Invalid version of beats protocol: 69

Elastic Stack Logstash
1

Hello,
I'm completely new to ELK.
I'm reading the doc and try to execute this:

But i got an error from logstash:

[2023-12-21T23:21:37,978][WARN ][io.netty.channel.DefaultChannelPipeline][main][c6b88577022f3da3a783802482eb011c4d6a9c88794e0502ef15d9211cb97fcf] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 69
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:499) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:426) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:393) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelInactive(ByteToMessageDecoder.java:376) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:305) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.channel.AbstractChannelHandlerContext.access$300(AbstractChannelHandlerContext.java:61) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.channel.AbstractChannelHandlerContext$4.run(AbstractChannelHandlerContext.java:286) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173) ~[netty-common-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66) ~[netty-common-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) [netty-common-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-common-4.1.100.Final.jar:4.1.100.Final]
        at java.lang.Thread.run(Thread.java:840) [?:?]
Caused by: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 69
        at org.logstash.beats.Protocol.version(Protocol.java:22) ~[logstash-input-beats-6.7.2.jar:?]
        at org.logstash.beats.BeatsParser.decode(BeatsParser.java:62) ~[logstash-input-beats-6.7.2.jar:?]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]

logstash and filebeat run on the same server.
This is my filebeat.yml:

- type: log
  paths:
    - /path/to/file/logstash-tutorial.log
output.logstash:
  hosts: ["localhost:5044"]

I start filebeat this way:

/usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -d "publish"

After that i start logstash:

/usr/share/logstash/bin/logstash --path.settings /etc/logstash/ -f /etc/logstash/first-pipeline.conf --config.reload.automatic

This is my first-pipeline.conf:

input {
  beats {
    ssl => "false"
    port => "5044"
  }
}

# The filter part of this file is commented out to indicate that it is
# optional.
# filter {
#
# }

output {
  stdout { codec => rubydebug }
}

Then i get the error.
When i first start logstash and afterwards

root@suricata:/etc/filebeat# /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml test output

then i get:

{"log.level":"info","@timestamp":"2023-12-21T23:33:25.358+0100","log.origin":{"file.name":"instance/beat.go","file.line":806},"message":"Home path: [/usr/share/filebeat/bin] Config path: [/usr/share/filebeat/bin] Data path: [/usr/share/filebeat/bin/data] Logs path: [/usr/share/filebeat/bin/logs]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-12-21T23:33:25.358+0100","log.origin":{"file.name":"instance/beat.go","file.line":814},"message":"Beat ID: d64a8bc7-2c9f-4ac7-a499-7daa78227552","service.name":"filebeat","ecs.version":"1.6.0"}
logstash: localhost:5044...
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK

I saw other postings to this problem but they didn't help me.

Thanks for any help.

Bernd

2

Hi @e-ferrari Welcome to the community.

Is that your entire filebeat.yml? if so you are missing the first line

filebeat.inputs:
- type: log
  paths:
    - /path/to/file/logstash-tutorial.log 
output.logstash:
  hosts: ["localhost:5044"]

And What version are all the components...
And did you make sure you downloaded the correct components for your architecture / OS

3

The log you shared is not an ERROR, it is an WARN, this means that something is not correct, but things should work as expected.

You didn't say if you are getting any output in Logstash or not, are you getting output from your filebeat?

4

Is that your entire filebeat.yml? if so you are missing the first line
No, i have the first line. I just didn't copy it.

And What version are all the components...
filebeat: 8.11.3
logstash: 8.11.3-1
elasticsearch 8.11.3
And did you make sure you downloaded the correct components for your architecture / OS
yes. I followed the instructions from Elastic documentation | Elastic .

Bernd

5

But are you getting any data in Logstash? You didn't answer that.

The configuration you shared would not generate this warning as this warning means that there is something trying to connect to your logstash beats input without using the beats protocol.

6

I tried to give you the desired information but currently we have network problems and i can't connect the servers.
As soon it will work again i'll give you an answer.

