[Filebeat IIS] lumberjack protocol error

Hello all,

I have Filebeat installed on two Windows 2008 R2 servers with IIS 7.5.
My Filebeat log file is polluted by these kinds of entries:

| Level | Source | Message |
|---|---|---|
| INFO | log/input.go:138 | Configured paths: [C:\inetpub\logs\LogFiles\*\*.log] |
| INFO | input/input.go:114 | Starting input of type: log; ID: 16099378564317141154 |
| INFO | log/harvester.go:255 | Harvester started for file: C:\inetpub\logs\LogFiles\W3SVC\u_ex190403.log |
| INFO | pipeline/output.go:95 | Connecting to backoff(async(tcp://logstash_server:5044)) |
| INFO | pipeline/output.go:105 | Connection to backoff(async(tcp://logstash_server:5044)) established |
| ERROR | logstash/async.go:256 | Failed to publish events caused by: read tcp 10.0.143.10:54851-logstash_server:5044: wsarecv: An existing connection was forcibly closed by the remote host. |
| ERROR | logstash/async.go:256 | Failed to publish events caused by: client is not connected |
| ERROR | pipeline/output.go:121 | Failed to publish events: client is not connected |
| INFO | pipeline/output.go:95 | Connecting to backoff(async(tcp://logstash_server:5044)) |
| INFO | pipeline/output.go:105 | Connection to backoff(async(tcp://logstash_server:5044)) established |
| ERROR | logstash/async.go:256 | Failed to publish events caused by: lumberjack protocol error |
| ERROR | logstash/async.go:256 | Failed to publish events caused by: client is not connected |
| ERROR | pipeline/output.go:121 | Failed to publish events: client is not connected |
| INFO | pipeline/output.go:95 | Connecting to backoff(async(tcp://logstash_server:5044)) |
| INFO | pipeline/output.go:105 | Connection to backoff(async(tcp://logstash_server:5044)) established |
| ERROR | logstash/async.go:256 | Failed to publish events caused by: lumberjack protocol error |
| ERROR | logstash/async.go:256 | Failed to publish events caused by: client is not connected |
| ERROR | pipeline/output.go:121 | Failed to publish events: client is not connected |

What I don't understand is:

  • Why is the harvester started for one logfile?
  • Why is the client NOT CONNECTED while the connection to the backend is established?

Thanks all for your help!

Are you facing the issue right after the update? As that is the case for me. :disappointed_relieved: No solution yet!

Hello,

No, the issue is solved. I had two Logstash confs that used the same port (5044).
Once I removed one of the confs, everything went back to normal.
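
A pre-deployment check for the cause reported in the reply above (two Logstash configs using port 5044), as an added example that is not from the thread: it scans config text for `input` plugins that set the same `port`. The file names and config contents are constructed samples, and the small parser assumes no `#` or braces inside quoted strings.

```python
import re
from collections import defaultdict

# Constructed sample configs (not from the thread); both claim port 5044 as a listener.
SAMPLE_CONFIGS = {
    "iis.conf": """
input {
  beats { port => 5044 }   # Filebeat (lumberjack) listener
}
output { elasticsearch { hosts => ["localhost:9200"] } }
""",
    "legacy.conf": """
input {
  tcp { port => 5044 codec => json }
  beats { port => 5045 }
}
output { tcp { host => "10.0.0.5" port => 5044 } }  # outbound, not a listener
""",
}
PLUGIN = re.compile(r"(\w+)\s*\{")

def block_body(text, start):
    """Return the text between the '{' at index start and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces")

def listeners(text):
    """Yield (plugin, port) for every plugin inside an input { } section that sets a port."""
    text = re.sub(r"#.*", "", text)  # drop comments (assumes no '#' inside strings)
    for section in re.finditer(r"\binput\s*\{", text):
        body, pos = block_body(text, section.end() - 1), 0
        while (p := PLUGIN.search(body, pos)):
            plugin_body = block_body(body, p.end() - 1)
            pos = p.end() + len(plugin_body) + 1  # continue after this plugin's '}'
            port = re.search(r"\bport\s*=>\s*\"?(\d+)", plugin_body)
            if port:
                yield p.group(1), int(port.group(1))

def port_conflicts(configs):
    """Map port -> [(file, plugin), ...] for ports claimed by more than one input."""
    seen = defaultdict(list)
    for name, text in configs.items():
        for plugin, port in listeners(text):
            seen[port].append((name, plugin))
    return {port: users for port, users in seen.items() if len(users) > 1}
```

On the sample data, `port_conflicts(SAMPLE_CONFIGS)` flags 5044 as claimed by the `beats` input in `iis.conf` and the `tcp` input in `legacy.conf`, and ignores the outbound `tcp` output.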
