"Failed to connect" error

Elastic Stack Beats
1

Hello!
I've used ELK stack with filebeat on docker. There are my config file.
elasticsearch.yml:

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0

kibana.yml:

server.port: 5601
server.host: "127.0.0.1"
xpack.security.enabled: false
xpack.reporting.encryptionKey: "smth"
elasticsearch.username: "user1"
elasticsearch.password: "smth"

logstashpipeline.yml:

input {
  beats {
    port => [5044]
  }
}
output {
  elasticsearch {
    hosts => "127.0.0.1:9200"
    index => "docker-one"
    manage_template => false
  }
}

filebeat.yml:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /testvar/*log
    - /testvar/**/*log

output.elasticsearch:
  hosts: ["127.0.0.1:9200"]

setup.kibana:
  host: "127.0.0.1:5601"

When I' ve run docker by command

docker run -it --user=root -v /dockerfilebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml -v /var/log:/testvar docker.elastic.co/beats/filebeat:6.3.1

I've got errors like:

2018-08-13T13:33:04.376Z	ERROR	pipeline/output.go:74	Failed to connect: dial tcp 127.0.0.1:5044: getsockopt: connection refused

How can I escape this problem?

2

What is your full setup with all config files and debug logs? In your filebeat.yml I can see that you are sending events to Elasticsearch. However, in your Logstash config you are expecting events from Beats. Also, the error message you shared says that you are trying to connect to port 5044 which is the "default Logstash" port. But I can't see anything about sending events to Logstash in your Beats config. Are you sure these are the config files you are actually running?

3

I've made a mistake. Actually my filebeat.yml is same exept output:

output.logstash:
  hosts: ["127.0.0.1:5044"]
4

Are you sure Logstash is running and reachable by Filebeat? Have you checked these contitions? https://www.elastic.co/guide/en/beats/filebeat/current/faq.html#connection-problem

5

I've just checked my ports:

root@user-VirtualBox:~# telnet 127.0.0.1 5044
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.

Situation is same for 5601(Kibana) and 9200 (ElasticSearch)

6

Could you share the debug logs of Logstash and Beats?

8

Are ES, LS and FB in the same Docker image? If not have you exposed the correct ports?

9

No, ES and LS installed on the Ubuntu 16.04 on virtual machine. And Docker started by docker image. I don't expose any ports for this image.

10

Could you tell me more about the setup? Are LS and ES on the same VM? Is Filebeat hosted on a separate VM?

11

Of course. LS and ES work on the same VM. On that machine I starting Docker image of FB.

12

Have you configured the networking of the container to make sure you can reach the localhost of the host machine? To me it seems like a Docker issue, not ELKB problem.

After searching on the internet, I discovered this question on SO: https://stackoverflow.com/questions/24319662/from-inside-of-a-docker-container-how-do-i-connect-to-the-localhost-of-the-mach According to the solution here, you need to add --net=host to the docker command you run. This lets your container to connect to the host's localhost.

1 Like
13

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.