Filebeat 7.10.1 and 7.11.0 not able to send the logs from windows servers to logstash and getting stuck at [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}

Patr123 · March 6, 2021, 2:03am

I installed filebeat v7.10.1 on a windows 2016 server. I am trying to send a log file from that server to logstash server and I am using the beats plugin to parse the data. When I am running the beats config file it getting stuck at [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
Then I tried the same test with v7.11 but it did not work.
Not sure what I am doing wrong here. Any help is appreciated.
Thank you.

This is how my filebeat.yml looks like:

filebeat.inputs:
- type: log
  enabled: true

  paths:
   # - /var/log/*.log
   - e:\test1\test2\path3\path4\access.todays_date.txt"

# filestream is an experimental input. It is going to replace log input in the future.
- type: filestream

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    # - /var/log/*.log
    # - c:\programdata\elasticsearch\logs\*

# ================================== Outputs ===================================
# Configure what output to use when sending the data collected by the beat.
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.1.5:5044"]
# ================================== Logging ===================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
logging.level: debug

myfilebeat.conf looks like this:

        beats {
            port => 5044
              }
    }
 output{
        stdout{codec => rubydebug}
          }

stephenb · March 6, 2021, 2:38am

Hi @Patr123 Welcome to the community

A couple things

Looks like you have some bad yaml.

  paths:
   # - /var/log/*.log
   - e:\test1\test2\path3\path4\access.todays_date.txt" <---- Extra "

If you look at the filebeat startup logs you I suspect you will see an error.

you can test that with

PS > .\filebeat.exe test config -c .\filebeat.yml

or even just run in the foreground and test

PS > .\filebeat.exe -c filebeat.yml -e -v -d "*"

Keep in mind that Filebeat will only read that test log file once so if you want to repeat the test you will need to clean out the registry in the filebeat data directory or add new content to the file.

Patr123 · March 6, 2021, 3:24am

Hello Stephenb,
Thank you for replying.

Removed the extra " at the:

paths:
   # - /var/log/*.log
   - e:\test1\test2\path3\path4\access.todays_date.txt

When I ran:
PS > .\filebeat.exe -c filebeat.yml -e -v -d "*"
I get this in loop:

2021-03-05T22:05:18.043-0500    INFO    [crawler]       beater/crawler.go:141   Starting input (ID: 10577157488803903860)
2021-03-05T22:05:18.044-0500    INFO    [crawler]       beater/crawler.go:108   Loading and starting Inputs completed. Enabled inputs: 1
2021-03-05T22:05:18.044-0500    DEBUG   [input] log/input.go:205        Start next scan
2021-03-05T22:05:18.084-0500    DEBUG   [input] log/input.go:226        input states cleaned up. Before: 0, After: 0, Pending: 0
2021-03-05T22:05:28.094-0500    DEBUG   [input] input/input.go:139      Run input
2021-03-05T22:05:28.094-0500    DEBUG   [input] log/input.go:205        Start next scan
2021-03-05T22:05:28.102-0500    DEBUG   [input] log/input.go:226        input states cleaned up. Before: 0, After: 0, Pending: 0
2021-03-05T22:05:38.104-0500    DEBUG   [input] input/input.go:139      Run input
2021-03-05T22:05:38.104-0500    DEBUG   [input] log/input.go:205        Start next scan
2021-03-05T22:05:38.109-0500    DEBUG   [input] log/input.go:226        input states cleaned up. Before: 0, After: 0, Pending: 0

I did not clear the registry but added a new log file. Running the following command
/usr/share/logstash/bin/logstash -f myfilebeat.conf
got stuck at the same point:

[INFO ] 2021-03-06 03:14:54.321 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>0.92}
[INFO ] 2021-03-06 03:14:54.349 [[main]-pipeline-manager] beats - Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[INFO ] 2021-03-06 03:14:54.378 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2021-03-06 03:14:54.519 [[main]<beats] Server - Starting server on port: 5044
[INFO ] 2021-03-06 03:14:54.536 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[INFO ] 2021-03-06 03:14:54.846 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}

stephenb · March 6, 2021, 3:33am

The Logstash looks fine it is just not getting an input.

