Filebeat to logstash encoding error

Hey, I'm attempting to use docker-elk from GitHub to set up a local ELK stack for testing purposes.
I have the containers running fine. I also configured filebeat on my local machine to monitor nginx logs.

For some reason the logs being pushed to Logstash appear to be encoded/encrypted incorrectly.

If I manually push the logs to Logstash using cat /usr/local/var/log/nginx/access.log | nc -c localhost 5000 the logs appear in Kibana (Observability > Logs). However when Filebeat pushes logs to logstash, they appear with this encoding?

(\"sLm\"\u0002\xFD~\xA0eE\xB1\x85\u001F\xBE?\u0017\x8FK\x89\u001F\xCF\xCF\xDF\xE5*S[H\u0004\xA3\u0019\xF4\u0010\x8AVZɞ@-\x85\xC0i\xB7\xB0_\xD7\u0019\xF3;A\xC5\b\u0006\xE5[\x80;\xE1E!\xDE\xDC\xD3\u0019Ya\xF6\xE8\xEA\xA8\b^\x8F\x88\xB9\x93Wv\x87H`\x98\x9A\u0003\xCB\xF6\xCE\xCC\xDB\xD2\r\xF4y\u001A\xD9\xF4\x9DT(\xA3\xB0\xB8 \xA7\xEFf\xC0\xF7В\x95\x88\x8E\u001A\xC2¶-\xB6$%*\xA55\xF7\u0012}\xDES\x81\xB5\xD6\u0005zUx\xAC\xBDU\u000F>\xED\x9C\xC4B5\x84\xAEj7H\xAA\xB0_\xE2L\x8D\xC6hBUU\xE8J\u0016\x93\xAAu\xA6J\x9B\xA9\xCAf\xC6\u0087\u0004\u0006\xE7\xB9\v\xE716\x80\xB18\xC6\xEA;\x8D\xB5\xC7\xC2\xE1\x8E\xD0+\xD4\\\xB5\x96\xFF\xB6\xB9\u0012I\xA1m\xB1\xD4\xD8x,\fk\x9D\xD0\xD4H\rZ\x89R\xA1\xE7\xD8\u007F\xDA\xE4\u0013\xB6\xE2\t\xDBS\xF9\xD8VX,\r\u0012\xA1\xDAakP\xD7<\u000F\x93\xFB\xF55H\xC0\u0005\xBF\xEFV\xF2\xEB!\xF0\xCF|\xB2\xE5EɅ\xA7x

I'm assuming this must be some kind of SSL Handshake issue based on Googling, however I have set ssl.enabled: false in Filebeat config so I'm a little lost. Is there anything you might know of which could point me in the right direction?


If sending log to logstash with netcat works, then I would assume you are using a tcp input. filebeat sends logs encoded with the lumberjack protocol and you would need a beats input to receive that.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.