Filebeat on Windows ==> Logstash Ubuntu

(Kartik Ramachandran) #1

I have setup Filebeat on multiple Linux and macOS machines. They are able to send data to my logstash server (Ubuntu). However, when I try to send data from a Windows machine, I get the following error:

2018-09-24T15:21:40.759-0700 ERROR logstash/async.go:235 Failed to publish events caused by: write tcp> wsasend: An existing connection was forcibly closed by the remote host.

2018-09-24T15:21:41.760-0700 ERROR pipeline/output.go:92 Failed to publish events: write tcp> wsasend: An existing connection was forcibly closed by the remote host.

Here is some debugging on my end:

  1. I am able to telnet from the windows machine to Logstash machine (port 5044)
  2. The Filebeat version is 6.2.4 and logstash version is 6.2.4 as well.
  3. Sometimes, on logstash for the windows event, I see an exception thrown as below. Attached is my filbeat config for Windows. What could be happening here?
018-09-24T15:26:22,493][INFO ][] [local:, remote:] Handling exception:$InvalidFrameProtocolException: Invalid Frame Type, received: 48

[2018-09-24T15:26:22,494][WARN ][] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.

io.netty.handler.codec.DecoderException:$InvalidFrameProtocolException: Invalid Frame Type, received: 48

at io.netty.handler.codec.ByteToMessageDecoder.callDecode( ~[netty-all-4.1.18.Final.jar:4.1.18.Final]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead( ~[netty-all-4.1.18.Final.jar:4.1.18.Final]

at ~[netty-all-4.1.18.Final.jar:4.1.18.Final]

at$600( ~[netty-all-4.1.18.Final.jar:4.1.18.Final]

at$ ~[netty-all-4.1.18.Final.jar:4.1.18.Final]

at ~[netty-all-4.1.18.Final.jar:4.1.18.Final]

at io.netty.util.concurrent.SingleThreadEventExecutor$ [netty-all-4.1.18.Final.jar:4.1.18.Final]

at [netty-all-4.1.18.Final.jar:4.1.18.Final]

at [?:1.8.0_181]

Caused by:$InvalidFrameProtocolException: Invalid Frame Type, received: 48

at ~[logstash-input-beats-5.0.13.jar:?]

at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection( ~[netty-all-4.1.18.Final.jar:4.1.18.Final]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode( ~[netty-all-4.1.18.Final.jar:4.1.18.Final]

... 8 more

Filebeat config


  • type: log
    • C:\Users\vc-tools\test.log

path: ${path.config}/modules.d/*.yml
reload.enabled: false

index.number_of_shards: 3

hosts: ["logstash-ip":5044"]

(Pier-Hugues Pellerin) #2

Can you include your logstash configuration? Usually the above is linked to a plain text connection when SSL is required by the beats input.

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.