Filebeat not communicating with Logstash, is TLS required?

I have installed LS 5.2.1 and filebeat 5.2.1. (CentOs7) When attempting to ship via filbeat, I am getting the following error in the filebeat log.

2017-02-21T23:25:15-05:00 ERR Connecting error publishing events (retrying): Get http://192.168.56.102:5044: read tcp 192.168.56.101:33570->192.168.56.102:5044: read: connection reset by peer
2017-02-21T23:25:36-05:00 INFO Non-zero metrics in the last 30s: libbeat.es.publish.read_errors=1 libbeat.es.publish.write_bytes=126

I have verified that I can telnet from the filebeat host to the logstash host on port 5044..

The following are the changes that I made to the default /etc/filebeat/filebeat.yml file

  • input_type: log
    document_type: syslog

    Paths that should be crawled and fetched. Glob based paths.

    paths:

    • /var/log/secure
      #- c:\programdata\elasticsearch\logs*

#output.logstash:

The Logstash hosts

hosts: ["192.168.56.102:5044"]

and here is the logstash plugin file that I have in /etc/logstash/conf.d on the logstash host

input {
beats {
port => 5044
client_inactivity_timeout => "900"
}
}
output {
stdout { }
elasticsearch { }
}

I have searched the previous topics and have been unable to find any resolution. Any advice would be greatly appreciated.

did you try to:

Input {
beats {
port => "5044"
client_inactivity_timeout => "900"
}

The only difference I see is that you have the port number in quotes.... I am trying this now.

Thank you!

I tried with quotes. This did not correct the issue.

input {
beats {
port => "5044"
client_inactivity_timeout => "900"
}
}
output {
stdout { }
elasticsearch { }
}

i only know the error from trying to get filebeat and logstash working on an SSL connection, with the wrong certificate.

and logstash is starting without any problem?

the read timeout indicates filebeat has pushed the events, but the remote host closing the connection while filebeat is waiting for the ACK.

Which logstash-input-beats version is installed? Consider upgrading the plugin to the most recent version. Some users did report version 3.1.10 of the plugin fixing this issue for them.

Note:
Well, TSL/SSL also use read/write operations and the java-code seems to just close connection on certificate failure, which would give you a similar error message. But as you are not using TLS, the error happens waiting for ACK from logstash.

This topic was automatically closed after 21 days. New replies are no longer allowed.