ERR Connecting error publishing events (retrying)

Steve_1 · April 17, 2017, 8:05pm

Hi. I have a problem when Beats connecting to Logstash:

2017-04-17T14:53:22-05:00 INFO Harvester started for file: /var/elk/logFile.log
2017-04-17T14:53:22-05:00 ERR Connecting error publishing events (retrying): dial tcp **.***.**.**:5044: getsockopt: connection refused
2017-04-17T14:53:23-05:00 ERR Connecting error publishing events (retrying): dial tcp **.***.**.**:5044: getsockopt: connection refused

I checked Logstash and it worked fine when it was reading files in local directory. I also ran telnet command:

# telnet localhost 5044
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

And it's unclear for me if Logstash works as expected or not. Or it's Beats problem. Any ideas?
I tried to forward logs from Beats to Elasticsearch and it worked good.
Providing filebeat.yml file

filebeat.prospectors:

- input_type: log

  paths:
    - /var/elk/logFile.log

registry_file: /var/lib/filebeat/registry

output.logstash:

  hosts: ["myhost:5044"]

  ssl:
    certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

giuseppe · April 17, 2017, 8:31pm

Not sure it would make a difference, but any reason not to specify the config as:

<   ssl:
<     certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
---
>   ssl.certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

Is Logstash using a certificate that is valid vs that CA?

Steve_1 · April 17, 2017, 9:38pm

Actually there is no difference with that formatting.

My logstash.config input is

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/usr/share/logstash/certs/logstash-forwarder.crt"
    ssl_key => "/usr/share/logstash/certs/logstash-forwarder.key"
  }
}

I just copied /usr/share/logstash/certs/logstash-forwarder.crt to another server with Filebeat to directory /etc/pki/tls/certs/

The issue is in certificates. Is this correct command to generate them?
openssl req -x509 -nodes -newkey rsa:2048 -keyout logstash-forwarder.key -out logstash-forwarder.crt

And this is from lgos:

ERR Connecting error publishing events (retrying): x509: certificate is valid for "ABC", not "myhost"

giuseppe · April 18, 2017, 11:06pm

Sounds like the certificate being used on the Logstash server is not valid for the hostname you're running filebeat on. Maybe you want to add an alternative via -subj?

Steve_1 · April 19, 2017, 12:13am

Recreated certificate - works good now.

system · May 8, 2017, 8:18pm

This topic was automatically closed after 21 days. New replies are no longer allowed.

Topic		Replies	Views
ERR Connecting error publishing events (retrying): dial tcp x.x.x.x:5044: getsockopt: connection refused Logstash	4	1873	October 5, 2018
Connecting error publishing events Beats	4	1670	July 5, 2017
Error After updating to ELK 5 Logstash	3	595	June 7, 2017
ERR Connecting error publishing events (retrying) - help me Beats filebeat	2	1207	July 27, 2017
ERR Connecting error publishing events (retrying): dial tcp 127.0.0.1:5044: getsockopt: connection refused Beats filebeat	2	1062	September 24, 2019

ERR Connecting error publishing events (retrying)

Related topics