version:
auditbeat version 7.8.0 (arm64), libbeat 7.8.0 [f79387d32717d79f689d94fda1ec80b2cf285d30 built 2020-06-14 18:12:56 +0000 UTC]
Debian 10
Aug 04 16:37:51 scw-optimistic-austin auditbeat[11004]: 2020-08-04T16:37:51.317+0200 ERROR [logstash] logstash/async.go:280 Failed to publish events caused by: write tcp 10.12.74.73:56506->163.172.103.120:5001: write: connection reset by peer
Aug 04 16:37:51 scw-optimistic-austin auditbeat[11004]: 2020-08-04T16:37:51.318+0200 INFO [publisher] pipeline/retry.go:221 retryer: send unwait signal to consumer
Aug 04 16:37:51 scw-optimistic-austin auditbeat[11004]: 2020-08-04T16:37:51.318+0200 INFO [publisher] pipeline/retry.go:225 done
Aug 04 16:37:52 scw-optimistic-austin auditbeat[11004]: 2020-08-04T16:37:52.818+0200 ERROR [publisher_pipeline_output] pipeline/output.go:181 failed to publish events: write tcp 10.12.74.73:56506->ip:porty: write: connection reset by peer
Aug 04 16:37:52 scw-optimistic-austin auditbeat[11004]: 2020-08-04T16:37:52.818+0200 INFO [publisher_pipeline_output] pipeline/output.go:144 Connecting to backoff(async(tcp://ip:port))
Aug 04 16:37:52 scw-optimistic-austin auditbeat[11004]: 2020-08-04T16:37:52.818+0200 INFO [publisher] pipeline/retry.go:221 retryer: send unwait signal to consumer
Aug 04 16:37:52 scw-optimistic-austin auditbeat[11004]: 2020-08-04T16:37:52.818+0200 INFO [publisher] pipeline/retry.go:225 done
Aug 04 16:37:52 scw-optimistic-austin auditbeat[11004]: 2020-08-04T16:37:52.833+0200 INFO [publisher_pipeline_output] pipeline/output.go:152 Connection to backoff(async(tcp://ip:port)) established
Aug 04 16:38:12 scw-optimistic-austin auditbeat[11004]: 2020-08-04T16:38:12.026+0200 INFO [monitoring] log/log.go:145 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":14530,"time":{"ms":83}},"total":{"ticks":25930,"time":{"ms":170},"value":25930},"user":{"ticks":11400,"time":{"ms":87}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":8},"info":{"ephemeral_id":"c0589760-fd38-4788-9f94-b9ff18c5a246","uptime":{"ms":19890110}},"memstats":{"gc_next":11872400,"memory_alloc":6076776,"memory_total":283949728,"rss":8192},"runtime":{"goroutines":18}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":1,"batches":2,"failed":1,"total":2},"read":{"bytes":6},"write":{"bytes":534,"errors":1}},"pipeline":{"clients":1,"events":{"active":0,"published":1,"retry":2,"total":1},"queue":{"acked":1}}},"metricbeat":{"system":{"login":{"events":1,"success":1}}},"system":{"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}}}}
And events from this host are not added to ES.
Other hosts with the same configuration and the same Debian 10 are OK.
Any ideas on how to investigate?
wtmp seems okay because the last (command) output is OK.
Auditbeat system module with login dataset.