Filebeat to Logstash ERROR, wsasend, wsarecv

loutocky · January 31, 2017, 12:40pm

Hi,

I am using ELK stack version 5.1.2 and I have problem with sending logs from one worker (node) to central server. Everything I configured on localhost and it worked perfectly, but on development environment not. On localhost I used SSL, but now I turned it off. So my conf file of filebeat is:

filebeat.prospectors:
- input_type: log

paths:
    - e:\logs\*.log

document_type: xxx_log

output.logstash:
  hosts: ["xxxx:5043"]

logging.level: error
logging.to_syslog: true

logging.files:
  rotateeverybytes: 10485760 # = 10MB

Logstash configuration:

input {
    beats {
        port => "5043"
    }
}
filter {
	if [type] == "xxx_log" {     
        multiline {
            pattern => "^TID"
            negate => true
            what => "previous"
            }
        grok {
            break_on_match => false
            match =>  [ "message", "TID: \[%{TIMESTAMP_ISO8601:timestamp}\] %{LOGLEVEL:level} \[%{JAVACLASS:java_class}\] \(%{GREEDYDATA:thread}\) - (?<log_message>(.|\r|\n)*)"]
        }
    }
}
output {
    elasticsearch {
        hosts => [ "localhost:9200" ]
		user => "elastic"
		password => "changeme"
		index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    }
}

Ok, when I add line to log file, for example:
TID: [2017-01-19 13:37:18] INFO [App.java] (main) - Info test...

Filebeat starts to collect data, after successfull harvest I am getting:

ERR Failed to publish events caused by: write tcp yyyy:51992->xxxx:5043: wsasend: An existing connection was forcibly closed by the remote host.

Nothing in log of Logstash.

Firewall is turned off, when I open telnet from WORK node on port 5043 message will come to central server because Logstash say in log file, that I send invalid frame type, for example I send only some POST to test if port 5043 is open. So the port is open, but the elastic is empty. Sometimes, I do not know why, I am getting error in Filebeat log:

wsarecv: An existing connection was forcibly closed by the remote host.
This line generates Logstash log:

11:45:31.094 [nioEventLoopGroup-4-2] ERROR org.logstash.beats.BeatsHandler - Exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 83
13:31:43.139 [nioEventLoopGroup-4-4] ERROR org.logstash.beats.BeatsHandler - Exception: An existing connection was forcibly closed by the remote host

Thank you for any advice.
Jaroslav

system · February 28, 2017, 12:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.