Filebeat refuse the connection with logstash

Elastic Stack Beats
1

while shipping the log filebeat give an error i.e. INFO Connecting error publishing events (retrying): dial tcp 10.228.13.59:5044: getsockopt: connection refused

my logstash configuration file is

input {
beats {
port => 5044
}
}

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}

if [type] == "apache-access" {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
}
}

output {
elasticsearch {
hosts => "localhost:9200"

}
}

and filebeat configuration file is

output:

Logstash as output

logstash:
# The Logstash hosts
hosts: ["10.228.13.59:5044"]

TLS is not enabled

2
  • Verify that Logstash really is listening on port 5044 (use e.g. netstat).
  • Verify that there's no firewall blocking the access.
3

yes firewall is ok and logstash listening port 5044

4

So telnet 10.228.13.59 5044 works?

5

yes it works

6

did you run telnet from the machine filebeat is running on? The error is generated by the OS, as the OS could not establish a connection on TCP level.

7

thanks for the reply

now i'm not able to connect telnet connection and also I've checked the logstash log file the error is

"2017-01-11T10:46:15,840][WARN ][logstash.outputs.elasticsearch] Elasticsearch output attempted to sniff for new connections but cannot. No living connections are detected. Pool contains the following current URLs {:url_info=>{}}
[2017-01-11T10:46:19,012][WARN ][logstash.shutdownwatcher ] {}
"

8

no it is not working "telnet 10.228.13.59 5044"

9

no it is not working "telnet 10.228.13.59 5044"

If Logstash indeed is running it seems you have a network issue. That's hard for us to debug.

10

thank you sir but now telnet connection is working fine and also the connection refuse error is not coming in filebeat.... but still log is not coming

one more thing is that while using this command "curl -XGET 'http://localhost:9200/filebeat-*/_search?pretty'" o/p is coming

11

thank you sir but now telnet connection is working fine and also the connection refuse error is not coming in filebeat.... but still log is not coming

What's in Logstash's log? The "No living connections are detected" message you posted earlier is probably not the only interesting message. What does your elasticsearch output plugin configuration look like?

one more thing is that while using this command "curl -XGET 'http://localhost:9200/filebeat-*/_search?pretty'" o/p is coming

"o/p"?

12

Thanks for your valuable time sir now everything is fine :smiley: thankyou for your suggestion

i think problem is, filebeat was not communicating with 5044/tcp I enable that in ufw after that
telnet connection start working.

Now I'm working on GeoIP field so once again thank you :slight_smile:

13

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.