You did not show the beginning of the filebeat logs ... It should show you what is trying to harvest, it does not look like it is harvesting any logs. Show the startup logs for filebeat from the beginning

Also you did not show where filebeat established the connection to Logstash

Patr123 · March 6, 2021, 5:16am

This is the output file from the top. I am dividing it into two parts as the character limit is 13000.
This time I cleared the log.json file contents from the /data/registry/filebeat folder and ran the command again. For some reason its not connecting to the logstash IP. From Windows server I can telnet to logstash IP on port 5044 so it can connect.

PS D:\filebeat-7.10.1-windows-x86_64> .\filebeat.exe -c filebeat.yml -e -v -d "*"
2021-03-05T23:56:03.401-0500    INFO    instance/beat.go:645    Home path: [D:\filebeat-7.10.1-windows-x86_64] Config path: [D:\filebeat-7.10.1-windows-x86_64] Data path: [D:\filebeat-7.10.1-windows-x86_64\data] Logs path: [D:\filebeat-7.10.1-windows-x86_64\logs]
2021-03-05T23:56:03.401-0500    DEBUG   [beat]  instance/beat.go:697    Beat metadata path: D:\filebeat-7.10.1-windows-x86_64\data\meta.json
2021-03-05T23:56:03.404-0500    INFO    instance/beat.go:653    Beat ID: 51ef803b-10bb-46e5-94b9-db6444fb4280
2021-03-05T23:56:03.404-0500    DEBUG   [seccomp]       seccomp/seccomp.go:96   Syscall filtering is only supported on Linux
2021-03-05T23:56:03.404-0500    INFO    [beat]  instance/beat.go:981    Beat info       {"system_info": {"beat": {"path": {"config": "D:\\filebeat-7.10.1-windows-x86_64", "data": "D:\\filebeat-7.10.1-windows-x86_64\\data", "home": "D:\\filebeat-7.10.1-windows-x86_64", "logs": "D:\\filebeat-7.10.1-windows-x86_64\\logs"}, "type": "filebeat", "uuid": "51ef803b-10bb-46e5-94b9-db6444fb4280"}}}
2021-03-05T23:56:03.405-0500    INFO    [beat]  instance/beat.go:990    Build info      {"system_info": {"build": {"commit": "1da173a9e716715a7a54bb3ff4db05b5c24fc8ce", "libbeat": "7.10.1", "time": "2020-12-04T23:27:16.000Z", "version": "7.10.1"}}}
2021-03-05T23:56:03.405-0500    INFO    [beat]  instance/beat.go:993    Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":4,"version":"go1.14.12"}}}
2021-03-05T23:56:03.409-0500    INFO    [beat]  instance/beat.go:997    Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-01-20T12:59:14.53-05:00","name":"server1","ip":["1.2.3.4/23","::1/128","127.0.0.1/8"],"kernel_version":"10.0.14393.3750 (rs1_release.200601-1853)","mac":["00:50:56:a8:ab:15"],"os":{"family":"windows","platform":"windows","name":"Windows Server 2016 Standard","version":"10.0","major":10,"minor":0,"patch":0,"build":"14393.3750"},"timezone":"EST","timezone_offset_sec":-18000,"id":"3e16b2f4-cd4c-44eb-b804-d39e87f42ab1"}}}
2021-03-05T23:56:03.409-0500    INFO    [beat]  instance/beat.go:1026   Process info    {"system_info": {"process": {"cwd": "D:\\filebeat-7.10.1-windows-x86_64", "exe": "D:\\filebeat-7.10.1-windows-x86_64\\filebeat.exe", "name": "filebeat.exe", "pid": 8964, "ppid": 14156, "start_time": "2021-03-05T23:56:03.223-0500"}}}
2021-03-05T23:56:03.409-0500    INFO    instance/beat.go:299    Setup Beat: filebeat; Version: 7.10.1
2021-03-05T23:56:03.409-0500    DEBUG   [beat]  instance/beat.go:325    Initializing output plugins
2021-03-05T23:56:03.410-0500    DEBUG   [publisher]     pipeline/consumer.go:148        start pipeline event consumer
2021-03-05T23:56:03.410-0500    INFO    [publisher]     pipeline/module.go:113  Beat name: server1
2021-03-05T23:56:03.413-0500    WARN    beater/filebeat.go:178  Filebeat is unable to load the Ingest Node pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the Ingest Node pipelines or are using Logstash pipelines, you can ignore this warning.
