Filebeat - first setup


(Sliddjur) #1

Hello, I'm trying to set up my first test site.

This is my filebeat.yml:
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/*.log
    - /var/log/auth.log
output.logstash:
  # The Logstash hosts
  hosts: ["172.23.253.24:5043"]

my logstash config:
/etc/logstash/conf.d$ cat first.conf
input {
  beats {
    port => "5043"
  }
}
output {
  elasticsearch {
    hosts => ["172.23.253.23:9200"]
    protocol => "http"
  }
}


My /var/log/filebeat/filebeat logfile:

2016-11-06T23:14:28+01:00 INFO Starting spooler: spool_size: 2048; idle_timeout: 5s
2016-11-06T23:14:28+01:00 INFO Start sending events to output
2016-11-06T23:14:33+01:00 ERR Connecting error publishing events (retrying): dial tcp 172.23.253.24:5043: getsockopt: connection refused
2016-11-06T23:14:34+01:00 ERR Connecting error publishing events (retrying): dial tcp 172.23.253.24:5043: getsockopt: connection refused
2016-11-06T23:14:36+01:00 ERR Connecting error publishing events (retrying): dial tcp 172.23.253.24:5043: getsockopt: connection refused
2016-11-06T23:14:40+01:00 ERR Connecting error publishing events (retrying): dial tcp 172.23.253.24:5043: getsockopt: connection refused
2016-11-06T23:14:48+01:00 ERR Connecting error publishing events (retrying): dial tcp 172.23.253.24:5043: getsockopt: connection refused
2016-11-06T23:14:58+01:00 INFO Non-zero metrics in the last 30s: filebeat.harvester.running=1 libbeat.publisher.published_events=10 filebeat.harvester.started=1 filebeat.harvester.open_files=1
2016-11-06T23:15:04+01:00 ERR Connecting error publishing events (retrying): dial tcp 172.23.253.24:5043: getsockopt: connection refused
2016-11-06T23:15:28+01:00 INFO No non-zero metrics in the last 30s
2016-11-06T23:15:36+01:00 ERR Connecting error publishing events (retrying): dial tcp 172.23.253.24:5043: getsockopt: connection refused
2016-11-06T23:15:58+01:00 INFO No non-zero metrics in the last 30s
2016-11-06T23:16:28+01:00 INFO No non-zero metrics in the last 30s
2016-11-06T23:16:36+01:00 ERR Connecting error publishing events (retrying): dial tcp 172.23.253.24:5043: getsockopt: connection refused
2016-11-06T23:16:58+01:00 INFO No non-zero metrics in the last 30s

On the Logstash server I have also installed the beats input: ./logstash-plugin install logstash-input-beats

I am running
ubuntu 16.04.1
logstash 5
filebeat 5
installed from repository


(Magnus Bäck) #2

It looks like Logstash on 172.23.253.24 isn't actually listening on port 5043 (check with netstat), or maybe the port is blocked by a firewall.


(Sliddjur) #3

Yes, I checked, it's open:
olof@80003v-app002:/etc/filebeat$ netcat -z -v 172.23.253.24 5043
Connection to 172.23.253.24 5043 port [tcp/*] succeeded!


(Sliddjur) #4

Restarted both services.

on logstash:

@80003v-app004:/etc/logstash/conf.d# netstat -ln | grep 5043
tcp6       0      0 :::5043                 :::*                    LISTEN

filebeat logfile

2016-11-07T10:20:29+01:00 INFO Starting prospector of type: log
2016-11-07T10:20:29+01:00 INFO Harvester started for file: /var/log/kern.log
2016-11-07T10:20:29+01:00 INFO Start sending events to output
2016-11-07T10:20:29+01:00 INFO Starting Registrar
2016-11-07T10:20:29+01:00 INFO Starting spooler: spool_size: 2048; idle_timeout: 5s
2016-11-07T10:20:29+01:00 INFO Harvester started for file: /var/log/vsftpd.log
2016-11-07T10:20:29+01:00 INFO Harvester started for file: /var/log/auth.log
2016-11-07T10:20:59+01:00 INFO Non-zero metrics in the last 30s: publish.events=43 registrar.writes=1 filebeat.harvester.running=3 libbeat.logstash.publish.read_bytes=18 libbeat.logstash.published_and_acked_events=32 libbeat.publisher.published_events=32 filebeat.harvester.started=3 filebeat.harvester.open_files=3 libbeat.logstash.publish.write_bytes=1882 registar.states.current=11 libbeat.logstash.call_count.PublishEvents=1 registrar.states.update=43
2016-11-07T10:20:59+01:00 ERR Failed to publish events caused by: EOF
2016-11-07T10:20:59+01:00 INFO Error publishing events (retrying): EOF
2016-11-07T10:21:29+01:00 INFO Non-zero metrics in the last 30s: registrar.states.update=22 libbeat.logstash.publish.read_bytes=24 libbeat.logstash.publish.read_errors=1 publish.events=22 libbeat.logstash.published_and_acked_events=22 libbeat.logstash.published_but_not_acked_events=11 libbeat.publisher.published_events=22 registrar.writes=4 libbeat.logstash.call_count.PublishEvents=5 libbeat.logstash.publish.write_bytes=2671
2016-11-07T10:21:59+01:00 INFO No non-zero metrics in the last 30s
2016-11-07T10:22:29+01:00 INFO No non-zero metrics in the last 30s
2016-11-07T10:22:59+01:00 INFO No non-zero metrics in the last 30s
2016-11-07T10:23:14+01:00 ERR Failed to publish events caused by: EOF
2016-11-07T10:23:14+01:00 INFO Error publishing events (retrying): EOF
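
Added example, not part of any post in this thread and not Elastic's code: a small Python triage script that separates the two failure modes seen in the logs above (`connection refused` at connect time versus `EOF` after the connection was established) and totals the acked and not-acked event counters from the metrics lines. The function names and stage labels are hypothetical, and the sample input is constructed from the thread's own log lines.

```python
import re
from collections import Counter

# Constructed sample: lines from the two Filebeat logs in this thread,
# with the long metrics lines shortened to the counters used below.
SAMPLE = """\
2016-11-06T23:14:33+01:00 ERR Connecting error publishing events (retrying): dial tcp 172.23.253.24:5043: getsockopt: connection refused
2016-11-07T10:20:59+01:00 INFO Non-zero metrics in the last 30s: publish.events=43 libbeat.logstash.published_and_acked_events=32 libbeat.publisher.published_events=32
2016-11-07T10:20:59+01:00 ERR Failed to publish events caused by: EOF
2016-11-07T10:21:29+01:00 INFO Non-zero metrics in the last 30s: libbeat.logstash.publish.read_errors=1 libbeat.logstash.published_and_acked_events=22 libbeat.logstash.published_but_not_acked_events=11
2016-11-07T10:23:14+01:00 ERR Failed to publish events caused by: EOF
"""

LINE = re.compile(r"^(\S+) (DBG|INFO|WARN|ERR|CRIT) (.*)$")
METRIC = re.compile(r"(\S+)=(\d+)")
ACKED = "libbeat.logstash.published_and_acked_events"
UNACKED = "libbeat.logstash.published_but_not_acked_events"

def classify(message):
    """Name the stage at which an ERR line says shipping failed (hypothetical labels)."""
    if "connection refused" in message:
        return "tcp_refused"   # connect() was rejected: no listener or a rejecting firewall
    if message.endswith("caused by: EOF"):
        return "peer_closed"   # connected, then the remote end closed the stream
    return "other"

def summarize(text):
    """Count failures per stage and total the acked / not-acked event counters."""
    failures, metrics, first_seen = Counter(), Counter(), {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, level, msg = m.groups()
        if level == "ERR":
            kind = classify(msg)
            failures[kind] += 1
            first_seen.setdefault(kind, ts)   # keep the earliest timestamp per stage
        elif "metrics in the last 30s:" in msg:
            for key, val in METRIC.findall(msg.split(":", 1)[1]):
                metrics[key] += int(val)
    return {"failures": dict(failures), "first_seen": first_seen,
            "acked": metrics[ACKED], "unacked": metrics[UNACKED]}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```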
