Filebeat 5.x can't send logs to Logstash (SSL and EOF)

Mohammad_Mahzoun · October 17, 2016, 6:53pm

I Have filebeat on one server and logstash on another server. I checked the certificates and they are correct. also logstash is running on 5044. but filebeat can't send anything and this is the log:

2016-10-17T14:50:09-04:00 INFO No non-zero metrics in the last 30s
2016-10-17T14:50:12-04:00 ERR Failed to publish events caused by: EOF
2016-10-17T14:50:12-04:00 INFO Error publishing events (retrying): EOF
2016-10-17T14:50:39-04:00 INFO Non-zero metrics in the last 30s:     libbeat.logstash.publish.write_bytes=253     libbeat.logstash.call_count.PublishEvents=1  libbeat.logstash.publish.read_errors=1 libbeat.logstash.published_but_not_acked_events=2045

what should i do?

andrewkroh · October 17, 2016, 6:56pm

Have you done this test with curl from the Filebeat host? What was the output?

Please share the configuration for Logstash and Filebeat. What OSes? What versions?

Mohammad_Mahzoun · October 17, 2016, 7:17pm

this is filebeat.yml

  output:
  logstash:
   enabled: true
hosts: ["<ip>:5044"]
worker: 1
tls:
  certificate_authorities: ["/etc/pki/tls/certs/logstash-beats.crt"]
  certificate: ["/etc/pki/tls/certs/logstash-beats.crt"]
  certificate_key: ["/etc/pki/tls/private/logstash-beats.keys"]

timeout: 15

 filebeat:
 prospectors:
-
  paths:
    - /var/log/secure
  document_type: syslog
-
  paths:
    - "/var/log/nginx/*.log"
  document_type: nginx-access

yes i'v done the test and output is :

 * About to connect() to <ip> port 5044 (#0)
*   Trying <ip>...
* Connected to <ip> (<ip>) port 5044 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: <ip>:5044
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host <ip> left intact
curl: (52) Empty reply from server

and this is my logstash config for beats input:

input{
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-beats.crt"
    ssl_key => "/etc/pki/tls/private/logstash-beats.key"
  }
}

Mohammad_Mahzoun · October 17, 2016, 7:20pm

filebeat is filebeat-5.0.0-rc1-x86_64
logstash is 2.4
filebeat is running on centos 7
and logstash on docker container

andrewkroh · October 17, 2016, 7:28pm

Can you please format your config with three backticks (`). (Example: http://oi66.tinypic.com/eu1zph.jpg)

What is your Logstash config?

andrewkroh · October 18, 2016, 1:26am

It looks like the indentation of your config is wrong. It should look like:

output:
  logstash:
    enabled: true
    hosts: ["<ip>:5044"]
    worker: 1
    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-beats.crt"]
      # You haven't enable client authentication in Logstash so these aren't needed.
      #certificate: ["/etc/pki/tls/certs/logstash-beats.crt"]
      #certificate_key: ["/etc/pki/tls/private/logstash-beats.keys"]

Mohammad_Mahzoun · October 18, 2016, 8:45am

I change the config and remove those 2 lines, i still have the problem. everything looks fine but it doesn't work.

steffens · October 18, 2016, 10:50am

Since filebeat 5.0-beta1 the SSL/TLS settings have been changed to be more in line with other projects in the elastic stack. The tls section has been renamed to ssl for example.

Mohammad_Mahzoun · October 18, 2016, 1:27pm

I changed tls to ssl and create a new certificate and now it's ok.
thanks.

system · November 7, 2016, 6:53pm

This topic was automatically closed after 21 days. New replies are no longer allowed.