2021-03-05T23:56:03.421-0500    INFO    instance/beat.go:455    filebeat start running.
2021-03-05T23:56:03.421-0500    DEBUG   [service]       service/service_windows.go:93   Windows is interactive: true
2021-03-05T23:56:03.421-0500    INFO    [monitoring]    log/log.go:118  Starting metrics logging every 30s
2021-03-05T23:56:03.421-0500    DEBUG   [test]  registrar/migrate.go:304        isFile(D:\filebeat-7.10.1-windows-x86_64\data\registry) -> false
2021-03-05T23:56:03.421-0500    DEBUG   [test]  registrar/migrate.go:304        isFile() -> false
2021-03-05T23:56:03.421-0500    DEBUG   [test]  registrar/migrate.go:297        isDir(D:\filebeat-7.10.1-windows-x86_64\data\registry\filebeat) -> true
2021-03-05T23:56:03.422-0500    DEBUG   [test]  registrar/migrate.go:304        isFile(D:\filebeat-7.10.1-windows-x86_64\data\registry\filebeat\meta.json) -> true
2021-03-05T23:56:03.422-0500    DEBUG   [registrar]     registrar/migrate.go:84 Registry type '1' found
2021-03-05T23:56:03.424-0500    INFO    memlog/store.go:119     Loading data file of 'D:\filebeat-7.10.1-windows-x86_64\data\registry\filebeat' succeeded. Active transaction id=0
2021-03-05T23:56:03.424-0500    INFO    memlog/store.go:124     Finished loading transaction log file for 'D:\filebeat-7.10.1-windows-x86_64\data\registry\filebeat'. Active transaction id=0
2021-03-05T23:56:03.425-0500    WARN    beater/filebeat.go:381  Filebeat is unable to load the Ingest Node pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the Ingest Node pipelines or are using Logstash pipelines, you can ignore this warning.
2021-03-05T23:56:03.425-0500    INFO    [registrar]     registrar/registrar.go:109      States Loaded from registrar: 0
2021-03-05T23:56:03.425-0500    INFO    [crawler]       beater/crawler.go:71    Loading Inputs: 2
2021-03-05T23:56:03.425-0500    DEBUG   [registrar]     registrar/registrar.go:140      Starting Registrar
2021-03-05T23:56:03.426-0500    DEBUG   [input] log/config.go:207       recursive glob enabled
2021-03-05T23:56:03.426-0500    DEBUG   [input] log/input.go:169        exclude_files: []. Number of states: 0
2021-03-05T23:56:03.426-0500    DEBUG   [input] log/input.go:199        input with previous states loaded: 0
2021-03-05T23:56:03.426-0500    INFO    log/input.go:157        Configured paths: [e:\test1\test2\path3\path4\access.todays_date.txt]
2021-03-05T23:56:03.426-0500    INFO    [crawler]       beater/crawler.go:141   Starting input (ID: 8157258142036696238)
2021-03-05T23:56:03.427-0500    INFO    [crawler]       beater/crawler.go:108   Loading and starting Inputs completed. Enabled inputs: 1
2021-03-05T23:56:03.427-0500    DEBUG   [input] log/input.go:205        Start next scan
2021-03-05T23:56:03.430-0500    DEBUG   [input] log/input.go:439        Check file for harvesting: e:\test1\test2\path3\path4\access.todays_date.txt
2021-03-05T23:56:03.446-0500    DEBUG   [input] log/input.go:512        Start harvester for new file: e:\test1\test2\path3\path4\access.todays_date.txt
2021-03-05T23:56:03.448-0500    DEBUG   [harvester]     log/harvester.go:591    Setting offset for file based on seek: e:\test1\test2\path3\path4\access.todays_date.txt
2021-03-05T23:56:03.448-0500    DEBUG   [harvester]     log/harvester.go:577    Setting offset for file: e:\test1\test2\path3\path4\access.todays_date.txt. Offset: 0
2021-03-05T23:56:03.449-0500    DEBUG   [harvester]     log/harvester.go:652    newLogFileReader with config.MaxBytes: 10485760
