ERR Connecting error publishing events (retrying)

Hi. I have a problem when Beats is connecting to Logstash:

2017-04-17T14:53:22-05:00 INFO Harvester started for file: /var/elk/logFile.log
2017-04-17T14:53:22-05:00 ERR Connecting error publishing events (retrying): dial tcp **.***.**.**:5044: getsockopt: connection refused
2017-04-17T14:53:23-05:00 ERR Connecting error publishing events (retrying): dial tcp **.***.**.**:5044: getsockopt: connection refused

I checked Logstash and it worked fine when it was reading files in a local directory. I also ran the telnet command:

# telnet localhost 5044
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

And it's unclear to me whether Logstash works as expected or not. Or is it a Beats problem? Any ideas?
I tried to forward logs from Beats to Elasticsearch and it worked well.
Providing the filebeat.yml file:

filebeat.prospectors:

- input_type: log

  paths:
    - /var/elk/logFile.log

registry_file: /var/lib/filebeat/registry

output.logstash:

  hosts: ["myhost:5044"]

  ssl:
    certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

Not sure it would make a difference, but any reason not to specify the config as:

<   ssl:
<     certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
---
>   ssl.certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

Is Logstash using a certificate that is valid vs that CA?

Actually there is no difference with that formatting.

My logstash.config input is

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/usr/share/logstash/certs/logstash-forwarder.crt"
    ssl_key => "/usr/share/logstash/certs/logstash-forwarder.key"
  }
}

I just copied /usr/share/logstash/certs/logstash-forwarder.crt to another server with Filebeat, into the directory /etc/pki/tls/certs/

The issue is in the certificates. Is this the correct command to generate them?
openssl req -x509 -nodes -newkey rsa:2048 -keyout logstash-forwarder.key -out logstash-forwarder.crt

And this is from the logs:

ERR Connecting error publishing events (retrying): x509: certificate is valid for "ABC", not "myhost"

Sounds like the certificate being used on the Logstash server is not valid for the hostname you're running filebeat on. Maybe you want to add an alternative via -subj?

Recreated the certificate - works well now.
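The hostname check behind the x509 error in this thread, as an added example that is not part of the original posts: Filebeat is written in Go, and the Go sketch below builds a self-signed certificate the way the thread uses one (the same file is both server certificate and trusted CA), then verifies it against the name the client dials. The function names selfSigned and checkAs are hypothetical, the names "ABC" and "myhost" come from the thread, and current Go releases match only subjectAltName entries, so the example sets DNSNames as well as the CN.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned returns a throwaway self-signed certificate issued for name (CN and SAN).
func selfSigned(name string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // subjectAltName: what the client matches against
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkAs verifies cert as a client that trusts only this cert and dials host.
func checkAs(cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	for _, name := range []string{"ABC", "myhost"} {
		cert, err := selfSigned(name)
		if err != nil {
			panic(err)
		}
		fmt.Printf("cert issued for %q, client dials myhost: %v\n", name, checkAs(cert, "myhost"))
	}
}
```

With openssl req, the matching settings are -subj "/CN=myhost" plus -addext "subjectAltName=DNS:myhost" (OpenSSL 1.1.1 or later), where myhost is the name used in the Filebeat hosts entry.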
