Failed to publish events

I have set up packetbeat on a single client workstation alongside winlogbeat. When running packetbeat it doesn't seem to send the data through to my logstash server. These are the errors I get:

  • ERR Failed to publish events caused by: read tcp 10.112.70.96:57164->10.112.7.76:5044: wsarecv: An existing connection was forcibly closed by the remote host.
  • ERR Connecting error publishing events (retrying): dial tcp 10.112.7.76:5044: connectex: No connection could be made because the target machine actively refused it.

Winlogbeat has started to show the same error, but its events seem to be written OK to Elasticsearch.

This is my logstash config:

input {
  # Beats input: both Winlogbeat and Packetbeat ship to this port
  beats {
    port => 5044
  }
}

filter {
  # Only Winlogbeat events carry event_id; map the ID to a readable name
  if [event_id] > 0 {
    translate {
      dictionary => [
        "4624", "Successful Logon",
        "4625", "Failed Logon",
        "4648", "A logon was attempted using explicit credentials",
        "4720", "A user account was created",
        "4722", "A user account was enabled",
        "4723", "An attempt was made to change an account's password",
        "4724", "An attempt was made to reset an account's password",
        "4725", "A user account was disabled",
        "4726", "A user account was deleted",
        "4738", "A user account was changed",
        "4740", "A user account was locked out",
        "4767", "A user account was unlocked",
        "4781", "The name of an account was changed",
        "4782", "The password hash of an account was accessed"
      ]
      field => "event_id"
      destination => "Event_Translation"
    }
  }
}

output {
  elasticsearch {
    hosts => "ABZELK02:9200"
    manage_template => false
    # one index per beat per month, e.g. winlogbeat-2017.06 / packetbeat-2017.06
    index => "%{[@metadata][beat]}-%{+YYYY.MM}"
    document_type => "%{[@metadata][type]}"
  }
}

Here is my Packetbeat config file:

# index of the capture interface (see 'packetbeat devices')
packetbeat.interfaces.device: 1

packetbeat.flows:
  timeout: 30s
  period: 10s

packetbeat.protocols.icmp:
  enabled: true

packetbeat.protocols.amqp:
  ports: [5672]

packetbeat.protocols.cassandra:
  ports: [9042]

packetbeat.protocols.dns:
  ports: [53]
  include_authorities: true
  include_additionals: true

packetbeat.protocols.http:
  ports: [80, 8080, 8000, 5000, 8002]

packetbeat.protocols.memcache:
  ports: [11211]

packetbeat.protocols.mysql:
  ports: [3306]

packetbeat.protocols.pgsql:
  ports: [5432]

packetbeat.protocols.redis:
  ports: [6379]

packetbeat.protocols.thrift:
  ports: [9090]

packetbeat.protocols.mongodb:
  ports: [27017]

packetbeat.protocols.nfs:
  ports: [2049]

tags: ["PacketBeat-Test"]

# ship to the Logstash beats input rather than directly to Elasticsearch
output.logstash:
  hosts: ["10.112.7.76:5044"]

Sounds like something is blocking the connection. Is there a firewall blocking the connection? Are you sure Logstash is running and listening (what does sudo netstat -anp | grep 5044 show on the Logstash side?).

Thanks for getting back to me.

The firewall was my first thought as well but if it was blocking it I wouldn't expect to see any of the winlogbeat stuff getting through. I'm running just a single ELK server on Server 2012 and couldn't see anything connecting on 5044 in netstat.

Here is a dump from netstat: https://pastebin.com/Q1Zexccw

Are you sure Logstash is running? There should be a listening socket on 5044 if Logstash is running.

Yeah 100% sure, I have events being logged with the logstash translate function:

If it's not listening on 5044 then I would double check that it's running the config file with the beats input defined and look through the Logstash logs to see if there are any issues.
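Checking both ends of the Beats-to-Logstash connection, as an added PowerShell script that is not from the original thread: the host and port are taken from the posted configs, the function names are my own, and the Net* cmdlets assume Windows Server 2012 / Windows 8 or later (the connect test itself uses TcpClient so it also runs where Test-NetConnection is unavailable). "Actively refused" means the host answered with a RST because nothing is listening on the port; "forcibly closed" means the connection was accepted and then dropped, which points at the Logstash process or pipeline rather than at the network.

```powershell
# Added troubleshooting script, not part of the original thread.
# Assumptions: the Logstash host and Beats port are those shown in the posts
# above; Get-NetTCPConnection / Get-NetFirewall* need Windows Server 2012 or later.
param(
    [string]$LogstashHost = "10.112.7.76",
    [int]$Port = 5044
)

# Run on the Logstash server: is anything LISTENING on the Beats port, and
# which process owns it? No listener here is what produces "actively refused"
# on the Beats side.
function Get-BeatsListener {
    param([int]$Port)
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    if ($listeners.Count -eq 0) {
        Write-Output "No LISTENING socket on TCP/$Port : Logstash is down, or the loaded pipeline has no 'beats { port => $Port }' input."
        return
    }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ("LISTENING {0}:{1}  PID {2} ({3})" -f $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
    }
}

# Run on the Logstash server: which enabled inbound firewall rules are scoped
# to the Beats port, and do they allow or block it?
function Get-BeatsFirewallRule {
    param([int]$Port)
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Enabled, Action, Profile
}

# Run on the Beats client: a plain TCP connect, classified the same way the
# Beats error messages are.
function Test-BeatsPort {
    param([string]$TargetHost, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
        Write-Output "Connected to ${TargetHost}:${Port}. The port is open; if events still fail with 'forcibly closed', check the Logstash logs for the pipeline crashing or restarting."
        return $true
    } catch {
        # PowerShell wraps .NET exceptions; walk down to the SocketException.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.Sockets.SocketException])) { $ex = $ex.InnerException }
        $code = if ($ex) { $ex.SocketErrorCode } else { 'Unknown' }
        switch ("$code") {
            'ConnectionRefused' { Write-Output "Refused: the host answered but nothing is listening on $Port (this is the 'actively refused' error)." }
            'TimedOut'          { Write-Output "Timed out: a firewall is dropping the SYN, or the host is unreachable." }
            default             { Write-Output "Socket error: $code" }
        }
        return $false
    } finally {
        $client.Close()
    }
}

# Usage. On the Logstash server:
#   Get-BeatsListener -Port $Port; Get-BeatsFirewallRule -Port $Port
# On the Beats client:
#   Test-BeatsPort -TargetHost $LogstashHost -Port $Port
```

If Get-BeatsListener shows no listener while Logstash is running, the pipeline Logstash actually loaded is not the one with the beats input (wrong -f path or config directory), or the input failed at startup; the Logstash log will say which.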
