I am getting these error messages and I have the most basic configuration of Logstash/FileBeat.

ERR Connecting error publishing events (retrying): Get http://10.200.21.90:5044: read tcp 10.200.23.167:44340->10.200.21.90:5044: read: connection reset by peer2017-01-20T14:02:06-06:00 INFO No non-zero metrics in the last 30s
2017-01-20T14:02:14-06:00 ERR Connecting error publishing events (retrying): Get http://10.200.21.90:5044: read tcp 10.200.23.167:44352->10.200.21.90:5044: read: connection reset by peer
2017-01-20T14:02:36-06:00 INFO Non-zero metrics in the last 30s: libbeat.es.publish.read_errors=1 libbeat.es.publish.write_bytes=124Preformatted text

FileBeat.yml:

###################### Filebeat Configuration Example #########################"

This file is an example configuration file highlighting only the most common
options. The filebeat.full.yml file from the same directory contains all the
supported options with more comments. You can use it as a reference.

You can find the full configuration reference here:
https://www.elastic.co/guide/en/beats/filebeat/index.html

=========================== Filebeat prospectors =============================

filebeat.prospectors:

Each - is a prospector. Most options can be set at the prospector level, so
you can use different prospectors for various configurations.
Below are the prospector specific configurations.

• input_type: log

  Paths that should be crawled and fetched. Glob based paths.

  paths:

  • /var/log/*.log
    #- c:\programdata\elasticsearch\logs*

  Exclude lines. A list of regular expressions to match. It drops the lines that are

  matching any regular expression from the list.

  #exclude_lines: ["^DBG"]

  Include lines. A list of regular expressions to match. It exports the lines that are

  matching any regular expression from the list.

  #include_lines: ["^ERR", "^WARN"]

  Exclude files. A list of regular expressions to match. Filebeat drops the files that

  are matching any regular expression from the list. By default, no files are dropped.

  #exclude_files: [".gz$"]

  Optional additional fields. These field can be freely picked

  to add additional information to the crawled log files for filtering

  #fields:

  level: debug

  review: 1

  Multiline options

  Mutiline can be used for log messages spanning multiple lines. This is common

  for Java Stack Traces or C-Line Continuation

  The regexp Pattern that has to be matched. The example pattern matches all lines starting with [

  #multiline.pattern: ^[

  Defines if the pattern set under pattern should be negated or not. Default is false.

  #multiline.negate: false

  Match can be set to "after" or "before". It is used to define if lines should be append to a pattern

  that was (not) matched before or after or as long as a pattern is not matched based on negate.

  Note: After is the equivalent to previous and before is the equivalent to to next in Logstash

  #multiline.match: after

================================ General =====================================

The name of the shipper that publishes the network data. It can be used to group
all the transactions sent by a single shipper in the web interface.
name:

The tags of the shipper are included in their own field with each
transaction published.
tags: ["service-X", "web-tier"]

Optional fields that you can specify to add additional information to the
output.
fields:
env: staging

================================ Outputs =====================================

Configure what outputs to use when sending the data collected by the beat.
Multiple outputs may be used.

-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:

Array of hosts to connect to.

#hosts: ["localhost:9200"]

Optional protocol and basic auth credentials.

#protocol: "https"
#username: "elastic"
#password: "Welcome1#"

----------------------------- Logstash output --------------------------------
output.logstash:
The Logstash hosts
hosts: ["10.200.21.90:5044"]

Optional SSL. By default is off.
List of root certificates for HTTPS server verifications
ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

Certificate for SSL client authentication
ssl.certificate: "/etc/pki/client/cert.pem"

Client Certificate Key
ssl.key: "/etc/pki/client/cert.key"

================================ Logging =====================================

Sets log level. The default log level is info.
Available log levels are: critical, error, warning, info, debug
logging.level: debug

At debug level, you can selectively enable logging only for some components.
To enable all selectors use [""]. Examples of other selectors are "beat",
"publish", "service".
logging.selectors: [""]

Logstash config:

input {
beats {
port => 5044
}
file {
path => "/var/log/*.log"
}
}
output {
elasticsearch {
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
hosts => ["10.200.21.141:9200","10.200.20.218:9200","10.200.66.132:9200"]
user => logstash_internal
password => changeme
}
}