2021-03-05T23:56:03.453-0500    DEBUG   [harvester]     log/harvester.go:207    Harvester setup successful. Line terminator: 1
2021-03-05T23:56:03.454-0500    DEBUG   [acker] beater/acker.go:59      stateful ack    {"count": 1}
2021-03-05T23:56:03.455-0500    DEBUG   [registrar]     registrar/registrar.go:264      Processing 1 events
2021-03-05T23:56:03.455-0500    DEBUG   [publisher]     pipeline/client.go:231  Pipeline client receives callback 'onFilteredOut' for event: {Timestamp:0001-01-01 00:00:00 +0000 UTC Meta:null Fields:null Private:{Id:native::3342336-61559-1152169733 PrevId: Finished:false Fileinfo:0xc000153960 Source:e:\test1\test2\path3\path4\access.todays_date.txt Offset:0 Timestamp:2021-03-05 23:56:03.446578 -0500 EST m=+0.197010701 TTL:-1ns Type:log Meta:map[] FileStateOS:3342336-61559-1152169733 IdentifierName:native} TimeSeries:false}
2021-03-05T23:56:03.465-0500    DEBUG   [input] file/states.go:68       New state added for e:\test1\test2\path3\path4\access.todays_date.txt
2021-03-05T23:56:03.466-0500    DEBUG   [harvester]     log/harvester.go:488    Update state: e:\test1\test2\path3\path4\access.todays_date.txt, offset: 0
2021-03-05T23:56:03.467-0500    DEBUG   [registrar]     registrar/registrar.go:231      Registrar state updates processed. Count: 1
2021-03-05T23:56:03.468-0500    DEBUG   [input] file/states.go:68       New state added for e:\test1\test2\path3\path4\access.todays_date.txt
2021-03-05T23:56:03.469-0500    DEBUG   [registrar]     registrar/registrar.go:201      Registry file updated. 1 active states.
2021-03-05T23:56:03.470-0500    DEBUG   [input] log/input.go:226        input states cleaned up. Before: 1, After: 1, Pending: 0
2021-03-05T23:56:03.470-0500    INFO    log/harvester.go:302    Harvester started for file: e:\test1\test2\path3\path4\access.todays_date.txt
2021-03-05T23:56:03.474-0500    INFO    [detect_null_bytes]     debug/debug.go:95       Starting debug reader with a buffer size of 16384 and max failures of 100
2021-03-05T23:56:03.475-0500    DEBUG   [processors]    processing/processors.go:203    Publish event: {
  "@timestamp": "2021-03-06T04:56:03.475Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "7.10.1"
  },
  "host": {
    "name": "server1"
  },
  "agent": {
    "hostname": "server1",
    "ephemeral_id": "53409f34-db51-437e-9891-06015e6066bb",
    "id": "51ef803b-10bb-46e5-94b9-db6444fb4280",
    "name": "server1",
    "type": "filebeat",
    "version": "7.10.1"
  },
  "log": {
    "offset": 0,
    "file": {
      "path": "e:\test1\test2\path3\path4\access.todays_date.txt.txt"
    }
  },
  "message": "10.92.98.102 [05/Mar/2021:02:25:43 -0500] \"GET /notification/notification?store=307 HTTP/1.1\" 101 - \"okhttp/3.9.1\" \"-\"",
  "input": {
    "type": "log"
  },
  "ecs": {
    "version": "1.6.0"
  }
}
2021-03-05T23:56:03.503-0500    DEBUG   [processors]    processing/processors.go:203    Publish event: {
  "@timestamp": "2021-03-06T04:56:03.503Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "7.10.1"
  },
  "log": {
    "file": {
      "path": "e:\test1\test2\path3\path4\access.todays_date.txt.txt"
    },
    "offset": 120
  },
  "message": "10.100.54.60 [05/Mar/2021:02:26:09 -0500] \"GET /notification/notification?store=268 HTTP/1.1\" 101 - \"okhttp/3.9.1\" \"-\"",
  "input": {
    "type": "log"
  },
  "ecs": {
    "version": "1.6.0"
  },
  "host": {
    "name": "server1"
  },
  "agent": {
    "id": "51ef803b-10bb-46e5-94b9-db6444fb4280",
    "name": "server1",
    "type": "filebeat",
    "version": "7.10.1",
    "hostname": "server1",
    "ephemeral_id": "53409f34-db51-437e-9891-06015e6066bb"
  }
}

