Filebeat and logstash not communicating


(Elastic-for-me) #1

I have simplest configuration

I have follwoing on system where log is being shipped from
cat filebeat.yml |grep -v '#' |sed '/^$/d'
filebeat.inputs:

  • type: log
    enabled: true
    paths:
    • /tmp/sensors*.log
      scan_frequency: 10s
      filebeat.config.modules:
      path: ${path.config}/modules.d/*.yml
      reload.enabled: false
      output.logstash:
      hosts: ["elktst01:5044"]
      console:
      pretty: true
      logging.level: debug

I have following on logstash config file.
cat beats.conf |grep -v '#' | sed '/^$/d'
input {
beats {
port => "5044"
}
}

filter {
}

output {
stdout { codec => rubydebug }
}

But nothing is showing up on logstash output.
no output at all.

filebeat says it is harvesting file. but nothing on other side

Both machines are in in same network, both on linux system. no one has firewall setup.
I know I must be missing some tiny stuff somewhere.

This is not working from week now.

I can telnet elktst01 5044 from system where filebeat is running


#2

Your configuration is unreadable. Please edit your post, select the text of the configuration and click on </> in the toolbar above the editing pane.


(Elastic-for-me) #3
indent preformatted text by 4 spaces

(Elastic-for-me) #4

is it now readable?


#5

No. Looks like you quoted it rather than using blockquote (i.e. </>).


(Elastic-for-me) #6

Blockquote
cat filebeat.yml |grep -v '#' |sed '/^$/d'
filebeat.inputs:

-type: log
enabled: true
paths:

  • /tmp/sensors*.log
    scan_frequency: 10s
    filebeat.config.modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false
    output.logstash:
    hosts: ["elktst01:5044"]
    console:
    pretty: true
    logging.level: debug

I have following on logstash config file.
cat beats.conf |grep -v '#' | sed '/^$/d'
input {
beats {
port => "5044"
}
}

filter {
}

output {
stdout { codec => rubydebug }
}


(Elastic-for-me) #7

ok used blockquote. lets see if you can read. it. Since day one I have not figure out how to cut paste with proper formatting on this site.


(Elastic-for-me) #8

I don't like output on logstash server
Starting input listener {:address=>"0.0.0.0:5044"}

why it is starting tcp port on 0.0.0.0 I need that on ip address. may be that is the problem here


(Paul Janzen) #9

Your config is saying "listen to all available ips"

input {
    beats {
        port => "5044"
    }
}

If you add the host parameter you can specify an ip.

input {
    beats {
        host => "<you logstash host ip address>"
        port => "5044"
    }
}

after restarting logstash, you will see listening on the specified ip.

Paul.


(Elastic-for-me) #10

perefect now it is working.

basically I had to do two thing. add host => "hostname" in to logstash conf file
and add IP address in to filebeat.yml

netstat -pan |grep LISTEN |grep 5044 ( now shows up ip_addr:5044)

now I am getting my file transfer over.

Thank you all.


#11

I have seen programs that use 0.0.0.0 to mean "all available IPs that are not part of reserved CIDR blocks". I.e., it would not listen on an address in 192.168/16.


(system) closed #12

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.