Can't connect to Logstash port 5044 from Filebeat

Hi all,

This is my config in /etc/logstash/conf.d/01-logstash.conf from the ELK server.

input {
  beats {
    port => 5044
  }
}

filter {
  grok {
    match => {
      "message" => [
        "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:? %{SSH_INVALID_USER:message}"
      ]
    }
    patterns_dir => "/etc/logstash/patterns/sshd"
    named_captures_only => true
    remove_tag => ["_grokparsefailure"]
    break_on_match => true
    add_tag => [ "SSH", "SSH_INVALID_USER" ]
    add_field => { "event_type" => "SSH_INVALID_USER" }
    overwrite => "message"
  }
}

# Grok Filter for SSH Failed Password

filter {
  grok {
    match => {
      "message" => [
        "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:? %{SSH_FAILED_PASSWORD:message}"
      ]
    }
    patterns_dir => "/etc/logstash/patterns/sshd"
    named_captures_only => true
    remove_tag => ["_grokparsefailure"]
    break_on_match => true
    add_tag => [ "SSH", "SSH_FAILED_PASSWORD" ]
    add_field => { "event_type" => "SSH_FAILED_PASSWORD" }
    overwrite => "message"
  }
}

filter {

  # Grok Filter for SSH Password Accepted

  grok {
    match => {
      "message" => [
        "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:? %{SSH_ACCEPTED_PASSWORD}"
      ]
    }
    patterns_dir => "/etc/logstash/patterns/sshd"
    named_captures_only => true
    remove_tag => ["_grokparsefailure"]
    break_on_match => true
    add_tag => [ "SSH", "SSH_ACCEPTED_PASSWORD" ]
    add_field => { "event_type" => "SSH_ACCEPTED_PASSWORD" }
  }

}

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

When I use netstat, port 5044 isn't listening although I've opened it in both firewalld and iptables.
So I can't connect from the client (Filebeat) to the Logstash server.

filebeat test output
logstash: 192.168.0.1:5044...
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.0.1
    dial up... ERROR dial tcp 192.168.0.1:5044: connect: connection refused

Please help me
Thanks
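The `filebeat test output` result above ends in `connection refused`, which is a different failure from a timeout. As an added example (not part of the original post; `classify_tcp`, `HINTS` and `self_check` are hypothetical names), this Python check classifies a TCP connect attempt so that "no listener on the port" can be told apart from "packets dropped on the way":

```python
import errno
import socket
import sys

# What each result usually means when testing a Beats input port.
HINTS = {
    "open": "a process accepted the connection; the listener is up",
    "refused": "the host answered with a reset: usually nothing is bound to "
               "the port (check the service and its log); a firewall rule "
               "that rejects with tcp-reset looks the same",
    "filtered": "no answer before the timeout: packets are being dropped, "
                "typically by a firewall DROP rule or a routing problem",
    "unreachable": "an ICMP unreachable came back: a firewall REJECT rule "
                   "or a missing route",
}

def classify_tcp(host, port, timeout=3.0):
    """Try one TCP connect and return a key of HINTS."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise

def self_check():
    """Constructed test: probe a loopback port with and without a listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0: the kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    with_listener = classify_tcp("127.0.0.1", port)
    srv.close()                       # listener gone, port now unbound
    without_listener = classify_tcp("127.0.0.1", port)
    return with_listener, without_listener

if __name__ == "__main__":
    # Usage: python3 check_port.py <host> <port>
    result = classify_tcp(sys.argv[1], int(sys.argv[2]))
    print(f"{sys.argv[1]}:{sys.argv[2]} -> {result}: {HINTS[result]}")
```
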