Patr123 · March 6, 2021, 5:18am

2021-03-05T23:57:13.002-0500    DEBUG   [input] input/input.go:139      Run input
2021-03-05T23:57:13.002-0500    DEBUG   [input] log/input.go:205        Start next scan
2021-03-05T23:57:13.008-0500    DEBUG   [input] log/input.go:439        Check file for harvesting: e:\test1\test2\path3\path4\access.todays_date.txt
2021-03-05T23:57:13.009-0500    DEBUG   [input] log/input.go:530        Update existing file for harvesting: e:\test1\test2\path3\path4\access.todays_date.txt, offset: 495730
2021-03-05T23:57:13.009-0500    DEBUG   [input] log/input.go:582        Harvester for file is still running: e:\test1\test2\path3\path4\access.todays_date.txt
2021-03-05T23:57:13.009-0500    DEBUG   [input] log/input.go:226        input states cleaned up. Before: 1, After: 1, Pending: 0
2021-03-05T23:57:23.009-0500    DEBUG   [input] input/input.go:139      Run input
2021-03-05T23:57:23.009-0500    DEBUG   [input] log/input.go:205        Start next scan
2021-03-05T23:57:23.015-0500    DEBUG   [input] log/input.go:439        Check file for harvesting: e:\test1\test2\path3\path4\access.todays_date.txt
2021-03-05T23:57:23.016-0500    DEBUG   [input] log/input.go:530        Update existing file for harvesting: e:\test1\test2\path3\path4\access.todays_date.txt, offset: 495730
2021-03-05T23:57:23.016-0500    DEBUG   [input] log/input.go:582        Harvester for file is still running: e:\test1\test2\path3\path4\access.todays_date.txt
2021-03-05T23:57:23.016-0500    DEBUG   [input] log/input.go:226        input states cleaned up. Before: 1, After: 1, Pending: 0
2021-03-05T23:57:26.742-0500    ERROR   [publisher_pipeline_output]     pipeline/output.go:154  Failed to connect to backoff(async(tcp://192.168.1.5:5044)): dial tcp 192.168.1.5:5044: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2021-03-05T23:57:26.742-0500    INFO    [publisher_pipeline_output]     pipeline/output.go:145  Attempting to reconnect to backoff(async(tcp://192.168.1.5:5044)) with 1 reconnect attempt(s)
2021-03-05T23:57:26.742-0500    INFO    [publisher]     pipeline/retry.go:219   retryer: send unwait signal to consumer
2021-03-05T23:57:26.749-0500    DEBUG   [logstash]      logstash/async.go:120   connect
2021-03-05T23:57:26.749-0500    INFO    [publisher]     pipeline/retry.go:223     done
2021-03-05T23:57:32.774-0500    INFO    [monitoring]    log/log.go:145  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":359,"time":{"ms":359}},"total":{"ticks":952,"time":{"ms":952},"value":952},"user":{"ticks":593,"time":{"ms":593}}},"handles":{"open":224},"info":{"ephemeral_id":"cf4eafc2-d7e8-4a21-80e3-06eb6a759216","uptime":{"ms":30171}},"memstats":{"gc_next":29812112,"memory_alloc":19798352,"memory_total":110652672,"rss":62140416},"runtime":{"goroutines":31}},"filebeat":{"events":{"active":4117,"added":4118,"done":1},"harvester":{"open_files":1,"running":1,"started":1}},"libbeat":{"config":{"module":{"running":0}},"output":{"type":"logstash"},"pipeline":{"clients":1,"events":{"active":4117,"filtered":1,"published":4116,"retry":585,"total":4118}}},"registrar":{"states":{"current":1,"update":1},"writes":{"success":1,"total":1}},"system":{"cpu":{"cores":4}}}}}
2021-03-05T23:57:33.018-0500    DEBUG   [input] input/input.go:139      Run input
2021-03-05T23:57:33.018-0500    DEBUG   [input] log/input.go:205        Start next scan
2021-03-05T23:57:33.024-0500    DEBUG   [input] log/input.go:439        Check file for harvesting: e:\test1\test2\path3\path4\access.todays_date.txt
2021-03-05T23:57:33.025-0500    DEBUG   [input] log/input.go:530        Update existing file for harvesting: e:\test1\test2\path3\path4\access.todays_date.txt, offset: 495730
2021-03-05T23:57:33.025-0500    DEBUG   [input] log/input.go:582        Harvester for file is still running: e:\test1\test2\path3\path4\access.todays_date.txt
2021-03-05T23:57:33.025-0500    DEBUG   [input] log/input.go:226        input states cleaned up. Before: 1, After: 1, Pending: 0
2021-03-05T23:57:38.722-0500    DEBUG   [service]       service/service.go:65   Received svc stop/shutdown request
2021-03-05T23:57:38.722-0500    INFO    beater/filebeat.go:515  Stopping filebeat
2021-03-05T23:57:38.722-0500    DEBUG   [service]       service/service.go:54   Received sigterm/sigint, stopping
2021-03-05T23:57:38.729-0500    INFO    beater/crawler.go:148   Stopping Crawler
