Filebeats cannot push events to logstash

Dear team,

could you please give me a hint what to do?
We have all Elasticstack on version 7.9.2 (ELS, Logstash, Filebeats, Kibana).
From filebeats towards logstash no TLS is used.

Here is the error found in logstash:

[2021-09-27T17:34:22,620][INFO ][][main][8d69d8d10a5180ce75149457893c4765bbb9f074270c3cef2aa4df5225038919] [local:, remote:] Handling exception: Invalid version of beats protocol: -12
[2021-09-27T17:34:22,621][WARN ][][main][8d69d8d10a5180ce75149457893c4765bbb9f074270c3cef2aa4df5225038919] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: Invalid version of beats protocol: -12
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode( ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed( ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed( ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelInactive( ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
	at ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
	at$300( ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
	at$ ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
	at ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$ [netty-all-4.1.49.Final.jar:4.1.49.Final]
	at io.netty.util.internal.ThreadExecutorMap$ [netty-all-4.1.49.Final.jar:4.1.49.Final]
	at [netty-all-4.1.49.Final.jar:4.1.49.Final]
	at [?:?]
Caused by: Invalid version of beats protocol: -12
	at ~[logstash-input-beats-6.0.11.jar:?]
	at ~[logstash-input-beats-6.0.11.jar:?]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection( ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode( ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
	... 11 more

Here is filbeat config:

# ============================== General ==============================
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
name: "filebeat-kibana"

# ============================== Paths ==============================
path.home: "/app/global/filebeat/filebeat-7.9.2" "/app/products/filebeat/data"
path.config: "/app/products/filebeat/conf"
path.logs: "/app/products/filebeat/logs"

# ============================== Filebeat inputs ==============================
  enabled: true
  path: /app/products/filebeat/conf/prospectors.d/*.yml

# ================================== Filebeat Outputs ===================================
# ------------------------------ Logstash Output -------------------------------

    hosts: ["", ""]
    loadbalance: true

# ================================== Logging ===================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
logging.level: info
logging.to_files: true
logging.to_syslog: false
    name: filebeat.log
    permissions: 0644
    keepfiles: 30
    interval: 24h

What is your logstash configuration ? Input -> Filter -> Output

There is no error for sure )

We have several other beats delivering to our system having different version.


input {
  beats {
    port => 5044
    host => "ip_of_server"

Filter pipelines we have many currently so I will not pass here.

Is it this single address generating the errors?

That is the address of filebeat instance which also has issues.
2021-09-27T17:30:43.123+0200 ERROR [logstash] logstash/async.go:280 Failed to publish events caused by: write tcp> write: connection reset by peer

Can you share the filters and output? Alternatively, for a test, leave out the filters for now and see what errors are generated.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.