I put Filebeat on a prod box and cannot get Filebeat to push to Logstash on my elkserver box. I am getting the below error from the filebeat.log file:
INFO Error publishing events (retrying): read tcp IP:45790->ELK_IP:5044: read: connection reset by peer
Telnet works for that ip:5044. I tried making the IP addresses match in filebeat.yml and the Logstash config, but it does not work. Logstash only seems to work if host is localhost. I see nothing in the logs telling me what the issue is. Telnet to port 5044 works, so I am at a loss to understand why Filebeat cannot push a log.
filebeat.yml from Prod box:
...
#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]
  hosts: ["xx.0.0.xxx:5044"]
  tls:
    # List of root certificates for HTTPS server verifications
    certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"
  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"
#================================ Logging =====================================
...
Logstash config from my elkserver box:
cat /etc/logstash/conf.d/02-beats-input.conf
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
cat /etc/logstash/conf.d/30-elasticsearch-output.conf
output {
  elasticsearch {
    hosts => ["xx.0.0.xxx:9200"]
    #hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
I think it is something between the yml and the output config, but I cannot figure out how to get it working.