CANNOT push logs to LOGSTASH from FILEBEAT

My Filebeat is on the client server, in the same domain, and the ELK stack is on another server, with their default ports.

elasticsearch.yml

xpack.security.enabled: false
discovery.type: single-node
network.host: 16.XXX.YYY.ZZZ
http.port: 9200

logstash.yml

http.host: "16.202.14.116"
http.port: 9600-9700

logstash.conf

input {
        beats {
                type => beats
                port => 5044
                host => "16.XXX.YYY.ZZZ"
        }
}

filter {
grok {
    match => ["message", '%{IPV4:remoteIP}\s+%{IPV4:localIP}\s+%{INT:throughtputData:int}\s+%{INT}\s+%{IPV4:remoteHostIP}\s+%{DATA:httpProtocol}\s+%{DATA:remoteLogicalUserName}\s+%{DATA:requestMethod}\s+%{DATA:port}\s+%{DATA:queryString}\s+%{DATA:requestMethod2}\s+%{DATA:requestURI}\s+%{DATA:requestProtocol2}\s+%{INT:requestStatusCode}\s+%{DATA:userSessionID}\s+\[%{HTTPDATE:logTimeStamp}\]\s+%{DATA:remoteUser}\s+%{DATA:requestedURL}\s+%{DATA:serverName}\s+%{INT:timeTakenInMilliSec:int}\s+%{NUMBER:timeTakenInSec}\s+default\s+task-%{INT:taskID:int}\s+"%{DATA:authorization}"\s+"%{DATA:contentType}"\s+"%{DATA:referer}"\s+"%{DATA:userAgent}"\s+"%{DATA:cookie}"\s+"%{DATA:setCookie}"'         ]
  }

        if "_grokparsefailure" in [tags]{
                drop {}
          }

        if "_groktimeout" in [tags]{
                drop {}
          }

        date {
                match => ["logTimeStamp" ,"dd/MMM/yyyy:HH:mm:ss Z" ]
        }
        mutate{
        remove_field => ["message","host","input","type","@version","prospector","beat","garbageData","offset"]
        }
}

output {
  elasticsearch {
    hosts => ["16.XXX.YYY.ZZZ:9200"]
    index => "mdcp-contact-%{+YYYY.MM.dd}"
 }
}

filebeat.yml (on the remote server)

output.logstash:
  hosts: ["16.xxx.yyy.zzz:5044"]

When I run Filebeat on the same server where ELK is installed, with the same config, it works as expected. When running from the remote server (but in the same intranet/domain), it gives the following error:

2019-07-02T11:49:53.923Z        INFO    pipeline/output.go:95   Connecting to backoff(async(tcp://16.202.14.116:5044))
2019-07-02T11:50:22.902Z        INFO    [monitoring]    log/log.go:141  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":40,"time":{"ms":46}},"total":{"ticks":260,"time":{"ms":273},"value":260},"user":{"ticks":220,"time":{"ms":227}}},"info":{"ephemeral_id":"7c5d9a0b-e849-4520-a2a7-ddf8da11ffd1","uptime":{"ms":30021}},"memstats":{"gc_next":7921648,"memory_alloc":4541256,"memory_total":11893096,"rss":19337216}},"filebeat":{"events":{"active":1535,"added":1538,"done":3},"harvester":{"open_files":20,"running":20,"started":20}},"libbeat":{"config":{"module":{"running":0}},"output":{"type":"logstash"},"pipeline":{"clients":1,"events":{"active":1516,"filtered":22,"published":1516,"total":1538}}},"registrar":{"states":{"current":3,"update":3},"writes":{"success":4,"total":4}},"system":{"cpu":{"cores":24},"load":{"1":1.64,"15":0.72,"5":1.22,"norm":{"1":0.0683,"15":0.03,"5":0.0508}}}}}}
2019-07-02T11:50:24.924Z        ERROR   pipeline/output.go:100  Failed to connect to backoff(async(tcp://16.202.14.116:5044)): dial tcp 16.202.14.116:5044: i/o timeout
2019-07-02T11:50:24.924Z        INFO    pipeline/output.go:93   Attempting to reconnect to backoff(async(tcp://16.202.14.116:5044)) with 1 reconnect attempt(s)
2019-07-02T11:50:52.901Z        INFO    [monitoring]    log/log.go:141  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":50,"time":{"ms":10}},"total":{"ticks":290,"time":{"ms":28},"value":290},"user":{"ticks":240,"time":{"ms":18}}},"info":{"ephemeral_id":"7c5d9a0b-e849-4520-a2a7-ddf8da11ffd1","uptime":{"ms":60021}},"memstats":{"gc_next":7921648,"memory_alloc":4930824,"memory_total":12282664,"rss":86016}},"filebeat":{"harvester":{"open_files":20,"running":20}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":1516,"retry":1516}}},"registrar":{"states":{"current":3}},"system":{"load":{"1":1.57,"15":0.74,"5":1.24,"norm":{"1":0.0654,"15":0.0308,"5":0.0517}}}}}}
2019-07-02T11:50:56.925Z        ERROR   pipeline/output.go:100  Failed to connect to backoff(async(tcp://16.202.14.116:5044)): dial tcp 16.202.14.116:5044: i/o timeout
2019-07-02T11:50:56.925Z        INFO    pipeline/output.go:93   Attempting to reconnect to backoff(async(tcp://16.202.14.116:5044)) with 2 reconnect attempt(s)
2019-07-02T11:51:22.901Z        INFO    [monitoring]    log/log.go:141  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":60,"time":{"ms":13}},"total":{"ticks":310,"time":{"ms":26},"value":310},"user":{"ticks":250,"time":{"ms":13}}},"info":{"ephemeral_id":"7c5d9a0b-e849-4520-a2a7-ddf8da11ffd1","uptime":{"ms":90021}},"memstats":{"gc_next":7921648,"memory_alloc":5260664,"memory_total":12612504,"rss":53248}},"filebeat":{"harvester":{"open_files":20,"running":20}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":1516,"retry":1516}}},"registrar":{"states":{"current":3}},"system":{"load":{"1":1.59,"15":0.76,"5":1.27,"norm":{"1":0.0663,"15":0.0317,"5":0.0529}}}}}}

Please help with this!

Either the output.logstash/hosts in filebeat.yml does not match the port and host of the input/beats in logstash.conf, or there is a firewall or other network filter preventing the traffic from flowing.

As you said, the host IP in input > beats of logstash.conf is wrong and I have changed it.

UPDATED logstash.conf

input {
        beats {
                type => beats
                port => 5044
                host => "16.210.16.191" # host is cross domain
                # logstash is running on 16.202.14.116:9600
                # beats is running on 16.210.16.191:5044
        }
}
... rest of the settings are the same ...

It results in the following error:

[mdm@hc4t05745 logstash-6.4.2]$ [2019-07-10T08:53:47,837][ERROR][logstash.pipeline        ] A plugin had an unrecoverable error. Will restart this plugin.
  Pipeline_id:logstashtest
  Plugin: <LogStash::Inputs::Beats host=>"16.210.16.191", id=>"e6eced6b974c415012e9e6a9f76095ea90199ccfb4662663a489e963378edd74", type=>"beats", port=>5044, enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_7b62d108-7d8d-4f38-989e-a3d63371cbaa", enable_metric=>true, charset=>"UTF-8">, ssl=>false, add_hostname=>true, ssl_verify_mode=>"none", ssl_peer_metadata=>false, include_codec_tag=>true, ssl_handshake_timeout=>10000, tls_min_version=>1, tls_max_version=>1.2, cipher_suites=>["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"], client_inactivity_timeout=>60, executor_threads=>16>
  Error: Cannot assign requested address
  Exception: Java::JavaNet::BindException
  Stack: sun.nio.ch.Net.bind0(Native Method)
sun.nio.ch.Net.bind(sun/nio/ch/Net.java:433)
sun.nio.ch.Net.bind(sun/nio/ch/Net.java:425)
sun.nio.ch.ServerSocketChannelImpl.bind(sun/nio/ch/ServerSocketChannelImpl.java:223)
io.netty.channel.socket.nio.NioServerSocketChannel.doBind(io/netty/channel/socket/nio/NioServerSocketChannel.java:128)
io.netty.channel.AbstractChannel$AbstractUnsafe.bind(io/netty/channel/AbstractChannel.java:558)
io.netty.channel.DefaultChannelPipeline$HeadContext.bind(io/netty/channel/DefaultChannelPipeline.java:1283)
io.netty.channel.AbstractChannelHandlerContext.invokeBind(io/netty/channel/AbstractChannelHandlerContext.java:501)
io.netty.channel.AbstractChannelHandlerContext.bind(io/netty/channel/AbstractChannelHandlerContext.java:486)
io.netty.channel.DefaultChannelPipeline.bind(io/netty/channel/DefaultChannelPipeline.java:989)
io.netty.channel.AbstractChannel.bind(io/netty/channel/AbstractChannel.java:254)
io.netty.bootstrap.AbstractBootstrap$2.run(io/netty/bootstrap/AbstractBootstrap.java:364)
io.netty.util.concurrent.AbstractEventExecutor.safeExecute(io/netty/util/concurrent/AbstractEventExecutor.java:163)
io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(io/netty/util/concurrent/SingleThreadEventExecutor.java:403)
io.netty.channel.nio.NioEventLoop.run(io/netty/channel/nio/NioEventLoop.java:463)
io.netty.util.concurrent.SingleThreadEventExecutor$5.run(io/netty/util/concurrent/SingleThreadEventExecutor.java:858)
io.netty.util.concurrent.FastThreadLocalRunnable.run(io/netty/util/concurrent/FastThreadLocalRunnable.java:30)
java.lang.Thread.run(java/lang/Thread.java:748)
[2019-07-10T08:53:48,841][INFO ][org.logstash.beats.Server] Starting server on port: 5044

The address in the host option of the beats input has to be an address on the machine where Logstash is running. It is the address that the input will bind to; it is not a filter that controls which beats can send events to it.
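
The bind-versus-connect distinction from the last reply, as an added example that is not part of the original thread: `check_bind` reproduces the `Cannot assign requested address` failure for an address the machine does not own, and `check_connect` separates Filebeat's `i/o timeout` (traffic filtered) from a refused connection (nothing listening). The function names and the documentation address 192.0.2.10 are assumptions made for this example.

```python
import errno
import socket


def check_bind(host, port=0):
    """Try to bind host:port the way a listening input would.

    'ok'        -> the address belongs to this machine and the port is free
    'not-local' -> EADDRNOTAVAIL, what Java reports as
                   BindException: Cannot assign requested address
    'in-use'    -> another process already holds that address/port
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return "ok"
    except OSError as e:
        if e.errno == errno.EADDRNOTAVAIL:
            return "not-local"
        if e.errno == errno.EADDRINUSE:
            return "in-use"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def check_connect(host, port, timeout=3.0):
    """Dial host:port the way the Beats output does.

    'open'    -> a listener is bound and reachable
    'refused' -> host reachable, but nothing listens on that address/port
    'timeout' -> packets are dropped on the path (firewall or filter),
                 which Filebeat logs as 'dial tcp ...: i/o timeout'
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))


if __name__ == "__main__":
    # 192.0.2.10 (TEST-NET-1) is a constructed stand-in for
    # "an IP that belongs to some other machine".
    for addr in ("0.0.0.0", "127.0.0.1", "192.0.2.10"):
        print("bind", addr, "->", check_bind(addr))
```

Because `host` only selects the interface the input listens on, limiting which Beats may send has to be done elsewhere, for example with a host firewall rule or TLS client-certificate verification on the input; the plugin dump above shows `ssl=>false` and `ssl_verify_mode=>"none"`.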
