Error after upgrading to ELK 5


(Gurkan) #1

Hi,

I've upgraded to ELK 5 so now everything is in the 5 version but after the upgrade ELK stopped receiving logs
when I put this command
curl -XGET 'http://localhost:9200/filebeat-*/_search?pretty'

I'm getting a hit but nothing shows up on Kibana
I checked my logs and it says
ERR Connecting error publishing events (retrying): dial tcp 192.168.154.100:5044: getsockopt: connection refused

My config for beats is like this:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

#pfSense
#tcp syslog stream via 5140
input {
  tcp {
    type => "syslog"
    port => 5140
  }
}
#udp syslog stream via 5140
input {
  udp {
    type => "syslog"
    port => 5140
  }
}

and my filebeat.yml looks like this

filebeat:
  prospectors:
    -
      paths:
      - /var/log/secure
      - /var/log/messages
      document_type: syslog
    -
      paths:
      - /var/log/yum.log
      document_type: yumlog

    -
      paths:
      - /var/log/nginx/access.log
      document_type: nginx-access

    -
      paths:
      - /var/log/httpd/access_log
      document_type: apache-access

    -
      paths:
      - /var/log/cron
      document_type: cronlog

    -
      paths:
      - /var/log/audit/audit.log
      document_type: auditlog

    -
      paths:
      - /var/log/maillog
      document_type: maillog



  registry_file: /var/lib/filebeat/registry

It was working fine before but now it doesn't and I just don't get why?


(Magnus Bäck) #2

Does Logstash start up properly? Have you looked in the Logstash log? Does it actually listen on port 5044?


(Gurkan) #3

@magnusbaeck Thanks for the reply,
Yes it does, I checked with systemctl status logstash and it says active.
I also looked at the log files of logstash but I don't know how I can see which port it is listening to, however it worked before I updated it.
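
Added example, not part of any post in this thread: one way to answer the question from #2 and #3, whether anything is listening on the Beats port and on which address. It parses `ss -ltn` output; the sample listing is constructed, and the function names (listeners, classify, sample_ss) are hypothetical.

```shell
#!/bin/sh
# "active" in systemctl only says the process runs; it does not prove the
# beats input bound its port. Live usage:  ss -ltn | classify 5044

# listeners PORT: read `ss -ltn` output on stdin and print the local
# address of every socket in LISTEN state bound to PORT.
listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")            # column 4 is local address:port
      if (parts[n] == port)
        print substr($4, 1, length($4) - length(parts[n]) - 1)
    }'
}

# classify PORT: read `ss -ltn` output on stdin and print
#   none       nothing listens; clients see "connection refused"
#   loopback   bound only to 127.x / ::1; remote shippers are refused
#   reachable  bound to a wildcard or a non-loopback address
classify() {
  addrs=$(listeners "$1")
  if [ -z "$addrs" ]; then
    echo none
  elif echo "$addrs" |
       grep -Evq '^(127\.[0-9.]+|\[?::1\]?|\[?::ffff:127\.[0-9.]+\]?)$'; then
    echo reachable
  else
    echo loopback
  fi
}

# Constructed sample resembling the situation in the thread: the syslog
# input (5140) is up, Elasticsearch (9200) is loopback-only, 5044 is absent.
sample_ss() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:22                *:*
LISTEN 0      128    127.0.0.1:9200      *:*
LISTEN 0      128    :::5140             :::*
EOF
}

for p in 5044 9200 5140; do
  printf '%s: %s\n' "$p" "$(sample_ss | classify "$p")"
done
```

A result of none for 5044 while the service is active points at the beats input failing to start, so the Logstash log is the next place to look.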

