Cannot run Logstash on my server

I have 2 servers (Ubuntu 18.04):

I generated an SSL certificate on ELK and sent it to the client server.

My configuration does not work. Why?

On the client server (Filebeat):
https://pastebin.com/C2cz6RVa

On the ELK server (Logstash):
https://pastebin.com/Bnz0bbMr

On ELK:

Elasticsearch

ubuntu@monitoring-example-com:~$ curl -v http://localhost:9200
* Rebuilt URL to: http://localhost:9200/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9200 (#0)
> GET / HTTP/1.1
> Host: localhost:9200
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 517
< 
{
  "name" : "monitoring-example-com",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "Evr7J-FJSWW7JBnZqWAfKg",
  "version" : {
    "number" : "7.0.1",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "e4efvb5",
    "build_date" : "2019-04-29T12:56:03.145736Z",
    "build_snapshot" : false,
    "lucene_version" : "8.0.0",
    "minimum_wire_compatibility_version" : "6.7.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host localhost left intact

Kibana

ubuntu@monitoring-example-com:~$ curl -v http://localhost:5601
* Rebuilt URL to: http://localhost:5601/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 5601 (#0)
> GET / HTTP/1.1
> Host: localhost:5601
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< location: /app/kibana
< kbn-name: kibana
< kbn-xpack-sig: c84b5f8679c25c04ce5r61b0d3b45afe
< content-type: text/html; charset=utf-8
< cache-control: no-cache
< content-length: 0
< connection: close
< Date: Sat, 18 May 2019 15:27:15 GMT
< 
* Closing connection 0

Logstash

ubuntu@monitoring-example-com:~$ curl -v http://localhost:5044
* Rebuilt URL to: http://localhost:5044/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 5044 (#0)
> GET / HTTP/1.1
> Host: localhost:5044
> User-Agent: curl/7.58.0
> Accept: */*
> 
* Recv failure: Connection reset by peer
* stopped the pause stream!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

  1. What makes you think it does not work?

  2. You should anchor your grok patterns to start of line with ^ if you can

  1. This is an error message:

    ubuntu@monitoring-example-com:~$ curl -v http://localhost:5044
    * Rebuilt URL to: http://localhost:5044/
    *   Trying 127.0.0.1...
    * TCP_NODELAY set
    * Connected to localhost (127.0.0.1) port 5044 (#0)
    > GET / HTTP/1.1
    > Host: localhost:5044
    > User-Agent: curl/7.58.0
    > Accept: */*
    >
    * Recv failure: Connection reset by peer
    * stopped the pause stream!
    * Closing connection 0
    curl: (56) Recv failure: Connection reset by peer

  2. I took the following configuration:

That is expected if you try to talk HTTP to a beats input. In the logstash log you are probably getting

io.netty.handler.codec.DecoderException: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 82

The beats input does not speak HTTP, it uses the lumberjack protocol.

When you start filebeat does it open a connection to logstash?

Logstash does not get the logs if I start Filebeat. How can I verify that the connection is open?

Port 5044 is open.

Restart filebeat and a few seconds later run "netstat -an | grep 5044" at both ends.

On the ELK server:

ubuntu@monitoring-example-com:~$ netstat -an | grep 5044
tcp6       0      0 :::5044                 :::*                    LISTEN

ubuntu@monitoring-example-com:~$ sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
Configuration OK
[2019-05-20T01:28:46,536][INFO ][logstash.runner          ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash

On the client server:

ubuntu@www-example-com ~ $ sudo filebeat setup
Exiting: Index management requested but the Elasticsearch output is not configured/enabled

When you restart filebeat, does 'netstat -an | grep 5044' show a connection, or a SYN_SENT, or something else, or nothing?

It does not show anything

ubuntu@www-examle-com ~ $ netstat -an | grep 5044
ubuntu@www-example-com ~ $
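
The netstat check discussed in this thread, as an added example (not code from any poster): a shell helper that reads `netstat -an` output and reports the state of the Beats port, matching the port number exactly instead of by substring as `grep 5044` does. The function names, the sample rows and the 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example. Live use: netstat -an | beats_port_state 5044
beats_port_state() {
    awk -v port="$1" '
        # TCP rows: proto recv-q send-q local-addr foreign-addr state
        $1 ~ /^tcp/ && NF >= 6 {
            n = split($4, l, ":"); lport = l[n]   # last field handles IPv6 ":::5044"
            m = split($5, r, ":"); rport = r[m]
            if (lport != port && rport != port) next
            seen[$6] = 1; last = $6
        }
        END {
            # Report the most informative state first.
            if (seen["ESTABLISHED"])   print "ESTABLISHED"
            else if (seen["SYN_SENT"]) print "SYN_SENT"
            else if (seen["LISTEN"])   print "LISTEN_ONLY"
            else if (last != "")       print last
            else                       print "NONE"
        }'
}

# Map a state to what it says about the Filebeat -> Logstash link.
beats_port_hint() {
    case "$1" in
        ESTABLISHED) echo "TCP session is up; check TLS settings and the Logstash log next" ;;
        SYN_SENT)    echo "client is dialing but gets no answer; check firewall or routing" ;;
        LISTEN_ONLY) echo "listener is bound but no client has connected" ;;
        NONE)        echo "no socket at all; the shipper is not attempting this port" ;;
        *)           echo "other TCP state: $1" ;;
    esac
}

# Constructed sample rows (not captured from the hosts in this thread).
SAMPLE_SERVER='tcp6       0      0 :::5044                 :::*                    LISTEN'
SAMPLE_BLOCKED='tcp        0      1 192.0.2.10:41822        192.0.2.20:5044         SYN_SENT'
SAMPLE_OK='tcp        0      0 192.0.2.10:41822        192.0.2.20:5044         ESTABLISHED'

# Demo: classify each sample, plus an empty result like the client output above.
for s in "$SAMPLE_SERVER" "$SAMPLE_BLOCKED" "$SAMPLE_OK" ""; do
    st=$(printf '%s\n' "$s" | beats_port_state 5044)
    printf '%-12s %s\n' "$st" "$(beats_port_hint "$st")"
done
```

An empty result on the client together with LISTEN_ONLY on the server, as posted above, means Filebeat never opened a socket to port 5044.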
