Failed to perform any bulk index operations: Post "http://my_elastic_ip/_bulk": EOF

ElasticLiver · January 22, 2024, 10:16pm

Hi, Im getting this errors in filebeat

Jan 22 18:56:38 proxy-120 filebeat[15099]: 2024-01-22T18:56:38.420-0300        ERROR        [elasticsearch]        elasticsearch/client.go:226        failed to perform any bulk index operations: Post "http://my_elastic_ip:9200/_bulk": EOF
Jan 22 18:56:38 proxy-120 filebeat[15099]: 2024-01-22T18:56:38.420-0300        INFO        [publisher]        pipeline/retry.go:219        retryer: send unwait signal to consumer
Jan 22 18:56:38 proxy-120 filebeat[15099]: 2024-01-22T18:56:38.420-0300        INFO        [publisher]        pipeline/retry.go:223          done
Jan 22 18:56:40 proxy-120 filebeat[15099]: 2024-01-22T18:56:40.331-0300        ERROR        [publisher_pipeline_output]        pipeline/output.go:180        failed to publish events: Post "http://my_elastic_ip:9200/_bulk": EOF

-no firewall , no selinux in the machines
-I can curl to elastic, create index via curl, bulk indexing via curl from the filebeat machine
-test data arriving filebeat with stdout ouput

this is my conf in filebeat.yml

filebeat.inputs:
- type: filestream
  enabled: false
  paths:
    - /var/log/*.log

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

output.elasticsearch:
  hosts: ["my_elastic_ip:9200"]
  username: "elastic"
  password: "my_pass"
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded

netflow module:

- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 0.0.0.0
      netflow_port: 2055

      internal_networks:
        - private

Any ideas?
thanks!

strawgate · January 22, 2024, 11:20pm

I've seen this behavior before when the bulk request is interrupted. EOF means the network socket was closed prematurely, when it was expecting more data.

Do you have a network firewall or proxy between the device and the elasticsearch node?

It looks like you're not using https, you should be able to capture a tcpdump and see if it's the client or server closing the connection prematurely.

Can you attempt to do a large _bulk request from the client to the server?

ElasticLiver · January 23, 2024, 4:16pm

Hi, It was a networking problem, your answer help us to reach te solution, thanks!

system · February 20, 2024, 6:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
File Beat to Elasticsearch unable to publish Events Beats filebeat	8	310	March 26, 2024
Beats error: POST _bulk EOF after upgrade from 6.5.4 to 7.2.0 Beats	1	1136	July 28, 2019
Connection error between filebeat server and elasticsearch server: EOF error Beats filebeat	7	6026	July 16, 2018
Filebeat failed to publish events: temporary bulk send failure Beats docker , filebeat	2	839	December 5, 2021
Pipeline/output.go:121 Failed to publish events: temporary bulk send failure Beats filebeat	1	1795	May 8, 2019

Failed to perform any bulk index operations: Post "http://my_elastic_ip/_bulk": EOF

Related topics