[Filebeat IIS] lumberjack protocol error

nyarlath · April 3, 2019, 1:37pm

Hello all,

I have filebeat installed on two windows 2008R2 servers with IIS 7.5.
My filebeat log file is polluted by this kind of entries:

 |INFO|log/input.go:138|Configured paths: [C:\inetpub\logs\LogFiles\*\*.log]|
 |---|---|---|
 |INFO|input/input.go:114|Starting input of type: log; ID: 16099378564317141154 |
 |INFO|log/harvester.go:255|Harvester started for file: C:\inetpub\logs\LogFiles\W3SVC\u_ex190403.log|
 |INFO|pipeline/output.go:95|Connecting to backoff(async(tcp://logstash_server:5044))|
 |INFO|pipeline/output.go:105|Connection to backoff(async(tcp://logstash_server:5044)) established|
 |ERROR|logstash/async.go:256|Failed to publish events caused by: read tcp 10.0.143.10:54851-logstash_server:5044: wsarecv: An existing connection was forcibly closed by the remote host.|
 |ERROR|logstash/async.go:256|Failed to publish events caused by: client is not connected|
 |ERROR|pipeline/output.go:121|Failed to publish events: client is not connected|
 |INFO|pipeline/output.go:95|Connecting to backoff(async(tcp://logstash_server:5044))|
 |INFO|pipeline/output.go:105|Connection to backoff(async(tcp://logstash_server:5044)) established|
 |ERROR|logstash/async.go:256|Failed to publish events caused by: lumberjack protocol error|
 |ERROR|logstash/async.go:256|Failed to publish events caused by: client is not connected|
 |ERROR|pipeline/output.go:121|Failed to publish events: client is not connected|
 |INFO|pipeline/output.go:95|Connecting to backoff(async(tcp://logstash_server:5044))|
 |INFO|pipeline/output.go:105|Connection to backoff(async(tcp://logstash_server:5044)) established|
 |ERROR|logstash/async.go:256|Failed to publish events caused by: lumberjack protocol error|
 |ERROR|logstash/async.go:256|Failed to publish events caused by: client is not connected|
 |ERROR|pipeline/output.go:121|Failed to publish events: client is not connected|

What I don't understand is :

Why is the harvester started for one logfile?
Why is the client in NOT CONNECTED while the connection to backend is established?

Thanks all for your help!

yemloyeydu · April 12, 2019, 2:19pm

Are you facing the issue right after the udpdate? As that is the case for me. no solution yet!

nyarlath · April 16, 2019, 7:28am

Hello,

No issue is solved, I had two logstash conf that used the same port (5044).
Once i removed one of the conf, everything went back to normal.

system · May 14, 2019, 7:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Sending log from filebeat to logstash error: Failed to publish events caused by: lumberjack protocol error Beats filebeat	6	6100	November 17, 2019
Filebeat error- Failed to publish events caused by: lumberjack protocol error Logstash	1	505	September 27, 2021
Filebeat Couldn't Send Logs to Logstash Beats filebeat	7	1095	September 23, 2019
Filebeat to logstash - connectivity issue Beats filebeat	4	537	October 17, 2019
Getting " ERR Failed to publish events caused by: lumberjack protocol error" in Filebeat Beats filebeat	5	11521	December 5, 2017

[Filebeat IIS] lumberjack protocol error

Related topics