Filebeat refuse the connection with logstash

shubhrant · January 10, 2017, 9:02am

while shipping the log filebeat give an error i.e. INFO Connecting error publishing events (retrying): dial tcp 10.228.13.59:5044: getsockopt: connection refused

my logstash configuration file is

input {
beats {
port => 5044
}
}

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}

if [type] == "apache-access" {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
}
}

output {
elasticsearch {
hosts => "localhost:9200"

}
}

and filebeat configuration file is

output:

Logstash as output

logstash:
# The Logstash hosts
hosts: ["10.228.13.59:5044"]

TLS is not enabled

magnusbaeck · January 10, 2017, 10:02am

Verify that Logstash really is listening on port 5044 (use e.g. netstat).
Verify that there's no firewall blocking the access.

shubhrant · January 10, 2017, 10:16am

yes firewall is ok and logstash listening port 5044

magnusbaeck · January 10, 2017, 10:25am

So telnet 10.228.13.59 5044 works?

niks · January 10, 2017, 11:23am

yes it works

steffens · January 10, 2017, 12:22pm

did you run telnet from the machine filebeat is running on? The error is generated by the OS, as the OS could not establish a connection on TCP level.

shubhrant · January 11, 2017, 5:26am

thanks for the reply

now i'm not able to connect telnet connection and also I've checked the logstash log file the error is

"2017-01-11T10:46:15,840][WARN ][logstash.outputs.elasticsearch] Elasticsearch output attempted to sniff for new connections but cannot. No living connections are detected. Pool contains the following current URLs {:url_info=>{}}
[2017-01-11T10:46:19,012][WARN ][logstash.shutdownwatcher ] {}
"

shubhrant · January 11, 2017, 5:26am

no it is not working "telnet 10.228.13.59 5044"

magnusbaeck · January 11, 2017, 6:37am

no it is not working "telnet 10.228.13.59 5044"

If Logstash indeed is running it seems you have a network issue. That's hard for us to debug.

shubhrant · January 11, 2017, 6:42am

thank you sir but now telnet connection is working fine and also the connection refuse error is not coming in filebeat.... but still log is not coming

one more thing is that while using this command "curl -XGET 'http://localhost:9200/filebeat-*/_search?pretty'" o/p is coming

magnusbaeck · January 11, 2017, 9:32am

thank you sir but now telnet connection is working fine and also the connection refuse error is not coming in filebeat.... but still log is not coming

What's in Logstash's log? The "No living connections are detected" message you posted earlier is probably not the only interesting message. What does your elasticsearch output plugin configuration look like?

one more thing is that while using this command "curl -XGET 'http://localhost:9200/filebeat-*/_search?pretty'" o/p is coming

"o/p"?

shubhrant · January 11, 2017, 9:57am

Thanks for your valuable time sir now everything is fine thankyou for your suggestion

i think problem is, filebeat was not communicating with 5044/tcp I enable that in ufw after that
telnet connection start working.

Now I'm working on GeoIP field so once again thank you

system · February 8, 2017, 9:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.