ELK:/etc/logstash/conf.d# netstat -an | grep 5004
tcp6 0 0 :::5004 :::* LISTEN
c) The logstash section in the auditbeat.yml is:
output.logstash:
  # Boolean flag to enable or disable the output module.
  enabled: true
  # The Logstash hosts
  hosts: ["10.10.28.140:5004"]
In the past I had the same problem with filebeat 6.2.3, but with the "filebeat.publish_async: true" option I was able to solve it.
I have tried setting "auditbeat.publish_async: true" but it doesn't change anything.
Any idea?
Thanks in advance.
Giuliano
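A client-side way to reproduce the "connection reset by peer" seen in the auditbeat log without auditbeat in the loop, added here as an example and not code from the original post or from Elastic: a minimal Lumberjack v2 client (the wire protocol Beats use towards a Logstash beats input) that sends one batch and classifies whether the server ACKs it, closes, resets or stays silent. The host/port defaults, the sample event and the `start_fake_logstash` stand-in (which only mimics the ACK and reset behaviour so the probe runs offline, and is not Logstash) are assumptions made for this example; point `probe()` at 10.10.28.140:5004 to exercise the real input.

```python
"""Minimal Lumberjack v2 probe for a Logstash beats input (added example, not from the post).

Lumberjack v2 frames start with the version byte '2' and a type byte: 'W' window size,
'J' JSON event, 'C' zlib-compressed group of frames, 'A' acknowledgement. All integers
are big-endian uint32. Host, port and the sample event below are placeholders.
"""
import json
import socket
import struct
import threading
import zlib

LJ_VERSION = b"2"


def window_frame(size):
    """'2W' + count: how many events follow before the client expects an ACK."""
    return LJ_VERSION + b"W" + struct.pack(">I", size)


def json_frame(seq, event):
    """'2J' + sequence number + payload length + JSON-encoded event."""
    payload = json.dumps(event, separators=(",", ":")).encode()
    return LJ_VERSION + b"J" + struct.pack(">II", seq, len(payload)) + payload


def compressed_frame(frames):
    """'2C' + length + zlib(frames): Beats wrap a whole batch in one compressed frame."""
    data = zlib.compress(b"".join(frames))
    return LJ_VERSION + b"C" + struct.pack(">I", len(data)) + data


def build_batch(events):
    """One batch as a Beat sends it: window frame, then the compressed JSON frames."""
    frames = [json_frame(i + 1, ev) for i, ev in enumerate(events)]
    return window_frame(len(frames)) + compressed_frame(frames)


def parse_ack(buf):
    """Acknowledged sequence number from a '2A' frame, or None if buf is not one."""
    if len(buf) < 6 or buf[:2] != LJ_VERSION + b"A":
        return None
    return struct.unpack(">I", buf[2:6])[0]


def decode_batch(buf):
    """Server-side view: parse a batch back into (window_size, [(seq, event), ...])."""
    if buf[:2] != LJ_VERSION + b"W" or buf[6:8] != LJ_VERSION + b"C":
        raise ValueError("expected window frame followed by compressed frame")
    window = struct.unpack(">I", buf[2:6])[0]
    length = struct.unpack(">I", buf[8:12])[0]
    inner, pos, events = zlib.decompress(buf[12:12 + length]), 0, []
    while pos < len(inner):
        if inner[pos:pos + 2] != LJ_VERSION + b"J":
            raise ValueError("expected JSON frame at offset %d" % pos)
        seq, plen = struct.unpack(">II", inner[pos + 2:pos + 10])
        events.append((seq, json.loads(inner[pos + 10:pos + 10 + plen])))
        pos += 10 + plen
    return window, events


def probe(host, port, events, timeout=5.0):
    """Send one batch and report ("ack", seq), ("reset", msg), ("closed", None) or ("timeout", None).

    "reset" is what the auditbeat log above shows from the client side. A beats input that
    expects TLS, or a listener that is not a beats input at all, usually answers a plaintext
    Lumberjack batch with "closed" or "reset" rather than "ack".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_batch(events))
            buf = b""
            while len(buf) < 6:                      # an ACK frame is exactly 6 bytes
                chunk = s.recv(6 - len(buf))
                if not chunk:
                    return ("closed", None)
                buf += chunk
            return ("ack", parse_ack(buf))
    except ConnectionResetError as e:
        return ("reset", str(e))
    except socket.timeout:
        return ("timeout", None)


def start_fake_logstash(reset=False):
    """Constructed stand-in for a beats input so probe() can run offline; NOT Logstash.

    Accepts one connection, reads the batch and ACKs its last sequence number, or with
    reset=True closes with SO_LINGER=0 so the kernel sends RST ("connection reset by peer").
    Returns the ephemeral port it listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            data = conn.recv(65536)                  # one read is enough for a small loopback batch
            if reset:
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
                return                               # close() now emits RST instead of FIN
            _, events = decode_batch(data)
            conn.sendall(LJ_VERSION + b"A" + struct.pack(">I", events[-1][0]))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    sample = [{"message": "constructed test event", "tags": ["AUDIT-LNX"]}]
    port = start_fake_logstash(reset=True)  # swap for ("10.10.28.140", 5004) to probe the real input
    print(probe("127.0.0.1", port, sample))  # ("reset", ...)
```

Running the probe from the Beat host separates a network-level refusal (the Logstash side closing or resetting the connection before any ACK) from a Beat-side problem; if the real input answers with an ACK for a tiny batch but auditbeat still sees resets, the difference is in what auditbeat sends (batch size, TLS settings) rather than in reachability of port 5004.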