2021-03-05T23:57:38.729-0500    INFO    beater/crawler.go:158   Stopping 1 inputs
2021-03-05T23:57:38.729-0500    INFO    [crawler]       beater/crawler.go:163   Stopping input: 8157258142036696238
2021-03-05T23:57:38.729-0500    INFO    input/input.go:136      input ticker stopped
2021-03-05T23:57:38.729-0500    DEBUG   [harvester]     log/harvester.go:612    Stopping harvester for file: e:\test1\test2\path3\path4\access.todays_date.txt
2021-03-05T23:57:38.730-0500    DEBUG   [harvester]     log/harvester.go:622    Closing file: e:\test1\test2\path3\path4\access.todays_date.txt
2021-03-05T23:57:38.730-0500    DEBUG   [harvester]     log/harvester.go:488    Update state: e:\test1\test2\path3\path4\access.todays_date.txt, offset: 495730
2021-03-05T23:57:38.730-0500    DEBUG   [harvester]     log/harvester.go:633    harvester cleanup finished for file: e:\test1\test2\path3\path4\access.todays_date.txt
2021-03-05T23:57:38.730-0500    DEBUG   [publisher]     pipeline/client.go:158  client: closing acker
2021-03-05T23:57:38.730-0500    DEBUG   [publisher]     pipeline/client.go:163  client: done closing acker
2021-03-05T23:57:38.730-0500    DEBUG   [publisher]     pipeline/client.go:165  client: unlink from queue
2021-03-05T23:57:38.730-0500    DEBUG   [publisher]     pipeline/client.go:187  client: cancelled 0 events
2021-03-05T23:57:38.730-0500    DEBUG   [publisher]     pipeline/client.go:167  client: done unlink
2021-03-05T23:57:38.730-0500    DEBUG   [publisher]     pipeline/client.go:170  client: closing processors
2021-03-05T23:57:38.730-0500    DEBUG   [publisher]     pipeline/client.go:241  Pipeline client receives callback 'onDroppedOnPublish' for event: {Timestamp:2021-03-05 23:57:09.0258765 -0500 EST m=+6.455366601 Meta:null Fields:{"agent":{"ephemeral_id":"cf4eafc2-d7e8-4a21-80e3-06eb6a759216","hostname":"server1","id":"51ef803b-10bb-46e5-94b9-db6444fb4280","name":"server1","type":"filebeat","version":"7.10.1"},"ecs":{"version":"1.6.0"},"host":{"name":"server1"},"input":{"type":"log"},"log":{"file":{"path":"e:\test1\test2\path3\path4\access.todays_date.txt.txt"},"offset":495609},"message":"10.216.94.34 [05/Mar/2021:09:23:16 -0500] \"GET /notification/notification?store=3037 HTTP/1.1\" 101 - \"okhttp/3.9.1\" \"-\""} Private:{Id:native::3342336-61559-1152169733 PrevId: Finished:false Fileinfo:0xc00012c0e0 Source:e:\test1\test2\path3\path4\access.todays_date.txt Offset:495730 Timestamp:2021-03-05 23:57:02.9304002 -0500 EST m=+0.360010001 TTL:-1ns Type:log Meta:map[] FileStateOS:3342336-61559-1152169733 IdentifierName:native} TimeSeries:false}
2021-03-05T23:57:38.730-0500    DEBUG   [publisher]     pipeline/client.go:175  client: done closing processors
2021-03-05T23:57:38.731-0500    INFO    beater/crawler.go:178   Crawler stopped
2021-03-05T23:57:38.731-0500    INFO    [registrar]     registrar/registrar.go:132      Stopping Registrar
2021-03-05T23:57:38.731-0500    INFO    [registrar]     registrar/registrar.go:166      Ending Registrar
2021-03-05T23:57:38.731-0500    DEBUG   [registrar]     registrar/registrar.go:167      Stopping Registrar
2021-03-05T23:57:38.731-0500    INFO    [registrar]     registrar/registrar.go:137      Registrar stopped
2021-03-05T23:57:38.734-0500    INFO    [monitoring]    log/log.go:153  Total non-zero metrics  {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":359,"time":{"ms":359}},"total":{"ticks":952,"time":{"ms":952},"value":952},"user":{"ticks":593,"time":{"ms":593}}},"handles":{"open":222},"info":{"ephemeral_id":"cf4eafc2-d7e8-4a21-80e3-06eb6a759216","uptime":{"ms":36129}},"memstats":{"gc_next":29812112,"memory_alloc":19933760,"memory_total":110788080,"rss":62275584},"runtime":{"goroutines":14}},"filebeat":{"events":{"active":4116,"added":4118,"done":2},"harvester":{"closed":1,"open_files":0,"running":0,"started":1}},"libbeat":{"config":{"module":{"running":0}},"output":{"type":"logstash"},"pipeline":{"clients":0,"events":{"active":4116,"failed":1,"filtered":1,"published":4116,"retry":585,"total":4118}}},"registrar":{"states":{"current":1,"update":1},"writes":{"success":1,"total":1}},"system":{"cpu":{"cores":4}}}}}
2021-03-05T23:57:38.734-0500    INFO    [monitoring]    log/log.go:154  Uptime: 36.1304821s
2021-03-05T23:57:38.734-0500    INFO    [monitoring]    log/log.go:131  Stopping metrics logging.
2021-03-05T23:57:38.735-0500    INFO    instance/beat.go:461    filebeat stopped.
PS D:\filebeat-7.10.1-windows-x86_64>

