I have set up Filebeat on multiple Linux and macOS machines. They are able to send data to my Logstash server (Ubuntu). However, when I try to send data from a Windows machine, I get the following error:
2018-09-24T15:21:40.759-0700 ERROR logstash/async.go:235 Failed to publish events caused by: write tcp 172.28.81.55:62736->172.28.81.195:5044: wsasend: An existing connection was forcibly closed by the remote host.
2018-09-24T15:21:41.760-0700 ERROR pipeline/output.go:92 Failed to publish events: write tcp 172.28.81.55:62736->172.28.81.195:5044: wsasend: An existing connection was forcibly closed by the remote host.
Here is some debugging on my end:
- I am able to telnet from the Windows machine to the Logstash machine (port 5044)
- The Filebeat version is 6.2.4 and the Logstash version is 6.2.4 as well.
- Sometimes, on Logstash for the Windows event, I see an exception thrown as below. Attached is my Filebeat config for Windows. What could be happening here?
[2018-09-24T15:26:22,493][INFO ][org.logstash.beats.BeatsHandler] [local: 172.28.81.195:5044, remote: 172.28.81.55:62999] Handling exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 48
[2018-09-24T15:26:22,494][WARN ][io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 48
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
    at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
    at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
    at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-all-4.1.18.Final.jar:4.1.18.Final]
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-all-4.1.18.Final.jar:4.1.18.Final]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]
Caused by: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 48
    at org.logstash.beats.BeatsParser.decode(BeatsParser.java:92) ~[logstash-input-beats-5.0.13.jar:?]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
    ... 8 more
Filebeat config
filebeat.prospectors:
- type: log
  paths:
    - C:\Users\vc-tools\test.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
output.logstash:
  hosts: ["logstash-ip:5044"]