Error in Filebeat

AHK · March 18, 2017, 8:10pm

Hello,
I am trying to learn how to install & use ELK Stack on Centos7
I have installed JAVA and every thing according to this link

now on my Server every thing is running fine, and when i test
systemctl status logstash
i got this response
logstash.service - LSB: Starts Logstash as a daemon.
Loaded: loaded (/etc/rc.d/init.d/logstash; bad; vendor preset: disabled)
Active: active (exited) since Sat 2017-03-18 15:55:18 EDT; 7min ago
Docs: man:systemd-sysv-generator(8)

Mar 18 15:55:18 srv.xxx.biz systemd[1]: Starting LSB: Starts Logstash as a daemon....
Mar 18 15:55:18 srv.xxx.biz logstash[5774]: logstash started.
Mar 18 15:55:18 srv.xxx.biz systemd[1]: Started LSB: Starts Logstash as a daemon..

ON client machine i install Filebeat and start service but its not sending LOGS, so when i use this command

[root@srv1 ~]# systemctl status filebeat
● filebeat.service - filebeat
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2017-03-18 15:56:03 EDT; 8min ago
Docs: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
Main PID: 1586 (filebeat)
CGroup: /system.slice/filebeat.service
└─1586 /usr/bin/filebeat -c /etc/filebeat/filebeat.yml

Mar 18 15:56:03 srv1.xxx.biz systemd[1]: Started filebeat.
Mar 18 15:56:03 srv1.xxx.biz systemd[1]: Starting filebeat...
Mar 18 15:56:03 srv1.xxx.biz /usr/bin/filebeat[1586]: transport.go:125: SSL client failed to connect with: dial tcp xxx.xxx.242.35:5044: getsockopt: connection refused
[root@srv1 ~]#

even i use insecure: true option in config file as bellow

filebeat:
prospectors:
-
paths:
- /var/log/secure
- /var/log/messages
# - /var/log/*.log

  input_type: log

  document_type: syslog

registry_file: /var/lib/filebeat/registry

output:
logstash:
hosts: ["xxx.xxx.242.35:5044"]
bulk_max_size: 1024

tls:
  #certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
  insecure: true

shipper:

logging:
files:
rotateeverybytes: 10485760 # = 10MB

i also follow this link

gist.github.com

https://gist.github.com/andrewkroh/fdc7e5f3f0f0ed63a11c

beats-logstash-tls.md

# Using TLS between Beats and Logstash

![Beats to Logstash over TLS](https://s15.postimg.org/4yn9n2l1n/beats_logstash_tls.png)

The purpose of this document is to help with configuring and troubleshooting
using TLS on the connection between Beats and Logstash.

## Configuration

You must configure TLS on both the client and server to make this work. This

This file has been truncated. show original

and test my connection with this command

curl -v --cacert logstash-forwarder.crt https://xxx.xxx.242.35:5044

on both Server and Client i got this error
Failed connect to xxx.xxx.242.35:5044; Connection refused

when i try to use telnet command from client server
telnet xxx.xxx.242.35 5044
I got this error
telnet: connect to address xxx.xxx.242.35: Connection refused

also when i check in my server sudo netstat -plnt
I see this output
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5601 0.0.0.0:* LISTEN 4521/node
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4750/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 882/sshd
tcp6 0 0 :::111 :::* LISTEN 795/rpcbind
tcp6 0 0 ::1:9200 :::* LISTEN 4369/java
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 4369/java
tcp6 0 0 ::1:9300 :::* LISTEN 4369/java
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 4369/java
tcp6 0 0 :::22 :::* LISTEN 882/sshd

how can i fix this issue...
I try my best from 2 days but no Luck...
Thanks

ruflin · March 20, 2017, 11:33am

There definitively seems to be an issue between with the connection between filebeat and LS. Which versions of Filebeat, Logstash, Elasticsearch are you using?

I strongly recommend you to follow the getting started here as it is up-to-date with all the recent changes: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-getting-started.html

Michael_TRAN · March 20, 2017, 1:17pm

Hello,

I have this error with my filebeat service status too. But when I edit my logstash configuration file, filebeat is working again. Could you check that and tell me if you have the same issue ?

Thanks.
Michael

steffens · March 27, 2017, 5:25pm

Please properly format your posts (It's that unreadable, I just skimmed it). Use the </>-button for logs and configurations.

which Logstash and Filebeat version are you using? Do they match the blog-post versions? In 5.0 the SSL/TLS settings must use the ssl namespace, but you're using tls.

system · April 24, 2017, 5:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.