Filebeat not communicating with Logstash, is TLS required?


#1

I have installed LS 5.2.1 and filebeat 5.2.1 (CentOS 7). When attempting to ship via filebeat, I am getting the following error in the filebeat log.

2017-02-21T23:25:15-05:00 ERR Connecting error publishing events (retrying): Get http://192.168.56.102:5044: read tcp 192.168.56.101:33570->192.168.56.102:5044: read: connection reset by peer
2017-02-21T23:25:36-05:00 INFO Non-zero metrics in the last 30s: libbeat.es.publish.read_errors=1 libbeat.es.publish.write_bytes=126

I have verified that I can telnet from the filebeat host to the logstash host on port 5044.

The following are the changes that I made to the default /etc/filebeat/filebeat.yml file:

- input_type: log
  document_type: syslog

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/secure
    #- c:\programdata\elasticsearch\logs*

#output.logstash:
  # The Logstash hosts
  hosts: ["192.168.56.102:5044"]

and here is the logstash plugin file that I have in /etc/logstash/conf.d on the logstash host

input {
  beats {
    port => 5044
    client_inactivity_timeout => "900"
  }
}
output {
  stdout { }
  elasticsearch { }
}

I have searched the previous topics and have been unable to find any resolution. Any advice would be greatly appreciated.


(Dirk Lüneburger) #2

Did you try:

input {
  beats {
    port => "5044"
    client_inactivity_timeout => "900"
  }
}

#3

The only difference I see is that you have the port number in quotes.... I am trying this now.

Thank you!


#4

I tried with quotes. This did not correct the issue.

input {
  beats {
    port => "5044"
    client_inactivity_timeout => "900"
  }
}
output {
  stdout { }
  elasticsearch { }
}


(Dirk Lüneburger) #5

I only know the error from trying to get filebeat and logstash working on an SSL connection with the wrong certificate.

And logstash is starting without any problem?


(Steffen Siering) #6

The read timeout indicates filebeat has pushed the events, but the remote host is closing the connection while filebeat is waiting for the ACK.

Which logstash-input-beats version is installed? Consider upgrading the plugin to the most recent version. Some users did report version 3.1.10 of the plugin fixing this issue for them.

Note:
Well, TLS/SSL also uses read/write operations, and the Java code seems to just close the connection on certificate failure, which would give you a similar error message. But as you are not using TLS, the error happens while waiting for the ACK from logstash.
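
Added example, not part of any post in this thread: a small Python check that reads the two filebeat log lines quoted in post #1 and reports which libbeat output produced them and whether an HTTP request was sent to the beats port. It assumes that `libbeat.es.*` metric keys are emitted by the Elasticsearch output and `libbeat.logstash.*` keys by the Logstash output; the function names are hypothetical.

```python
import re

# Sample input: the two log lines quoted in post #1 of this thread.
SAMPLE_LOG = """\
2017-02-21T23:25:15-05:00 ERR Connecting error publishing events (retrying): Get http://192.168.56.102:5044: read tcp 192.168.56.101:33570->192.168.56.102:5044: read: connection reset by peer
2017-02-21T23:25:36-05:00 INFO Non-zero metrics in the last 30s: libbeat.es.publish.read_errors=1 libbeat.es.publish.write_bytes=126
"""

# Assumption: the second component of a libbeat metric key names the output.
METRIC_RE = re.compile(r"\blibbeat\.(es|logstash)\.[\w.]+=\d+")
# HTTP request quoted inside an error line: "<Method> http(s)://host:port".
HTTP_RE = re.compile(r"\b(?:Get|Post|Head|Put)\s+\"?(https?)://([^\s/:\"]+):(\d+)")


def active_outputs(log_text):
    """Return the set of output names ('es', 'logstash') seen in metric keys."""
    return {m.group(1) for m in METRIC_RE.finditer(log_text)}


def http_targets(log_text):
    """Return (scheme, host, port) for each HTTP request quoted in the log."""
    return [(s, h, int(p)) for s, h, p in HTTP_RE.findall(log_text)]


def diagnose(log_text, beats_port=5044):
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    outputs = active_outputs(log_text)
    if "es" in outputs and "logstash" not in outputs:
        findings.append("metrics come from the Elasticsearch output only; "
                        "output.logstash does not appear to be active")
    for scheme, host, port in http_targets(log_text):
        if port == beats_port:
            findings.append(f"{scheme.upper()} request sent to {host}:{port}, "
                            "the beats input port, which does not speak HTTP")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print("-", finding)
```
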

