Filebeat: Connection to Logstash fails, then immediately tries backoff and that works


Hi guys,

I have a dockerized Filebeat 6.5.1 instance that monitors my docker containers using the docker input.

Basically every time a log line is found by Filebeat, I get a Failed to publish events / connection reset by peer", but then it apparently connects again immediately, and then it works, so it cannot really be a firewall issue, can it?

(Also, pinging the Logstash server from inside the Filebeat container works fine, and netstat tells me that Logstash does listen on port 5045. Firewall is open - also, in the 2nd try it succeeds, to it cannot be the firewall, I guess).

{"level":"info","timestamp":"2018-11-30T14:01:27.096Z","caller":"log/harvester.go:254","message":"Harvester started for file: /var/lib/docker/containers/8d94925c6fe48467db3d/8d94925c6fe48467db3df-json.log"}
{"level":"error","timestamp":"2018-11-30T14:01:28.106Z","caller":"logstash/async.go:256","message":"Failed to publish events caused by: write tcp>123.456.12.14:5045: write: connection reset by peer"}
{"level":"error","timestamp":"2018-11-30T14:01:29.107Z","caller":"pipeline/output.go:121","message":"Failed to publish events: write tcp>123.456.12.14:5045: write: connection reset by peer"}
{"level":"info","timestamp":"2018-11-30T14:01:29.108Z","caller":"pipeline/output.go:95","message":"Connecting to backoff(async(tcp://"}
{"level":"info","timestamp":"2018-11-30T14:01:29.119Z","caller":"pipeline/output.go:105","message":"Connection to backoff(async(tcp:// established"}

Interesting, for the first try it prints the IP of the logstash server, the second time it prints the host name - could that have to do with IPv4/IPv6 issues?

I find this weird and would be grateful about any hints! As far as I can see the logs always get sent in the 2nd try, but this behaviour is probably not how it should be, right?



This is my docker-compose:

version: "3.3"

    user: root
      - ./filebeat.yml:/usr/share/filebeat/filebeat.yml
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/:/var/lib/docker:ro
      - ./logs/:/usr/share/filebeat/logs/
    entrypoint: "/usr/local/bin/docker-entrypoint" # to enable logging to file
    command: "-E FOO=BAR" # to overwrite the -e that disables logging to file!

This is my filebeat.yml:

  - type: docker
    containers.ids: '*'
    ignore_older: 1h
    enabled: true
    - add_docker_metadata: ~

    hosts: [""]
    timeout: 240s
    enabled: true
    enabled: false # otherwise they get printed to stdout and get picked up via docker again - eternal circle!

(Steffen Siering) #2

Also check logstash settings and logs. Logstash also times out idle connections.

(system) closed #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.