I have a problem that is driving me crazy. I set up a POC for ELK and configured filebeat to send our logs via loghost:9200, the same port that logstash is listening to. That was fine for the test but now I want to use grok and start redirecting filebeat to loghost:5044 and then to loghost:9200. Easy to do configuration-wise, but it's not working as I think it should.
:5044 is open on my loghost and I can telnet in from another host or even from the loghost itself to post test messages but when it comes to logs, nothing really gets sent. I do see some messages like "User-Agent: Go-http-client/1.1" or "GET / HTTP/1.1" in Kibana, but the filebeat log from any host always returns
ERR Connecting error publishing events (retrying): Get http://loghost:5044: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
Changing /etc/filebeat/filebeat.yml to use port :9200 makes everything right in the world again.
Seeing that this happens from my loghost directly, I'm pretty confident that it's a configuration issue on my part but can't think of what I'm not seeing.
As an aside, I have a few other exposed ports on my loghost that I use for remote syslogging and that seems to be working well. Pointing filebeat to one of those ports gives me the same errors.
firewalld is down, iptables is flushed, selinux is disabled, ulimit is unlimited.
For these examples, loghost is the name of my ELK server.
Most likely there is something wrong with your .conf file so that when filebeat sends its logs, you receive a connection refused. You can run a netstat and see what else is bound to that port, but more than likely there is something wrong with either your filebeat.yml or configuration issues (probably fat fingered) in your .conf file.
Upon further review, the reason 5044 is not answering your filebeat is because there is something wrong with your logstash.conf (or whatever you named it) file. The reason why 9200 works is because elasticsearch is receiving and is not filtering/parsing the data as logstash does. You can telnet to 5044 all day, but if you try to send data to logstash, it'll refuse the connection because the logstash conf file has been written incorrectly.
Your input should look like, for starters, you have to specify beats as the input method...
Can you share your beats configuration? beats->logstash is not HTTP. The fact the error message complains about HTTP makes me wonder if you configured the elasticsearch output to send to logstash.
Thanks for the suggestion about installing the beats plugin on loghost. Did that, restarted logstash, and added beats to /etc/logstash/conf.d/filebeat.conf, but no dice.
Sample from /var/log/filebeat/filebeat log on my test host:
2017-09-06T10:36:12-04:00 INFO Non-zero metrics in the last 30s: libbeat.es.publish.read_errors=1 libbeat.es.publish.write_bytes=127
2017-09-06T10:36:42-04:00 INFO No non-zero metrics in the last 30s
2017-09-06T10:36:45-04:00 ERR Connecting error publishing events (retrying): Get http://loghost:5044: read tcp testmachine.ip.addr:51835->loghost.ip.addr:5044: read: connection reset by peer
2017-09-06T10:37:12-04:00 INFO Non-zero metrics in the last 30s: libbeat.es.publish.read_errors=1 libbeat.es.publish.write_bytes=127
2017-09-06T10:37:42-04:00 INFO No non-zero metrics in the last 30s
2017-09-06T10:37:45-04:00 ERR Connecting error publishing events (retrying): Get http://loghost:5044: read tcp testmachine.ip.addr:54609->loghost.ip.addr:5044: read: connection reset by peer
2017-09-06T10:38:12-04:00 INFO Non-zero metrics in the last 30s: libbeat.es.publish.read_errors=1 libbeat.es.publish.write_bytes=127
2017-09-06T10:38:42-04:00 INFO No non-zero metrics in the last 30s
2017-09-06T10:38:45-04:00 ERR Connecting error publishing events (retrying): Get http://loghost:5044: read tcp testmachine.ip.addr:37162->loghost.ip.addr:5044: read: connection reset by peer
2017-09-06T10:39:12-04:00 INFO Non-zero metrics in the last 30s: libbeat.es.publish.read_errors=1 libbeat.es.publish.write_bytes=127
As a test, I'm reloading with http.cors disabled to see what happens, but this is how I have my /etc/elasticsearch/elasticsearch.yml configured pre-CORS change:
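The reply above points out that Beats-to-Logstash is not HTTP, and the log lines show filebeat issuing an HTTP GET to port 5044. The script below is an added example, not from this thread and not Elastic's code: it checks a filebeat.yml fragment for an output type that does not match the port it targets (output.elasticsearch aimed at 5044, or output.logstash aimed at 9200), and it parses filebeat "Connecting error" lines for the same signature. The YAML fragments, the Logstash input fragment and the port conventions (5044 for the beats input, 9200 for Elasticsearch) are assumptions; the log line is copied from the post above. It uses only the standard library so it runs without PyYAML.

```python
"""Added example: spot a filebeat output whose protocol does not match its port."""
import re

# Constructed filebeat.yml fragments (assumed, not the poster's actual file).
# The first reproduces the thread's symptom: the elasticsearch output speaks
# HTTP, so it sends "GET /" to whatever listens on 5044 and gets reset.
FILEBEAT_YML_WRONG = """\
output.elasticsearch:
  hosts: ["loghost:5044"]
"""

FILEBEAT_YML_RIGHT = """\
output.logstash:
  hosts: ["loghost:5044"]
"""

# Matching Logstash pipeline input (constructed reference, not checked here).
LOGSTASH_CONF_RIGHT = """\
input {
  beats {
    port => 5044
  }
}
"""

# One error line and one metrics line copied from the post above.
SAMPLE_FILEBEAT_LOG = """\
2017-09-06T10:36:45-04:00 ERR Connecting error publishing events (retrying): Get http://loghost:5044: read tcp testmachine.ip.addr:51835->loghost.ip.addr:5044: read: connection reset by peer
2017-09-06T10:37:12-04:00 INFO Non-zero metrics in the last 30s: libbeat.es.publish.read_errors=1 libbeat.es.publish.write_bytes=127
"""

# Port conventions assumed for the check (the defaults used in the thread).
BEATS_PORT = 5044      # Logstash beats input: Lumberjack over TCP, not HTTP
ES_HTTP_PORT = 9200    # Elasticsearch REST API: HTTP

_OUTPUT_TYPES = r"(elasticsearch|logstash|kafka|redis|file|console)"
_OUTPUT_DOTTED = re.compile(r"^output\." + _OUTPUT_TYPES + r"\s*:")
_OUTPUT_NESTED = re.compile(r"^\s+" + _OUTPUT_TYPES + r"\s*:")
_HOSTS = re.compile(r"hosts\s*:\s*\[([^\]]*)\]")
_HOSTPORT = re.compile(r"([\w.\-]+):(\d+)")


def filebeat_output(yml: str):
    """Return (output_type, [(host, port), ...]) for a filebeat.yml text.

    Handles the dotted form (output.logstash:) and the nested form
    (output:\\n  logstash:). Only the first output section is considered.
    """
    output_type = None
    in_output_block = False
    hosts = []
    for line in yml.splitlines():
        if line.strip().startswith("#"):
            continue
        m = _OUTPUT_DOTTED.match(line)
        if m and output_type is None:
            output_type = m.group(1)
            continue
        if line.rstrip() == "output:":
            in_output_block = True
            continue
        if in_output_block and output_type is None:
            m = _OUTPUT_NESTED.match(line)
            if m:
                output_type = m.group(1)
                continue
        if output_type is not None:
            m = _HOSTS.search(line)
            if m:
                hosts.extend((h, int(p)) for h, p in _HOSTPORT.findall(m.group(1)))
    return output_type, hosts


def classify(output_type, port: int) -> str:
    """Map an output type / port pairing to a finding under the assumed ports."""
    if output_type == "elasticsearch" and port == BEATS_PORT:
        return "elasticsearch output speaks HTTP but is aimed at the Logstash beats port"
    if output_type == "logstash" and port == ES_HTTP_PORT:
        return "logstash output speaks Lumberjack but is aimed at the Elasticsearch HTTP port"
    return "ok"


# filebeat's libbeat error line: "<verb> <scheme>://<host>:<port>: <cause>"
_ERR = re.compile(
    r"ERR Connecting error publishing events \(retrying\): "
    r"(?P<verb>\w+) (?P<scheme>https?)://(?P<host>[^:/\s]+):(?P<port>\d+)/?: (?P<cause>.*)$"
)


def parse_publish_errors(log_text: str):
    """Extract verb/scheme/host/port/cause from filebeat 'Connecting error' lines."""
    found = []
    for line in log_text.splitlines():
        m = _ERR.search(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            found.append(d)
    return found


def diagnose_log(log_text: str):
    """One finding per error line; an HTTP request to the beats port is the
    signature of output.elasticsearch pointed at Logstash."""
    findings = []
    for e in parse_publish_errors(log_text):
        if e["scheme"] in ("http", "https") and e["port"] == BEATS_PORT:
            findings.append(f"{e['host']}:{e['port']}: " + classify("elasticsearch", e["port"]))
        else:
            findings.append(f"{e['host']}:{e['port']}: {e['cause']}")
    return findings


if __name__ == "__main__":
    for name, yml in (("wrong", FILEBEAT_YML_WRONG), ("right", FILEBEAT_YML_RIGHT)):
        otype, hosts = filebeat_output(yml)
        for host, port in hosts:
            print(f"{name}: output.{otype} -> {host}:{port}: {classify(otype, port)}")
    for finding in diagnose_log(SAMPLE_FILEBEAT_LOG):
        print("log:", finding)
```

Run it against your own /etc/filebeat/filebeat.yml and /var/log/filebeat/filebeat to confirm which output section is active; the "GET / HTTP/1.1" and "Go-http-client" strings seen in Kibana are what a beats listener receives when an HTTP client connects to it, and the check above flags exactly that pairing.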