I/o timeout filebeat when send data to logstash

Eti_Huri · January 18, 2021, 11:05am

Hi all:)
I have my logstash vm and my application vm, they don't run in the same subnet
I am trying send logs from my vm application to logstash vm
this is my filebeat.yml

    filebeat.inputs:
    - type: log
      paths:
        - /home/ubuntu/releases/1.1.0/utsoft_fe/server/opdata/log/sql.log
    output.logstash:
        hosts: ["{logstash public ip}:5044"]
        enabled: true

and here my logstah.conf:

input {
    beats {
        port => "5044"
	host => "{private ip}"
	codec => plain {
		charset => "US-ASCII"
	}
    }
}
 filter {}
    output {
        elasticsearch {
            hosts => ["http://{public ip}:9200"]
        	user => "elastic"
        	password => '{my password}'
        }

        stdout{codec=> rubydebug}
    }

when I run the filebeat I get :
Failed to connect to backoff(async(tcp://{}:5044)): dial tcp {}:5044: i/o timeout
when I run "sudo ./filebeat test output"
I get

  connection...
    parse host... OK
    dns lookup... OK
    addresses: {logstah public ip}
    dial up... ERROR dial tcp {logstah public ip}:5044: i/o timeout

when I start logstah I get:

    [INFO ] 2021-01-18 10:37:32.809 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>2.76}
    [INFO ] 2021-01-18 10:37:33.097 [[main]-pipeline-manager] beats - Starting input listener {:address=>"10.0.2.10:5044"}
    [INFO ] 2021-01-18 10:37:33.162 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
    [INFO ] 2021-01-18 10:37:33.397 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
    [INFO ] 2021-01-18 10:37:33.756 [[main]<beats] Server - Starting server on port: 5044

when I check in logstah vm if I received the packages with this command:
"sudo tcpdump -Xni eth0 port 5044"

I can see the pachages for example:

"10:49:34.806583 IP {my app vm}.53790 > 10.0.2.10.5044: Flags [S], seq 2443882348, win 64240, options [mss 1440,sackOK,TS val 394395986 ecr 0,nop,wscale 7], length 0
        0x0000:  4500 003c e27d 4000 3006 1dc0 0d43 3132  E..<.}@.0....C12
        0x0010:  0a00 020a d21e 13b4 91aa af6c 0000 0000  ...........l....
        0x0020:  a002 faf0 c2e6 0000 0204 05a0 0402 080a  ................
        0x0030:  1782 0152 0000 0000 0103 0307            ...R........
"

I tried to add ssl but it dosen't work

versions:
logstash 7.10.0
filebeat version 7.10.1
logstash-input-beats (6.0.13)

any ideas?
thanks

mtojek · January 18, 2021, 2:43pm

Could you check connectivity with logstash using telnet?

Eti_Huri · January 18, 2021, 2:56pm

if I run telnet {logstash_public_ip} 5044 I received: connection timeout
but when I run telnet {logstash_private_ip} 5044 from logstash vm I get

Copy to clipboard

Trying 10.0.2.10...
Connected to 10.0.2.10.
Escape character is '^]'.

mtojek · January 18, 2021, 3:14pm

It means that this is not an issue with Beats, but with your networking stack. I don't know if you're running this on a cloud provider or not, but you need to configure routing or filewall rules.

Eti_Huri · January 20, 2021, 7:49am

I create a new machine and installed there a logstash.
now everything work, thank you:)

system · February 17, 2021, 7:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.