FB connection timed out

I am struggling so badly with this issue. I am trying to use filebeat to send logs to logstash and I get this kind of error:

2018-02-10T04:27:51.356+0100    INFO    [monitoring]    log/log.go:124  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":5550,"time":5554},"total":{"ticks":14330,"time":14334,"value":14330},"user":{"ticks":8780,"time":8780}},"info":{"ephemeral_id":"8fe71630-faed-4$
2018-02-10T04:28:21.355+0100    INFO    [monitoring]    log/log.go:124  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":5550,"time":5557},"total":{"ticks":14350,"time":14360,"value":14350},"user":{"ticks":8800,"time":8803}},"info":{"ephemeral_id":"8fe71630-faed-4$
2018-02-10T04:28:28.014+0100    ERROR   pipeline/output.go:74   Failed to connect: dial tcp getsockopt: connection timed out

I have 3 servers. One hosts ELS and LS, and two others are clients. One of the clients is sending logs correctly and another does not.
The difference between both clients is that the one working fine runs on Debian 9 whereas the failing one runs on Centos 7. LS and ELS are hosted on Debian 8

Filebeat config on both clients:

  # The Logstash hosts
 hosts: ["myserverip:5044"]

LS config:

input {
     beats {
       port => 5044
       ssl => false
       ssl_certificate => "/etc/ssl/logstash/logstash.crt"
       ssl_key => "/etc/ssl/logstash/logstash.key"

output {
  elasticsearch {
    hosts => localhost
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  stdout {
    codec => rubydebug

filter {
      grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
      geoip {
         source => "clientip"

No SSL, all ELS, LS and FB are latest versions: 6.x

Any help?

As I could not find a solution, I removed LS and used FB and ELS directly. It seems to work just fine.

If you're still interested in figuring it out, can you try from the Filebeat machine:

filebeat test output

And give us the result?

1 Like

Thanks Tudor! I have abandoned LS for, and I noticed that I would have had to leave it anyway due to other applications that need to connect to ELS directly from remote.

Thanks again for your kind intervention.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.