k.m.2013
August 23, 2018, 7:42pm
1
Hello!
I am having an error adding a new environment to our ElasticSearch/Redis cluster. This is the error that I am receiving from /var/log/filebeat/filebeat
//ERR Failed to connect: dial tcp x.x.x.x:5044: getsockopt: connection refused
Filebeat.yml configuration
###################### Filebeat Configuration Example #########################
This file is an example configuration file highlighting only the most common
options. The filebeat.full.yml file from the same directory contains all the
supported options with more comments. You can use it as a reference.
You can find the full configuration reference here:
#=========================== Filebeat prospectors =============================
filebeat.prospectors:
Each - is a prospector. Most options can be set at the prospector level, so
you can use different prospectors for various configurations.
Below are the prospector specific configurations.
type: log
Paths that should be crawled and fetched. Glob based paths.
paths:
/var/log/yum.log
/var/log/messages
/var/log/secure
/var/log/audit/audit.log
type: log
/var/ossec/logs/alerts/alerts.log
Exclude lines. A list of regular expressions to match. It drops the lines that are
matching any regular expression from the list.
#exclude_lines: ['Alert']
Include lines. A list of regular expressions to match. It exports the lines that are
matching any regular expression from the list.
#include_lines: ["^ERR", "^WARN"]
Exclude files. A list of regular expressions to match. Filebeat drops the files that
are matching any regular expression from the list. By default, no files are dropped.
exclude_files: [".gz$"]
Optional additional fields. These field can be freely picked
to add additional information to the crawled log files for filtering
#fields:
level: debug
review: 1
Multiline options
Mutiline can be used for log messages spanning multiple lines. This is common
for Java Stack Traces or C-Line Continuation
The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
#multiline .pattern: 'Alert'
Defines if the pattern set under pattern should be negated or not. Default is false.
#multiline .negate: true
Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
that was (not) matched before or after or as long as a pattern is not matched based on negate.
Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
#multiline .match: after
#================================ General =====================================
The name of the shipper that publishes the network data. It can be used to group
all the transactions sent by a single shipper in the web interface.
#name:
The tags of the shipper are included in their own field with each
transaction published.
#tags: ["service-X", "web-tier"]
Optional fields that you can specify to add additional information to the
output.
#fields:
env: staging
#================================ Outputs =====================================
Configure what outputs to use when sending the data collected by the beat.
Multiple outputs may be used.
#-------------------------- Elasticsearch output ------------------------------#output .elasticsearch:
Array of hosts to connect to.
#hosts: ["x.x.x.x:9200"]#template .name: "filebeat"#template .path: "filebeat.template.json"#template .overwrite: false
Optional protocol and basic auth credentials.
#protocol: "https"#username: "elastic"#password: "changeme"
#----------------------------- Logstash output --------------------------------
The Logstash hosts
hosts: ["x.x.x.x:5044"]
Optional SSL. By default is off.
List of root certificates for HTTPS server verifications
#ssl .certificate_authorities: ["/etc/logstash/xxx.crt"]
Certificate for SSL client authentication
#ssl .certificate: "/etc/logstash/xxxx_syslog.crt"
Client Certificate Key
#ssl .key: "/etc/logstash/logstash.pkcs8.key"
#================================ Logging =====================================
Sets log level. The default log level is info.
Available log levels are: critical, error, warning, info, debug
#logging .level: debug
At debug level, you can selectively enable logging only for some components.
To enable all selectors use ["*"]. Examples of other selectors are "beat",
"publish", "service".
#logging .selectors: ["*"]
#filebeat .idle_timeout: 15m
Please always post configuration as preformatted text. What you posted above is nearly unreadable.
//ERR Failed to connect: dial tcp x.x.x.x:5044: getsockopt: connection refused
Is x.x.x.x the address of your Logstash host?
Is Logstash running on that machine?
Is there a beats input with port => 5044?
Is there a firewall blocking the connections?
k.m.2013
August 23, 2018, 8:41pm
3
magnusbaeck:
address of your Logstash host?
Is Logstash running on that
I apologize for the way the configuration file uploaded. The x.x.x.x is the address of our syslog server and that is where Filebeat/Logstash is running. There is a beats configuration file (that logstash.yml refers to).
input {
filter {
output {
The redis nodes are 3 seperate nodes in another VPC (AWS).
k.m.2013
August 23, 2018, 8:42pm
4
Logstash conf
Settings file in YAML
Settings can be specified either in hierarchical form, e.g.:
pipeline:
batch:
size: 125
delay: 5
Or as flat keys:
pipeline.batch.size: 125
pipeline.batch.delay: 5
------------ Node identity ------------
Use a descriptive name for the node:
node.name: test
If omitted the node name will default to the machine's host name
------------ Data path ------------------
Which directory should be used by logstash and its plugins
for any persistent needs. Defaults to LOGSTASH_HOME/data
path.data: /var/lib/logstash
------------ Pipeline Settings --------------
Set the number of workers that will, in parallel, execute the filters+outputs
stage of the pipeline.
This defaults to the number of the host's CPU cores.
pipeline.workers: 2
How many workers should be used per output plugin instance
pipeline.output.workers: 1
How many events to retrieve from inputs before sending to filters+workers
pipeline.batch.size: 125
How long to wait before dispatching an undersized batch to filters+workers
Value is in milliseconds.
pipeline.batch.delay: 5
Force Logstash to exit during shutdown even if there are still inflight
events in memory. By default, logstash will refuse to quit until all
received events have been pushed to the outputs.
