Filebeat not communicating with Logstash, is TLS required?

Lexa · February 22, 2017, 3:02pm

I have installed LS 5.2.1 and filebeat 5.2.1. (CentOs7) When attempting to ship via filbeat, I am getting the following error in the filebeat log.

2017-02-21T23:25:15-05:00 ERR Connecting error publishing events (retrying): Get http://192.168.56.102:5044: read tcp 192.168.56.101:33570->192.168.56.102:5044: read: connection reset by peer
2017-02-21T23:25:36-05:00 INFO Non-zero metrics in the last 30s: libbeat.es.publish.read_errors=1 libbeat.es.publish.write_bytes=126

I have verified that I can telnet from the filebeat host to the logstash host on port 5044..

The following are the changes that I made to the default /etc/filebeat/filebeat.yml file

input_type: log
document_type: syslog

Paths that should be crawled and fetched. Glob based paths.

paths:
- /var/log/secure
  #- c:\programdata\elasticsearch\logs*

#output.logstash:

The Logstash hosts

hosts: ["192.168.56.102:5044"]

and here is the logstash plugin file that I have in /etc/logstash/conf.d on the logstash host

input {
beats {
port => 5044
client_inactivity_timeout => "900"
}
}
output {
stdout { }
elasticsearch { }
}

I have searched the previous topics and have been unable to find any resolution. Any advice would be greatly appreciated.

lueneburger · February 22, 2017, 3:44pm

did you try to:

Input {
beats {
port => "5044"
client_inactivity_timeout => "900"
}

Lexa · February 22, 2017, 4:00pm

The only difference I see is that you have the port number in quotes.... I am trying this now.

Thank you!

Lexa · February 22, 2017, 4:16pm

I tried with quotes. This did not correct the issue.

input {
beats {
port => "5044"
client_inactivity_timeout => "900"
}
}
output {
stdout { }
elasticsearch { }
}

lueneburger · February 23, 2017, 11:44am

i only know the error from trying to get filebeat and logstash working on an SSL connection, with the wrong certificate.

and logstash is starting without any problem?

steffens · February 23, 2017, 4:03pm

the read timeout indicates filebeat has pushed the events, but the remote host closing the connection while filebeat is waiting for the ACK.

Which logstash-input-beats version is installed? Consider upgrading the plugin to the most recent version. Some users did report version 3.1.10 of the plugin fixing this issue for them.

Note:
Well, TSL/SSL also use read/write operations and the java-code seems to just close connection on certificate failure, which would give you a similar error message. But as you are not using TLS, the error happens waiting for ACK from logstash.

system · March 15, 2017, 3:02pm

This topic was automatically closed after 21 days. New replies are no longer allowed.

Topic		Replies	Views
ERR Connecting error publishing events (retrying): Get http://xx.xx.xx.xx:5044: net/http: request canceled while waiting for connection Beats filebeat	6	1126	July 21, 2017
Filebeat Error Beats filebeat	2	630	November 16, 2016
Filebeat refuse the connection with logstash Beats filebeat	12	6445	February 8, 2017
Filebeat not pushing on Logstash, Beats filebeat	20	3823	July 5, 2017
Filebeat SSL to logstash Beats filebeat	4	3054	June 6, 2017

Filebeat not communicating with Logstash, is TLS required?

Paths that should be crawled and fetched. Glob based paths.

The Logstash hosts

Related topics