Hi Guys , I got Error whe I connect remote filebeat with logstash

Elastic Stack Logstash
1

2020-05-20T21:41:56.637+1000 ERROR [logstash] logstash/async.go:279 Failed to publish events caused by: write tcp 192.168.110.144:51994->192.168.110.143:5044: write: connection reset by peer
2020-05-20T21:41:57.783+1000 ERROR [publisher_pipeline_output] pipeline/output.go:127 Failed to publish events: write tcp 192.168.110.144:51994->192.168.110.143:5044: write: connection reset by peer
2020-05-20T21:41:57.783+1000 INFO [publisher_pipeline_output] pipeline/output.go:101 Connecting to backoff(async(tcp://192.168.110.143:5044))
2020-05-20T21:41:57.783+1000 INFO [publisher_pipeline_output] pipeline/output.go:111 Connection to backoff(async(tcp://192.168.110.143:5044)) established
2020-05-20T21:42:10.621+1000 INFO [monitoring] log/log.go:145 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":130,"time":{"ms":7}},"total":{"ticks":250,"time":{"ms":20},"value":250},"user":{"ticks":120,"time":{"ms":13}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":11},"info":{"ephemeral_id":"ade76f61-0f2e-4a69-98f1-63c3a37ba14e","uptime":{"ms":180597}},"memstats":{"gc_next":13648032,"memory_alloc":8564328,"memory_total":20892624},"runtime":{"goroutines":29}},"filebeat":{"events":{"added":3,"done":3},"harvester":{"files":{"38e0250b-891f-44e2-b507-4089e04cd9ee":{"last_event_published_time":"2020-05-20T21:41:55.635Z","last_event_timestamp":"2020-05-20T21:41:55.635Z","read_offset":462}},"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":3,"batches":2,"failed":3,"total":6},"read":{"bytes":6},"write":{"bytes":787,"errors":1}},"pipeline":{"clients":1,"events":{"active":0,"published":3,"retry":6,"total":3},"queue":{"acked":3}}},"registrar":{"states":{"current":1,"update":3},"writes":{"success":1,"total":1}},"system":{"load":{"1":0.03,"15":0.08,"5":0.09,"norm":{"1":0.03,"15":0.08,"5":0.09}}}}}}

I try to use remote server with filebeat to communicate with logstash, but seems logstatch can not receive the log files from remote filebeat

all the compoments is version 7.7 and I already close firewall and selinux.

logstatsh server is 192.168.110.143 and filebeat server is 192.168.110.144

netstats of filebeat is

[root@s03e01elk04 ~]# netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp6 0 0 ::1:323 :::*

and

netstats of logstash is

[root@s03e01elk03 ~]# netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp6 0 0 127.0.0.1:9600 :::* LISTEN
tcp6 0 0 :::5044 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp6 0 0 ::1:323 :::*

Can you help me ? Thanks

2

logstash.conf is

input {
beats {
host => "0.0.0.0"
port => 5044
}
}

filter {
grok {
match => {
"message" => '(?[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}) - - [(?[^ ]+ +[0-9]+)] "(?[A-Z]+) (?[^ ]+) HTTP/\d.\d" (?[0-9]+) (?[0-9]+) "[^"]+" "(?[^"]+)"'
}
remove_field => ["message","@version","path"]
}
date {
match => ["requesttime", "dd/MMM/yyyy:HH:mm:ss Z"]
target => "@timestamp"
}
}

output{
elasticsearch{
hosts=>["http://192.168.110.142:9200"]
}
}

3

filebeat.yml is

filebeat.inputs:

Each - is an input. Most options can be set at the input level, so

you can use different inputs for various configurations.

Below are the input specific configurations.

  • type: log

    Change to true to enable this input configuration.

    enabled: true
    #tail_files: true
    #backoff: "1s"

    Paths that should be crawled and fetched. Glob based paths.

    paths:

    • /usr/local/nginx/logs/access.log
      #- c:\programdata\elasticsearch\logs*
      output.logstash:

    The Logstash hosts

    hosts: ["192.168.110.143:5044"]

4

are you able to telnet to port 5044 on your logstash from your filebeat server to eliminate connectivity issue ?

also test the logstash output from filebeat by

filebeat -c <filebeat-config> test output

5

Hi ptamba

Thank you for your reply

are you able to telnet to port 5044 on your logstash from your filebeat server to eliminate connectivity issue ?

Result:

[root@s03e01elk04 xinetd.d]# telnet 192.168.110.143
Trying 192.168.110.143...
telnet: connect to address 192.168.110.143: Connection refused
[root@s03e01elk04 xinetd.d]# telnet 192.168.110.143 5044
Trying 192.168.110.143...
Connected to 192.168.110.143.
Escape character is '^]'.
^CConnection closed by foreign host.

also test the logstash output from filebeat by

filebeat -c <filebeat-config> test output

Result:

logstash: 192.168.110.143:5044...
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.110.143
dial up... OK
TLS... WARN secure connection disabled
talk to server... OK

Do you have any ideas? Thanks

6

your connectivity looks ok. any error on your logstash logs?

also please user markups when pasting logs or config with the </> button

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.