Error in Filebeat

Hello,
I am trying to learn how to install & use ELK Stack on Centos7
I have installed JAVA and every thing according to this link

now on my Server every thing is running fine, and when i test
systemctl status logstash
i got this response
logstash.service - LSB: Starts Logstash as a daemon.
Loaded: loaded (/etc/rc.d/init.d/logstash; bad; vendor preset: disabled)
Active: active (exited) since Sat 2017-03-18 15:55:18 EDT; 7min ago
Docs: man:systemd-sysv-generator(8)

Mar 18 15:55:18 srv.xxx.biz systemd[1]: Starting LSB: Starts Logstash as a daemon....
Mar 18 15:55:18 srv.xxx.biz logstash[5774]: logstash started.
Mar 18 15:55:18 srv.xxx.biz systemd[1]: Started LSB: Starts Logstash as a daemon..

ON client machine i install Filebeat and start service but its not sending LOGS, so when i use this command

[root@srv1 ~]# systemctl status filebeat
● filebeat.service - filebeat
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2017-03-18 15:56:03 EDT; 8min ago
Docs: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
Main PID: 1586 (filebeat)
CGroup: /system.slice/filebeat.service
└─1586 /usr/bin/filebeat -c /etc/filebeat/filebeat.yml

Mar 18 15:56:03 srv1.xxx.biz systemd[1]: Started filebeat.
Mar 18 15:56:03 srv1.xxx.biz systemd[1]: Starting filebeat...
Mar 18 15:56:03 srv1.xxx.biz /usr/bin/filebeat[1586]: transport.go:125: SSL client failed to connect with: dial tcp xxx.xxx.242.35:5044: getsockopt: connection refused
[root@srv1 ~]#

even i use insecure: true option in config file as bellow

filebeat:
prospectors:
-
paths:
- /var/log/secure
- /var/log/messages
# - /var/log/*.log

  input_type: log

  document_type: syslog

registry_file: /var/lib/filebeat/registry

output:
logstash:
hosts: ["xxx.xxx.242.35:5044"]
bulk_max_size: 1024

tls:
  #certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
  insecure: true

shipper:

logging:
files:
rotateeverybytes: 10485760 # = 10MB

i also follow this link

and test my connection with this command

curl -v --cacert logstash-forwarder.crt https://xxx.xxx.242.35:5044

on both Server and Client i got this error
Failed connect to xxx.xxx.242.35:5044; Connection refused

when i try to use telnet command from client server
telnet xxx.xxx.242.35 5044
I got this error
telnet: connect to address xxx.xxx.242.35: Connection refused

also when i check in my server sudo netstat -plnt
I see this output
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5601 0.0.0.0:* LISTEN 4521/node
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4750/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 882/sshd
tcp6 0 0 :::111 :::* LISTEN 795/rpcbind
tcp6 0 0 ::1:9200 :::* LISTEN 4369/java
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 4369/java
tcp6 0 0 ::1:9300 :::* LISTEN 4369/java
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 4369/java
tcp6 0 0 :::22 :::* LISTEN 882/sshd

how can i fix this issue...
I try my best from 2 days but no Luck...
Thanks

There definitively seems to be an issue between with the connection between filebeat and LS. Which versions of Filebeat, Logstash, Elasticsearch are you using?

I strongly recommend you to follow the getting started here as it is up-to-date with all the recent changes: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-getting-started.html

Hello,

I have this error with my filebeat service status too. But when I edit my logstash configuration file, filebeat is working again. Could you check that and tell me if you have the same issue ?

Thanks.
Michael

Please properly format your posts (It's that unreadable, I just skimmed it). Use the </>-button for logs and configurations.

which Logstash and Filebeat version are you using? Do they match the blog-post versions? In 5.0 the SSL/TLS settings must use the ssl namespace, but you're using tls.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.