Hi there,
About two days ago I started looking into ELK and decided to try it out on a few machines.
My set-up is the following: 1 E.L.K server, 2 client servers and 1 laptop to access Kibana.
I have followed the official installation guide on Ubuntu 14.04 and reached the part where I start configuring my client servers to send their logs to Logstash.
I have created the following filebeat.yml, stored in /etc/filebeat/:
filebeat:
  prospectors:
    -
      paths:
        - /var/log/auth.log
        - /var/log/syslog
        # - /var/log/*.log
      input_type: log
      document_type: syslog
  registry_file: /var/lib/filebeat/registry
output:
  logstash:
    hosts: ["192.168.71.104:5044"]
    bulk_max_size: 1024
    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
shipper:
logging:
  files:
    rotateeverybytes: 10485760 # = 10MB
I think it's fine and should work, but when I try to restart the service by executing sudo service filebeat restart, it gives me the following message:
* Restarting Sends log files to Logstash or directly to Elasticsearch. filebeat 2016/03/18 10:28:35.803779 transport.go:125: ERR SSL client failed to connect with: dial tcp 192.168.71.104:5044: getsockopt: connection refused
First I thought something was wrong with the certificate that I created on the E.L.K server and transferred over, but I triple-checked it and even created new ones, and it still gave me that error.
What is going on? My Logstash should be properly configured on the E.L.K server; if necessary I can show the config files. There are 3.
I also tried to troubleshoot a little further and noticed that the logstash service on the E.L.K server was not running. I tried to restart it and it started successfully, but when I checked the status again after a while, it told me that filebeat was not running. Shouldn't it be up at all times?
Hopefully someone can help me out, thanks.
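An added triage helper for the situation in this post (example code written for this thread, not something from the original poster, Filebeat or Logstash). It shows the distinction the error message above already makes: `dial tcp ...: connection refused` is a plain TCP failure, meaning nothing on the E.L.K server is accepting on 192.168.71.104:5044 (Logstash stopped, or its beats input not bound to that port), so no certificate is ever examined; a genuine certificate problem surfaces as an `x509`/`tls` error after the TCP connect succeeds. The first function classifies a Filebeat log line; the second reads `ss -ltn` output (assumed to be available on the Logstash host, `netstat -ltn` has the same address column) and reports whether the port is listening. The sample log lines and listener table are constructed for the example, apart from the error line quoted from the post.

```shell
#!/usr/bin/env bash
# Added example for triaging "SSL client failed to connect" from Filebeat 1.x.

# Classify one Filebeat log line by which layer failed. Prints one of:
#   not_listening  TCP connect refused: no process accepts on host:port
#                  (Logstash down or its beats input not listening there)
#   timeout        no answer at all: firewall, wrong host or wrong network
#   dns            the Logstash hostname did not resolve
#   tls            TCP connected, then certificate/TLS validation failed
#   unknown        anything else
classify_filebeat_error() {
  line=$1
  case "$line" in
    *"connection refused"*)                 echo not_listening ;;
    *"i/o timeout"*|*"no route to host"*)   echo timeout ;;
    *"no such host"*)                       echo dns ;;
    *"x509"*|*"tls: "*|*"certificate"*)     echo tls ;;
    *)                                      echo unknown ;;
  esac
}

# Given the text of `ss -ltn` (run on the Logstash host), print yes/no for
# whether something is listening on the given TCP port. The address column
# looks like *:5044, 0.0.0.0:5044, :::5044 or [::]:5044, so ":PORT" followed
# by whitespace or end of line identifies the socket without matching 15044.
listening_on_port() {
  ss_output=$1
  port=$2
  if printf '%s\n' "$ss_output" | grep -Eq ":$port([[:space:]]|$)"; then
    echo yes
  else
    echo no
  fi
}

# Live check to run on the Logstash host itself (not exercised offline).
check_local_beats_input() {
  listening_on_port "$(ss -ltn)" "${1:-5044}"
}

# --- constructed samples ---------------------------------------------------
# The line quoted from the post: a TCP-level refusal, not a TLS failure.
SAMPLE_REFUSED='filebeat 2016/03/18 10:28:35.803779 transport.go:125: ERR SSL client failed to connect with: dial tcp 192.168.71.104:5044: getsockopt: connection refused'
# Constructed: what a real certificate problem looks like (TCP succeeded first).
SAMPLE_TLS='transport.go:125: ERR SSL client failed to connect with: x509: certificate signed by unknown authority'
# Constructed: host reachable on the network but not answering (firewall/wrong IP).
SAMPLE_TIMEOUT='transport.go:125: ERR SSL client failed to connect with: dial tcp 192.168.71.104:5044: i/o timeout'
# Constructed `ss -ltn` output: Logstash beats input present on 5044, nothing on 5043.
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    *:22               *:*
LISTEN  0      50     :::5044            :::*
LISTEN  0      50     127.0.0.1:9200     *:*'

# Stand-alone run: print the verdict for each sample.
if [ "${BASH_SOURCE[0]:-$0}" = "$0" ]; then
  for s in "$SAMPLE_REFUSED" "$SAMPLE_TLS" "$SAMPLE_TIMEOUT"; do
    printf '%-14s %s\n' "$(classify_filebeat_error "$s")" "${s##*with: }"
  done
  printf 'port 5044 listening: %s\n' "$(listening_on_port "$SAMPLE_SS" 5044)"
  printf 'port 5043 listening: %s\n' "$(listening_on_port "$SAMPLE_SS" 5043)"
fi
```

When the verdict is `not_listening`, the certificates are not the place to look: check that the Logstash service is actually running on the E.L.K server and that its beats input is listening on 5044 (`sudo ss -ltnp | grep 5044`, and the Logstash log for why it exited); only once `listening_on_port` says `yes` and the error changes to an `x509`/`tls` message is the CA file on the client worth revisiting.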