Filebeat on Windows xp forcibly closed by the remote host

pjhu · August 17, 2016, 3:04pm

I am using Filebeat on windows xp ship log to logstash

##Filebeat DEBUG log

2016-08-17T19:34:31+08:00 DBG  output worker: publish 1 events
2016-08-17T19:34:31+08:00 DBG  Try to publish 1 events to logstash with window size 10
2016-08-17T19:34:31+08:00 DBG  output worker: publish 1 events
2016-08-17T19:34:31+08:00 DBG  close connection
2016-08-17T19:34:31+08:00 DBG  0 events out of 1 events sent to logstash. Continue sending ...
2016-08-17T19:34:31+08:00 INFO Error publishing events (retrying): write tcp 10.192.x.x:4647->10.93.x.x:5044: wsasend: An existing connection was forcibly closed by the remote host.
2016-08-17T19:34:31+08:00 INFO send fail
2016-08-17T19:34:31+08:00 INFO backoff retry: 1s
2016-08-17T19:34:32+08:00 DBG  End of file reached: c:\opt\filebeat\3700d.log; Backoff now.
2016-08-17T19:34:32+08:00 DBG  connect
2016-08-17T19:34:32+08:00 DBG  Try to publish 1 events to logstash with window size 5
2016-08-17T19:34:34+08:00 DBG  Start next scan
2016-08-17T19:34:34+08:00 DBG  scan path c:\opt\filebeat\3700d.log
2016-08-17T19:34:34+08:00 DBG  Check file for harvesting: c:\opt\filebeat\3700d.log
2016-08-17T19:34:34+08:00 DBG  Same file as before found. Fetch the state.    
2016-08-17T19:34:34+08:00 DBG  Update existing file for harvesting: c:\opt\filebeat\3700d.log
2016-08-17T19:34:34+08:00 DBG  Not harvesting, file didn't change: c:\opt\filebeat\3700d.log
2016-08-17T19:34:35+08:00 DBG  close connection
2016-08-17T19:34:35+08:00 DBG  0 events out of 1 events sent to logstash. Continue sending ...
2016-08-17T19:34:35+08:00 INFO Error publishing events (retrying): read tcp 10.192.0.10:4673->10.93.219.45:5044: wsarecv: The specified network name is no longer available.
2016-08-17T19:34:35+08:00 INFO send fail

##errors

1. wsasend: An existing connection was forcibly closed by the remote host

2. sarecv: The specified network name is no longer available.

Filebeat Environments

OS: Windows xp sp3
version: 1.2.3

Logstash Environments

os: CentOS 6.7
verison: 2.3.4
DN: logstash.xxxx.com

Network

Windows and CentOS machine have different networks environment, but if I telnet Centos port 5044 on Windows is ok.

##filebeat.yml

filebeat:
  prospectors:
    -
      paths:
        - c:\opt\filebeat\3700d.log
      document_type: 3700d
logging:
  level: debug
  to_files: true
  to_syslog: false
  files:
    path: c:\opt\mybeat
    name: mybeat.log
    keepfiles: 2
output:
  logstash:
    hosts: ["logstash.xxxx.com:5044"]

##logstash.conf:
input {
beats {
port => 5044
}
}
filter {
}
output {
stdout {
codec => rubydebug {metadata => true}
}
}

steffens · August 17, 2016, 3:31pm

did you ping/telnet by domain name or ip address? Did IP change, but DNS entries reported being outdated?

pjhu · August 18, 2016, 12:13am

@steffens thanks for you reply, I ping/telnet by domain name, not ip address.

steffens · August 18, 2016, 9:53am

can you try to ping by IP address? The error message:

2016-08-17T19:34:35+08:00 INFO Error publishing events (retrying): read tcp 10.192.0.10:4673->10.93.219.45:5044: wsarecv: The specified network name is no longer available.

clearly states the currently known ip address. To me it looks like some machine was 'powered off'/'rebooted'.

pjhu · August 19, 2016, 1:52am

Thank you @steffens, I find my network mapping from 10.192.0.10 to domain name 'logstash.xxxx.com ' is not true, so may be the reason for my problems. I should fix the network problem, Thank you again.

system · September 7, 2016, 3:05pm

This topic was automatically closed after 21 days. New replies are no longer allowed.