Filebeat error shipping logs => read: connection reset by peer (no TLS/SSL)

zokratez · March 21, 2017, 2:41pm

I searched in the other topics but cannot find the solution to my problem....

Scenary:
FileBeat 5.2.2.1
Filebeat-input-plugin 3.1.14
ELK 5.2

I have 4 server successfully sending logs to the logstash servers... I create a new server but it's imposible to make it work...

This is my config:

filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/maillog
  document_type: maillog
- input_type: log
  paths:
    - /var/log/secure
  document_type: maillogin
- input_type: log
  paths:
    - /var/log/fail2ban.log
  document_type: fail2ban

output.elasticsearch:
   hosts: ["host1:5044", "host2:5044"]
   loadbalance: true

And I get the following errors...

2017-03-21T11:30:41-03:00 ERR Connect failed with: Get http://host1:5044: read tcp 10.73.1.25:49879->10.73.2.86:5044: read: connection reset by peer
2017-03-21T11:30:41-03:00 ERR Connect failed with: Get http://host2:5044: read tcp 10.73.1.25:35833->10.73.2.87:5044: read: connection reset by peer
2017-03-21T11:31:08-03:00 INFO Non-zero metrics in the last 30s: libbeat.es.publish.write_bytes=264 libbeat.es.publish.read_errors=2

While the others servers say:

2017-03-21T10:36:49-03:00 INFO Non-zero metrics in the last 30s: publish.events=193 libbeat.logstash.call_count.PublishEvents=6 libbeat.logstash.publish.write_bytes=12409 registrar.states.update=193 libbeat.logstash.publish.read_bytes=72 libbeat.logstash.published_and_acked_events=193 libbeat.publisher.published_events=193 registrar.writes=6

The configs are identical... All the servers are Centos 6 or 7.
I'm not using TLS/SSL.
There is no firewall rules or SELinux enabled.
The logstash server dont write any log about the "Cause of rejection".

What can I do?

zokratez · March 21, 2017, 2:44pm

In addition, this is the start service log in the server that doesnt work:

Starting filebeat: 2017/03/21 14:43:45.548574 beat.go:267: INFO Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2017/03/21 14:43:45.548633 beat.go:177: INFO Setup Beat: filebeat; Version: 5.2.2
2017/03/21 14:43:45.548775 logp.go:219: INFO Metrics logging every 30s
2017/03/21 14:43:45.548985 output.go:167: INFO Loading template enabled. Reading template file: /etc/filebeat/filebeat.template.json
2017/03/21 14:43:45.549518 output.go:178: INFO Loading template enabled for Elasticsearch 2.x. Reading template file: /etc/filebeat/filebeat.template-es2x.json
2017/03/21 14:43:45.549986 client.go:120: INFO Elasticsearch url: http://host1:5044
2017/03/21 14:43:45.550089 client.go:120: INFO Elasticsearch url: http://host2:5044
2017/03/21 14:43:45.550414 outputs.go:106: INFO Activated elasticsearch as output plugin.
2017/03/21 14:43:45.550646 publish.go:291: INFO Publisher name: mail01.cabib.local
2017/03/21 14:43:45.550852 async.go:63: INFO Flush Interval set to: 1s
2017/03/21 14:43:45.550869 async.go:64: INFO Max Bulk Size set to: 50
Config OK

And this is the service log on the working one:

Starting filebeat: 2017/03/21 14:46:17.113994 beat.go:267: INFO Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2017/03/21 14:46:17.114085 beat.go:177: INFO Setup Beat: filebeat; Version: 5.2.2
2017/03/21 14:46:17.114264 logstash.go:90: INFO Max Retries set to: 3
2017/03/21 14:46:17.114845 logp.go:219: INFO Metrics logging every 30s
2017/03/21 14:46:17.114913 outputs.go:106: INFO Activated logstash as output plugin.
2017/03/21 14:46:17.115075 publish.go:291: INFO Publisher name: w5.cabib.local
2017/03/21 14:46:17.115811 async.go:63: INFO Flush Interval set to: 1s
2017/03/21 14:46:17.115837 async.go:64: INFO Max Bulk Size set to: 2048
Config OK

Much more resumed... Why are diferents if I have installed it from the same repository?

PD: I was tryed purge and reinstall.

andrewkroh · March 21, 2017, 4:00pm

How about changing output.elasticsearch to output.logstash?

zokratez · March 21, 2017, 5:28pm

Oh damm....

I'm so ashamed that I would delete this post ..

Sorry for make you waste time...

system · April 18, 2017, 5:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.