WARNING: enabling this can lead to data loss during shutdown
pipeline.unsafe_shutdown: false
------------ Pipeline Configuration Settings --------------
Where to fetch the pipeline configuration for the main pipeline
path.config: /etc/logstash/conf.d/*.conf
Pipeline configuration string for the main pipeline
config.string:
At startup, test if the configuration is valid and exit (dry run)
config.test_and_exit: false
Periodically check if the configuration has changed and reload the pipeline
This can also be triggered manually through the SIGHUP signal
config.reload.automatic: false
How often to check if the pipeline configuration has changed (in seconds)
config.reload.interval: 3s
Show fully compiled configuration as debug log message
NOTE: --log.level must be 'debug'
config.debug: false
When enabled, process escaped characters such as \n and " in strings in the
pipeline configuration files.
config.support_escapes: false
------------ Module Settings ---------------
Define modules here. Modules definitions must be defined as an array.
The simple way to see this is to prepend each name with a -, and keep
all associated variables under the name they are associated with, and
above the next, like this:
modules:
- name: MODULE_NAME
var.PLUGINTYPE1.PLUGINNAME1.KEY1: VALUE
var.PLUGINTYPE1.PLUGINNAME1.KEY2: VALUE
var.PLUGINTYPE2.PLUGINNAME1.KEY1: VALUE
var.PLUGINTYPE3.PLUGINNAME3.KEY1: VALUE
Module variable names must be in the format of
var.PLUGIN_TYPE.PLUGIN_NAME.KEY
modules:
------------ Cloud Settings ---------------
Define Elastic Cloud settings here.
Format of cloud.id is a base64 value e.g. dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRub3RhcmVhbCRpZGVudGlmaWVy
and it may have an label prefix e.g. staging:dXMtZ...
This will overwrite 'var.elasticsearch.hosts' and 'var.kibana.host'
cloud.id:
Format of cloud.auth is: :
This is optional
If supplied this will overwrite 'var.elasticsearch.username' and 'var.elasticsearch.password'
If supplied this will overwrite 'var.kibana.username' and 'var.kibana.password'
cloud.auth: elastic:
------------ Queuing Settings --------------
Internal queuing model, "memory" for legacy in-memory based queuing and
"persisted" for disk-based acked queueing. Defaults is memory
queue.type: memory
If using queue.type: persisted, the directory path where the data files will be stored.
Default is path.data/queue
path.queue:
If using queue.type: persisted, the page data files size. The queue data consists of
append-only data files separated into pages. Default is 250mb
queue.page_capacity: 250mb
If using queue.type: persisted, the maximum number of unread events in the queue.
Default is 0 (unlimited)
queue.max_events: 0
If using queue.type: persisted, the total capacity of the queue in number of bytes.
If you would like more unacked events to be buffered in Logstash, you can increase the
capacity using this setting. Please make sure your disk drive has capacity greater than
the size specified here. If both max_bytes and max_events are specified, Logstash will pick
whichever criteria is reached first
Default is 1024mb or 1gb
queue.max_bytes: 1024mb
If using queue.type: persisted, the maximum number of acked events before forcing a checkpoint
Default is 1024, 0 for unlimited
queue.checkpoint.acks: 1024
If using queue.type: persisted, the maximum number of written events before forcing a checkpoint
Default is 1024, 0 for unlimited
queue.checkpoint.writes: 1024
If using queue.type: persisted, the interval in milliseconds when a checkpoint is forced on the head page
Default is 1000, 0 for no periodic checkpoint.
queue.checkpoint.interval: 1000
------------ Dead-Letter Queue Settings --------------
Flag to turn on dead-letter queue.
dead_letter_queue.enable: false
If using dead_letter_queue.enable: true, the maximum size of each dead letter queue. Entries
will be dropped if they would increase the size of the dead letter queue beyond this setting.
Default is 1024mb
dead_letter_queue.max_bytes: 1024mb
If using dead_letter_queue.enable: true, the directory path where the data files will be stored.
Default is path.data/dead_letter_queue
path.dead_letter_queue:
------------ Metrics Settings --------------
Bind address for the metrics REST endpoint
http.host: "127.0.0.1"
Bind port for the metrics REST endpoint, this option also accept a range
(9600-9700) and logstash will pick up the first available ports.
http.port: 9600-9700
------------ Debugging Settings --------------
Options for log.level:
* fatal
* error
* warn
* info (default)
* debug
* trace
log.level: info
#path .logs: /var/log/logstash
------------ Other Settings --------------
Where to find custom plugins
path.plugins: []
input {
beats {
# Syslog Server - xxxxxx #
host => "x.x.x.x"
port => 5044
}
beats {
# AD Server - xxxxxxxx #
host => "x.x.x.x"
port => 5044
}
}
You can't have two beats plugins listening on the same port. With this configuration Logstash won't start up properly.
magnusbaeck, thanks. This has helped me - some.
I'm having similar problems, not with the two beats plugins but not being able to connect. I can see that localhost is listening on port 5044 but can't connect. For some reason, logstash also opens port 9600 on the localhost however I haven't configured it for that in the conf or yml file.
Apologize in advance if I've strayed from the ES discussion group protocol(s).
@cranky_pants , please open a new thread for your question.
system
October 7, 2018, 8:39am
8
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.