Logstash.yml:

Settings file in YAML

Settings can be specified either in hierarchical form, e.g.:

pipeline:

batch:

size: 125

delay: 5

Or as flat keys:

pipeline.batch.size: 125

pipeline.batch.delay: 5

------------ Node identity ------------

Use a descriptive name for the node:

node.name: aws-drces5ls01

If omitted the node name will default to the machine's host name

------------ Data path ------------------

Which directory should be used by logstash and its plugins

for any persistent needs. Defaults to LOGSTASH_HOME/data

#path.data: /var/lib/logstash

------------ Pipeline Settings --------------

Set the number of workers that will, in parallel, execute the filters+outputs

stage of the pipeline.

This defaults to the number of the host's CPU cores.

pipeline.workers: 2

How many workers should be used per output plugin instance

pipeline.output.workers: 1

How many events to retrieve from inputs before sending to filters+workers

pipeline.batch.size: 125

How long to wait before dispatching an undersized batch to filters+workers

Value is in milliseconds.

pipeline.batch.delay: 5

Force Logstash to exit during shutdown even if there are still inflight

events in memory. By default, logstash will refuse to quit until all

received events have been pushed to the outputs.

WARNING: enabling this can lead to data loss during shutdown

pipeline.unsafe_shutdown: false

------------ Pipeline Configuration Settings --------------

Where to fetch the pipeline configuration for the main pipeline

path.config: /etc/logstash/conf.d

Pipeline configuration string for the main pipeline

config.string:

At startup, test if the configuration is valid and exit (dry run)

config.test_and_exit: false

Periodically check if the configuration has changed and reload the pipeline

This can also be triggered manually through the SIGHUP signal

config.reload.automatic: false

How often to check if the pipeline configuration has changed (in seconds)

config.reload.interval: 3

Show fully compiled configuration as debug log message

NOTE: --log.level must be 'debug'

config.debug: false

------------ Queuing Settings --------------

Internal queuing model, "memory" for legacy in-memory based queuing and

"persisted" for disk-based acked queueing. Defaults is memory

queue.type: memory

If using queue.type: persisted, the directory path where the data files will be stored.

Default is path.data/queue

path.queue:

If using queue.type: persisted, the page data files size. The queue data consists of

append-only data files separated into pages. Default is 250mb

queue.page_capacity: 250mb

If using queue.type: persisted, the maximum number of unread events in the queue.

Default is 0 (unlimited)

queue.max_events: 0

If using queue.type: persisted, the total capacity of the queue in number of bytes.

If you would like more unacked events to be buffered in Logstash, you can increase the

capacity using this setting. Please make sure your disk drive has capacity greater than

the size specified here. If both max_bytes and max_events are specified, Logstash will pick

whichever criteria is reached first

Default is 1024mb or 1gb

queue.max_bytes: 1024mb

If using queue.type: persisted, the maximum number of acked events before forcing a checkpoint

Default is 1024, 0 for unlimited

queue.checkpoint.acks: 1024

If using queue.type: persisted, the maximum number of written events before forcing a checkpoint

Default is 1024, 0 for unlimited

queue.checkpoint.writes: 1024

If using queue.type: persisted, the interval in milliseconds when a checkpoint is forced on the head page

Default is 1000, 0 for no periodic checkpoint.

queue.checkpoint.interval: 1000

------------ Metrics Settings --------------

Bind address for the metrics REST endpoint

http.host: "10.200.21.90"

Bind port for the metrics REST endpoint, this option also accept a range

(9600-9700) and logstash will pick up the first available ports.

http.port: 9600-9700

------------ Debugging Settings --------------

Options for log.level:

* fatal

* error

* warn

* info (default)

* debug

* trace

log.level: info

path.logs: /var/log/logstash

------------ Other Settings --------------

Where to find custom plugins

path.plugins: []

~

I have no idea how to remove the auto-formatting. Sorry for the goofyness.

which filebeat and logstash version are you using? The error says the connection has been closed while reading (filebeat waiting for ACK from logstash).

This topic was automatically closed after 21 days. New replies are no longer allowed.