Filebeat not shipping logs to logstash

Elastic Stack Elasticsearch
1

Hi I am setting up ELK stack for POC.
I have installed ELK 7.17 version. Installed all the packages separately like different machine.
Now i have installed file beat and enabled logstash module but i don't see any logs coming to logstash.
tried few things like.

filebeat test output
logstash: ip:5044...
  connection...
    parse host... OK
    dns lookup... OK
    addresses: ip
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK

But when i do telnet on the log stash ip from the node. Seeing few errors in log stash like this.

[2022-11-15T12:40:33,032][INFO ][org.logstash.beats.BeatsHandler][main][cccda7e3f21e688691fa7337a0f554a903e80b213415b70f816cb647d30a4675] [local: 10.0.61.141:5044, remote: 10.0.60.127:57066] Handling exception: io.netty.handler.codec.DecoderException: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 10 (caused by: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 10)
[2022-11-15T12:40:33,033][WARN ][io.netty.channel.DefaultChannelPipeline][main][cccda7e3f21e688691fa7337a0f554a903e80b213415b70f816cb647d30a4675] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 10

Seen few questions with same error, but i haven't enabled Elasticsearch in filebeat config file.

# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
#hosts: ["ip:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: ""
  #password: ""

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["ip:5044"]

Here is the beats input conf file

input {
beats {
port => 5044
ssl => false
}
}
output {
if [fields][type] == "apache_logs"
{
elasticsearch {
hosts => ["ip:9200"]
user => "un"
password => "pwd"
index => "apache-logs"
}
stdout { codec => rubydebug }
}

}

2

It Is shipping logs now. Still i don't understand when ever there is closing connection from telnet i am seeing errors like

[2022-11-16T05:03:11,512][WARN ][io.netty.channel.DefaultChannelPipeline][main][0cc99af57e501e3485f6ffe644653bef15d71919bd5f5e34cdfa67ad68da766d] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 10
3

@rahul_sirugudi

Because telnet does not use the binary beats protocol that logstash is expecting on 5044

So the logstash pipeline throws an exception when telnet closes the connection.

Pretty sure that is expected....

Yup exactly what I get

[2022-11-15T21:17:42,731][INFO ][org.logstash.beats.BeatsHandler][main][96327dff9f4b38d428e0101c36fc4c5a586fb3ebba0b293ecbf84923c571b309] [local: 0:0:0:0:0:0:0:1:5044, remote: 0:0:0:0:0:0:0:1:61070] Handling exception: io.netty.handler.codec.DecoderException: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: -1 (caused by: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: -1)

Telnet just test the port and IP is open, it is not necessarily "speaking" the right "language"

4

thank you. I have one question, from previous set up done like 1 year back. In the logstash-plain.log . I used to see all my application logs. In the current set up i am not seeing those. My set up is exact replica with config part. Is that expected or am i missing anything?

5

Please open a new thread with
The current and previous versions of Logstash
You entire pipeline config
Your logstash.yml

And perhaps look at...

Default level logging is INFO

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.