Hi guys, I got an error when I connect a remote Filebeat to Logstash.

2020-05-20T21:41:56.637+1000 ERROR [logstash] logstash/async.go:279 Failed to publish events caused by: write tcp 192.168.110.144:51994->192.168.110.143:5044: write: connection reset by peer
2020-05-20T21:41:57.783+1000 ERROR [publisher_pipeline_output] pipeline/output.go:127 Failed to publish events: write tcp 192.168.110.144:51994->192.168.110.143:5044: write: connection reset by peer
2020-05-20T21:41:57.783+1000 INFO [publisher_pipeline_output] pipeline/output.go:101 Connecting to backoff(async(tcp://192.168.110.143:5044))
2020-05-20T21:41:57.783+1000 INFO [publisher_pipeline_output] pipeline/output.go:111 Connection to backoff(async(tcp://192.168.110.143:5044)) established
2020-05-20T21:42:10.621+1000 INFO [monitoring] log/log.go:145 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":130,"time":{"ms":7}},"total":{"ticks":250,"time":{"ms":20},"value":250},"user":{"ticks":120,"time":{"ms":13}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":11},"info":{"ephemeral_id":"ade76f61-0f2e-4a69-98f1-63c3a37ba14e","uptime":{"ms":180597}},"memstats":{"gc_next":13648032,"memory_alloc":8564328,"memory_total":20892624},"runtime":{"goroutines":29}},"filebeat":{"events":{"added":3,"done":3},"harvester":{"files":{"38e0250b-891f-44e2-b507-4089e04cd9ee":{"last_event_published_time":"2020-05-20T21:41:55.635Z","last_event_timestamp":"2020-05-20T21:41:55.635Z","read_offset":462}},"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":3,"batches":2,"failed":3,"total":6},"read":{"bytes":6},"write":{"bytes":787,"errors":1}},"pipeline":{"clients":1,"events":{"active":0,"published":3,"retry":6,"total":3},"queue":{"acked":3}}},"registrar":{"states":{"current":1,"update":3},"writes":{"success":1,"total":1}},"system":{"load":{"1":0.03,"15":0.08,"5":0.09,"norm":{"1":0.03,"15":0.08,"5":0.09}}}}}}

I am trying to use a remote server with Filebeat to communicate with Logstash, but it seems Logstash cannot receive the log files from the remote Filebeat.

All the components are version 7.7 and I already closed the firewall and SELinux.

The Logstash server is 192.168.110.143 and the Filebeat server is 192.168.110.144.

netstat of Filebeat is

[root@s03e01elk04 ~]# netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp6 0 0 ::1:323 :::*

and

netstat of Logstash is

[root@s03e01elk03 ~]# netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp6 0 0 127.0.0.1:9600 :::* LISTEN
tcp6 0 0 :::5044 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp6 0 0 ::1:323 :::*

Can you help me? Thanks

logstash.conf is

```
input {
  beats {
    host => "0.0.0.0"
    port => 5044
  }
}

filter {
  grok {
    match => {
      "message" => '(?[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}) - - [(?[^ ]+ +[0-9]+)] "(?[A-Z]+) (?[^ ]+) HTTP/\d.\d" (?[0-9]+) (?[0-9]+) "[^"]+" "(?[^"]+)"'
    }
    remove_field => ["message","@version","path"]
  }
  date {
    match => ["requesttime", "dd/MMM/yyyy:HH:mm:ss Z"]
    target => "@timestamp"
  }
}

output {
  elasticsearch {
    hosts => ["http://192.168.110.142:9200"]
  }
}
```

filebeat.yml is

```yaml
filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: true
  #tail_files: true
  #backoff: "1s"

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /usr/local/nginx/logs/access.log
    #- c:\programdata\elasticsearch\logs*

output.logstash:
  # The Logstash hosts
  hosts: ["192.168.110.143:5044"]
```

Are you able to telnet to port 5044 on your Logstash from your Filebeat server to eliminate a connectivity issue?

Also test the Logstash output from Filebeat with:

filebeat -c <filebeat-config> test output

Hi ptamba

Thank you for your reply

Are you able to telnet to port 5044 on your Logstash from your Filebeat server to eliminate a connectivity issue?

Result:

[root@s03e01elk04 xinetd.d]# telnet 192.168.110.143
Trying 192.168.110.143...
telnet: connect to address 192.168.110.143: Connection refused
[root@s03e01elk04 xinetd.d]# telnet 192.168.110.143 5044
Trying 192.168.110.143...
Connected to 192.168.110.143.
Escape character is '^]'.
^CConnection closed by foreign host.

Also test the Logstash output from Filebeat with:

filebeat -c <filebeat-config> test output

Result:

logstash: 192.168.110.143:5044...
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.110.143
dial up... OK
TLS... WARN secure connection disabled
talk to server... OK

Do you have any ideas? Thanks

Your connectivity looks OK. Any errors in your Logstash logs?

Also, please use markup when pasting logs or config, with the </> button.