Bernd

7

This is an excerpt from the output from filebeat:

{"log.level":"info","@timestamp":"2024-01-01T13:17:19.068+0100","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":82104320}}}},"cpu":{"system":{"ticks":50},"total":{"ticks":150,"time":{"ms":10},"value":150},"user":{"ticks":100,"time":{"ms":10}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":10},"info":{"ephemeral_id":"dff244c2-d37a-4b57-9a34-4859b1d93e94","uptime":{"ms":180071},"version":"8.11.3"},"memstats":{"gc_next":36429848,"memory_alloc":18554936,"memory_total":63315272,"rss":111144960},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":4.94,"15":4.39,"5":4.56,"norm":{"1":0.6175,"15":0.5488,"5":0.57}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-01-01T13:17:49.068+0100","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":82206720}}}},"cpu":{"system":{"ticks":50},"total":{"ticks":150,"value":150},"user":{"ticks":100}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":10},"info":{"ephemeral_id":"dff244c2-d37a-4b57-9a34-4859b1d93e94","uptime":{"ms":210070},"version":"8.11.3"},"memstats":{"gc_next":36429848,"memory_alloc":18820408,"memory_total":63580744,"rss":111689728},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":4.88,"15":4.41,"5":4.58,"norm":{"1":0.61,"15":0.5513,"5":0.5725}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-01-01T13:18:19.068+0100","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":82223104}}}},"cpu":{"system":{"ticks":50},"total":{"ticks":150,"value":150},"user":{"ticks":100}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":10},"info":{"ephemeral_id":"dff244c2-d37a-4b57-9a34-4859b1d93e94","uptime":{"ms":240071},"version":"8.11.3"},"memstats":{"gc_next":36429848,"memory_alloc":18950520,"memory_total":63710856,"rss":111689728},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":4.57,"15":4.4,"5":4.54,"norm":{"1":0.5713,"15":0.55,"5":0.5675}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-01-01T13:18:49.069+0100","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":67952640}}}},"cpu":{"system":{"ticks":50},"total":{"ticks":170,"time":{"ms":20},"value":170},"user":{"ticks":120,"time":{"ms":20}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":10},"info":{"ephemeral_id":"dff244c2-d37a-4b57-9a34-4859b1d93e94","uptime":{"ms":270072},"version":"8.11.3"},"memstats":{"gc_next":36371712,"memory_alloc":17888912,"memory_total":63975128,"rss":97726464},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":4.57,"15":4.4,"5":4.54,"norm":{"1":0.5713,"15":0.55,"5":0.5675}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-01-01T13:19:19.068+0100","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":68014080}}}},"cpu":{"system":{"ticks":60,"time":{"ms":10}},"total":{"ticks":180,"time":{"ms":10},"value":180},"user":{"ticks":120}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":10},"info":{"ephemeral_id":"dff244c2-d37a-4b57-9a34-4859b1d93e94","uptime":{"ms":300071},"version":"8.11.3"},"memstats":{"gc_next":36371712,"memory_alloc":18152992,"memory_total":64239208,"rss":97726464},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":5.25,"15":4.46,"5":4.71,"norm":{"1":0.6563,"15":0.5575,"5":0.5888}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-01-01T13:19:49.068+0100","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":68071424}}}},"cpu":{"system":{"ticks":60},"total":{"ticks":180,"value":180},"user":{"ticks":120}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":10},"info":{"ephemeral_id":"dff244c2-d37a-4b57-9a34-4859b1d93e94","uptime":{"ms":330071},"version":"8.11.3"},"memstats":{"gc_next":36371712,"memory_alloc":18413408,"memory_total":64499624,"rss":98205696},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":5.03,"15":4.47,"5":4.71,"norm":{"1":0.6288,"15":0.5588,"5":0.5888}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-01-01T13:20:19.068+0100","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":68108288}}}},"cpu":{"system":{"ticks":60},"total":{"ticks":190,"time":{"ms":10},"value":190},"user":{"ticks":130,"time":{"ms":10}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":10},"info":{"ephemeral_id":"dff244c2-d37a-4b57-9a34-4859b1d93e94","uptime":{"ms":360071},"version":"8.11.3"},"memstats":{"gc_next":36371712,"memory_alloc":18785704,"memory_total":64871920,"rss":98205696},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":5.15,"15":4.5,"5":4.77,"norm":{"1":0.6438,"15":0.5625,"5":0.5962}}}},"ecs.version":"1.6.0"}}

