Connection error between filebeat server and elasticsearch server: EOF error

A3TH3RIUS · June 18, 2018, 8:06am

hi everyone,

I'm trying to set up two communicating servers, one having elasticsearch and one with Filebeat ...
The problem is that I can not get the logs on my elasticsearch server and in the Filebeat log file I get the following error:

root@servername:/# tail -f /{log path}/filebeat/filebeat
2018-06-18T09:56:17.004+0200    INFO    [publish]       pipeline/retry.go:151     done
2018-06-18T09:57:17.056+0200    ERROR   pipeline/output.go:74   Failed to connect: Get http://192.168.XX.XXX:5044: EOF
2018-06-18T09:57:17.057+0200    INFO    [publish]       pipeline/retry.go:172   retryer: send unwait-signal to consumer
2018-06-18T09:57:17.057+0200    INFO    [publish]       pipeline/retry.go:174     done
2018-06-18T09:57:17.057+0200    INFO    [publish]       pipeline/retry.go:149   retryer: send wait signal to consumer
2018-06-18T09:57:17.057+0200    INFO    [publish]       pipeline/retry.go:151     done

I give you my configuration files to know if I made a mistake:

#=========================== Filebeat inputs =============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    #Centralisation
     -  /{log path}/clients/1xx.x.x.x/XXXX.log
     -  /{log path}/clients/1xx.x.x.x/XXXXX.log

# 192.168.XX.X
     -  /{log path}/clients/xx2.1xx.XX.X/XXXX.log
     -  /{log path}/clients/xx2.1xx.XX.X/XXXXX.log

 exclude_files: ['.gz$']


#============================= Filebeat modules ===============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${my path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: true

  # Period on which files under path should be checked for changes
  #reload.period: 10s

#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false


#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["{IP@ elasticsearch server}:5044"]

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

and here is my elasticsearch configuration :

# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: graylog
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
#path.data: /path/to/data
#
# Path to log files:
#
path.logs: /var/log/cxxxxx/
#

# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: IP@ Elasticsearch server
#
# Set a custom port for HTTP:
#
http.port: 9200
#

Thank you in advance for your help.

Christian_Dahlqvist · June 18, 2018, 8:17am

Elasticsearch uses port 9200 by default, not 5044.

A3TH3RIUS · June 18, 2018, 8:21am

Yes, I know but the port 9200 of my elasticsearch is used by a graylog ...
So I configured another port for this connection.

Christian_Dahlqvist · June 18, 2018, 8:25am

Filebeat will send bulk requests to port 5044 and it looks like Elasticsearch is listening to 9200. If you have something listening to this port (Graylog?) which can accept that format I guess it should work. I do however have no experience with Graylog, so don't know if that is correct or not.

A3TH3RIUS · June 18, 2018, 8:31am

ok, I will try this configuration and I'll let you know

A3TH3RIUS · June 18, 2018, 8:43am

Now i get a new error in my filebeat log file :

ERROR pipeline/output.go:74 Failed to connect: Get http://IP@:9200: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

Sorry but i can't formate correctly this error text

A3TH3RIUS · June 18, 2018, 2:41pm

I found the solution to my error...
Indeed, the error was caused because i connected filebeat with elasticsearch while i had to make a connection with a graylog service on the same server as elasticsearch.
I specify that my solution only works in my particular configuration.

Thanks for your help.

system · July 16, 2018, 2:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.