Getting " ERR Failed to publish events caused by: lumberjack protocol error" in Filebeat

Elastic Stack Beats
1

Hi,

I am trying to implement ELK with filebeat in some of my servers, As of now i am trying it locally.
When ever i am trying to start the filebeat to send the logs to my logstash its throwing " ERR Failed to publish events caused by: lumberjack protocol error"

-------------Filebeat.yml------------
filebeat.prospectors:

  • input_type: log
    • C:\Users\vineetsh\Downloads\ELK\LogStable\ELK\Logs\CRM*

output.logstash:
hosts: ["10.19.121.98:9600"]

--------------logstash.conf---------------------
input {
beats {
type => beats
port => 5044
host => "10.19.121.98"
}
}

----------Fliebeat Logs---------------------------
C:\Users\vineetsh\Downloads\ELK\LogStable\ELK\filebeat-5.6.3-linux-x86_64>filebeat.exe -e -c filebeat.yml
2017/11/06 11:09:11.600876 beat.go:297: INFO Home path: [C:\Users\vineetsh\Downloads\ELK\LogStable\ELK\filebeat-5.6.3-linux-x86_64] Config path: [C:\Users\vinee
tsh\Downloads\ELK\LogStable\ELK\filebeat-5.6.3-linux-x86_64] Data path: [C:\Users\vineetsh\Downloads\ELK\LogStable\ELK\filebeat-5.6.3-linux-x86_64\data] Logs pa
th: [C:\Users\vineetsh\Downloads\ELK\LogStable\ELK\filebeat-5.6.3-linux-x86_64\logs]
2017/11/06 11:09:11.600876 metrics.go:23: INFO Metrics logging every 30s
2017/11/06 11:09:11.600876 beat.go:192: INFO Setup Beat: filebeat; Version: 5.6.3
2017/11/06 11:09:11.600876 logstash.go:90: INFO Max Retries set to: 3
2017/11/06 11:09:11.601376 outputs.go:108: INFO Activated logstash as output plugin.
2017/11/06 11:09:11.601376 publish.go:300: INFO Publisher name: vineetsh02
2017/11/06 11:09:11.604876 async.go:63: INFO Flush Interval set to: 1s
2017/11/06 11:09:11.604876 async.go:64: INFO Max Bulk Size set to: 2048
2017/11/06 11:09:11.605376 beat.go:233: INFO filebeat start running.
2017/11/06 11:09:11.605376 registrar.go:68: INFO No registry file found under: C:\Users\vineetsh\Downloads\ELK\LogStable\ELK\filebeat-5.6.3-linux-x86_64\data\re
gistry. Creating a new registry file.
2017/11/06 11:09:11.609376 registrar.go:106: INFO Loading registrar data from C:\Users\vineetsh\Downloads\ELK\LogStable\ELK\filebeat-5.6.3-linux-x86_64\data\reg
istry
2017/11/06 11:09:11.609376 registrar.go:123: INFO States Loaded from registrar: 0
2017/11/06 11:09:11.609876 crawler.go:38: INFO Loading Prospectors: 1
2017/11/06 11:09:11.609876 registrar.go:236: INFO Starting Registrar
2017/11/06 11:09:11.609876 sync.go:41: INFO Start sending events to output
2017/11/06 11:09:11.609876 spooler.go:63: INFO Starting spooler: spool_size: 2048; idle_timeout: 5s
2017/11/06 11:09:11.609876 prospector_log.go:65: INFO Prospector with previous states loaded: 0
2017/11/06 11:09:11.609876 prospector.go:124: INFO Starting prospector of type: log; id: 14302591776508246079
2017/11/06 11:09:11.610376 crawler.go:58: INFO Loading and starting Prospectors completed. Enabled prospectors: 1
2017/11/06 11:09:11.611376 log.go:91: INFO Harvester started for file: C:\Users\vineetsh\Downloads\ELK\LogStable\ELK\Logs\CRM\CRMServer_3_2.log
2017/11/06 11:09:11.611876 log.go:91: INFO Harvester started for file: C:\Users\vineetsh\Downloads\ELK\LogStable\ELK\Logs\CRM\CRMServer_1_1.log
2017/11/06 11:09:11.611876 log.go:91: INFO Harvester started for file: C:\Users\vineetsh\Downloads\ELK\LogStable\ELK\Logs\CRM\CRMServer_1_2.log
2017/11/06 11:09:11.612376 log.go:91: INFO Harvester started for file: C:\Users\vineetsh\Downloads\ELK\LogStable\ELK\Logs\CRM\CRMServer_2_1.log
2017/11/06 11:09:11.612876 log.go:91: INFO Harvester started for file: C:\Users\vineetsh\Downloads\ELK\LogStable\ELK\Logs\CRM\CRMServer_2_2.log
2017/11/06 11:09:11.613876 log.go:91: INFO Harvester started for file: C:\Users\vineetsh\Downloads\ELK\LogStable\ELK\Logs\CRM\CRMServer_3_1.log
2017/11/06 11:09:11.655376 sync.go:85: ERR Failed to publish events caused by: lumberjack protocol error
2017/11/06 11:09:11.655376 single.go:91: INFO Error publishing events (retrying): lumberjack protocol error
2017/11/06 11:09:12.660876 sync.go:85: ERR Failed to publish events caused by: lumberjack protocol error
2017/11/06 11:09:12.661376 single.go:91: INFO Error publishing events (retrying): lumberjack protocol error
2017/11/06 11:09:14.665376 sync.go:85: ERR Failed to publish events caused by: lumberjack protocol error
2017/11/06 11:09:14.665376 single.go:91: INFO Error publishing events (retrying): lumberjack protocol error
2017/11/06 11:09:18.669876 sync.go:85: ERR Failed to publish events caused by: lumberjack protocol error
2017/11/06 11:09:18.670376 single.go:91: INFO Error publishing events (retrying): lumberjack protocol error
2017/11/06 11:09:26.674876 sync.go:85: ERR Failed to publish events caused by: lumberjack protocol error
2017/11/06 11:09:26.674876 single.go:91: INFO Error publishing events (retrying): lumberjack protocol error
2017/11/06 11:09:41.597876 metrics.go:39: INFO Non-zero metrics in the last 30s: filebeat.harvester.open_files=6 filebeat.harvester.running=6 filebeat.harvester
.started=6 libbeat.logstash.call_count.PublishEvents=5 libbeat.logstash.publish.read_bytes=30 libbeat.logstash.publish.write_bytes=2092 libbeat.logstash.publish
ed_but_not_acked_events=10210 libbeat.publisher.published_events=2042 registrar.writes=1
2017/11/06 11:09:42.679376 sync.go:85: ERR Failed to publish events caused by: lumberjack protocol error
2017/11/06 11:09:42.679876 single.go:91: INFO Error publishing events (retrying): lumberjack protocol error

2

This should connect to the beats input on port 5044.

3

So this need to change to hosts: ["10.19.121.98:5044"] in filebeat.yml?

4

Yes.

5

Thanks, it worked :grinning:

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.