stephenb · March 6, 2021, 5:42am

Ok from here on out we can run we will see enough. It show the connection.

.\filebeat.exe -c filebeat.yml -e
EDIT fixed command

Yup it's not connecting to Logstash. Are you running the telnet as the same user you are running Filebeat?

And with telnet is accepted the connection?

Patr123 · March 6, 2021, 6:17am

cannot run
filebeat.exe -c filebeat.yml -e
and had to run it as
.\filebeat.exe -c filebeat.yml -e
This gave me a similar output and says cannot connect to logstash output.
I am running the telnet command as the same user as that of Filebeat.
Just for giggles, I ran the telnet command again and it failed. I know it was working before.
Let me check what changed and/or open the needed ports and run the test again. I'll keep you posted.

Patr123 · March 11, 2021, 3:06am

I opened the needed ports and it started working. Thank you for helping me on this.

Topic		Replies	Views
Unable to send logs using Filebeat to Logstash Beats filebeat	12	913	March 22, 2023
Filebeat not sending logs to logstash (port 5044 ) Beats filebeat	18	3396	March 19, 2021
Not sending logs to logstash Beats filebeat	18	2624	February 15, 2018
Sending logs from Filebeat(windows) to Logstash(Linux) Logstash	3	425	June 21, 2023
Filebeat is not sending logs to logstash Logstash	11	12416	July 6, 2017

Filebeat 7.10.1 and 7.11.0 not able to send the logs from windows servers to logstash and getting stuck at [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}

Related topics