Filebeat 5.x can't send logs to Logstash (SSL and EOF)

I have Filebeat on one server and Logstash on another server. I checked the certificates and they are correct. Also, Logstash is running on 5044, but Filebeat can't send anything and this is the log:

2016-10-17T14:50:09-04:00 INFO No non-zero metrics in the last 30s
2016-10-17T14:50:12-04:00 ERR Failed to publish events caused by: EOF
2016-10-17T14:50:12-04:00 INFO Error publishing events (retrying): EOF
2016-10-17T14:50:39-04:00 INFO Non-zero metrics in the last 30s:     libbeat.logstash.publish.write_bytes=253     libbeat.logstash.call_count.PublishEvents=1  libbeat.logstash.publish.read_errors=1 libbeat.logstash.published_but_not_acked_events=2045

What should I do?

Have you done this test with curl from the Filebeat host? What was the output?

Please share the configuration for Logstash and Filebeat. What OSes? What versions?

This is filebeat.yml:

  output:
  logstash:
   enabled: true
hosts: ["<ip>:5044"]
worker: 1
tls:
  certificate_authorities: ["/etc/pki/tls/certs/logstash-beats.crt"]
  certificate: ["/etc/pki/tls/certs/logstash-beats.crt"]
  certificate_key: ["/etc/pki/tls/private/logstash-beats.keys"]

timeout: 15

 filebeat:
 prospectors:
-
  paths:
    - /var/log/secure
  document_type: syslog
-
  paths:
    - "/var/log/nginx/*.log"
  document_type: nginx-access

Yes, I've done the test and the output is:

 * About to connect() to <ip> port 5044 (#0)
*   Trying <ip>...
* Connected to <ip> (<ip>) port 5044 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: <ip>:5044
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host <ip> left intact
curl: (52) Empty reply from server

And this is my Logstash config for the beats input:

input{
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-beats.crt"
    ssl_key => "/etc/pki/tls/private/logstash-beats.key"
  }
}

Filebeat is filebeat-5.0.0-rc1-x86_64
Logstash is 2.4
Filebeat is running on CentOS 7
and Logstash in a Docker container

Can you please format your config with three backticks (`)? (Example: http://oi66.tinypic.com/eu1zph.jpg)

What is your Logstash config?

It looks like the indentation of your config is wrong. It should look like:

output:
  logstash:
    enabled: true
    hosts: ["<ip>:5044"]
    worker: 1
    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-beats.crt"]
      # You haven't enabled client authentication in Logstash so these aren't needed.
      #certificate: ["/etc/pki/tls/certs/logstash-beats.crt"]
      #certificate_key: ["/etc/pki/tls/private/logstash-beats.keys"]

I changed the config and removed those 2 lines; I still have the problem. Everything looks fine but it doesn't work.

Since Filebeat 5.0-beta1 the SSL/TLS settings have been changed to be more in line with other projects in the Elastic Stack. The tls section has been renamed to ssl, for example.

I changed tls to ssl and created a new certificate and now it's OK.
thanks.
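
The Filebeat 5.x form of the configuration this thread converges on, written out as an added example (it was not posted by any participant). It reuses the paths and the `<ip>` placeholder from the thread; the client certificate paths are placeholders and only matter if the Logstash beats input is set up to require client certificates.

```yaml
# filebeat.yml for Filebeat 5.x (added example, not a config from the thread)
filebeat.prospectors:
  - input_type: log
    paths:
      - /var/log/secure
    document_type: syslog
  - input_type: log
    paths:
      - "/var/log/nginx/*.log"
    document_type: nginx-access

output.logstash:
  hosts: ["<ip>:5044"]
  worker: 1
  timeout: 15
  # 5.x reads the "ssl" section; the 1.x name was "tls".
  # Without an ssl section Filebeat connects to Logstash without TLS.
  ssl:
    # CA (or the self-signed server certificate) used to verify Logstash.
    certificate_authorities: ["/etc/pki/tls/certs/logstash-beats.crt"]
    # Default verification also checks that the name or IP in "hosts"
    # matches the server certificate, so leave verification_mode at "full".
    #verification_mode: full
    # Client authentication only (placeholders, not paths from the thread).
    # Note the 5.x key name is "key"; in 1.x it was "certificate_key".
    #certificate: "<path to client certificate>"
    #key: "<path to client private key>"
```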