This is my output immediately after starting logstash:

/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_int
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_f
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2024-01-01T13:23:05,712][INFO ][logstash.runner          ] Log4j configuration path used is: /etc/logstash/log4j2.properties
[2024-01-01T13:23:05,719][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.11.3", "jruby.version"=>"jruby 9.4.5.0 (3.1.4) 2023-11-02 1abae2700f OpenJDK 64-Bit Server VM 17.0.9+9 on 17.0.9+9 +indy +jit [x86_64-linux]"}
[2024-01-01T13:23:05,721][INFO ][logstash.runner          ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
[2024-01-01T13:23:06,005][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2024-01-01T13:23:06,552][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2024-01-01T13:23:06,860][INFO ][org.reflections.Reflections] Reflections took 136 ms to scan 1 urls, producing 131 keys and 463 values
[2024-01-01T13:23:07,912][WARN ][logstash.inputs.beats    ] You are using a deprecated config setting "ssl" set in beats. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Use 'ssl_enabled' instead. If you have any questions about this, please visit the #logstash channel on freenode irc. {:name=>"ssl", :plugin=><LogStash::Inputs::Beats port=>5044, ssl=>false, id=>"c6b88577022f3da3a783802482eb011c4d6a9c88794e0502ef15d9211cb97fcf", enable_metric=>true, debug=>false, codec=><LogStash::Codecs::Plain id=>"plain_dd502885-d4f7-48d3-83a5-9a3b1a07e7da", enable_metric=>true, charset=>"UTF-8">, host=>"0.0.0.0", ssl_enabled=>false, ssl_client_authentication=>"none", ssl_verify_mode=>"none", ssl_peer_metadata=>false, include_codec_tag=>true, ssl_handshake_timeout=>10000, ssl_cipher_suites=>["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"], ssl_supported_protocols=>["TLSv1.2", "TLSv1.3"], client_inactivity_timeout=>60, executor_threads=>8, add_hostname=>false, tls_min_version=>1, tls_max_version=>1.3>}
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/amazing_print-1.5.0/lib/amazing_print/formatter.rb:37: warning: previous definition of cast was here
[2024-01-01T13:23:08,169][INFO ][logstash.javapipeline    ] Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
[2024-01-01T13:23:08,206][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1000, "pipeline.sources"=>["/etc/logstash/first-pipeline.conf"], :thread=>"#<Thread:0x3a785da0 /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-01-01T13:23:08,819][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>0.61}
[2024-01-01T13:23:08,832][INFO ][logstash.inputs.beats    ][main] Starting input listener {:address=>"0.0.0.0:5044"}
[2024-01-01T13:23:08,837][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
[2024-01-01T13:23:08,845][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2024-01-01T13:23:08,909][INFO ][org.logstash.beats.Server][main][c6b88577022f3da3a783802482eb011c4d6a9c88794e0502ef15d9211cb97fcf] Starting server on port: 5044

This is what i get after some seconds:

         "event" => {
        "original" => "71.212.224.97 - - [04/Jan/2015:05:27:35 +0000] \"GET /images/web/2009/banner.png HTTP/1.1\" 200 52315 \"http://www.semicomplete.com/projects/xdotool/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36\""
    },
       "message" => "71.212.224.97 - - [04/Jan/2015:05:27:35 +0000] \"GET /images/web/2009/banner.png HTTP/1.1\" 200 52315 \"http://www.semicomplete.com/projects/xdotool/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36\"",
           "log" => {
          "file" => {
            "path" => "/root/logstash-tutorial.log"
        },
        "offset" => 20928
    },
         "input" => {
        "type" => "log"
    }
}
{
          "host" => {
        "name" => "suricata"
    },
          "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
         "agent" => {
                "name" => "suricata",
        "ephemeral_id" => "8f8e1d38-dff4-4e03-a8cd-888be0701520",
             "version" => "8.11.3",
                  "id" => "62ed2743-a0d9-485e-931b-da7c6c44c027",
                "type" => "filebeat"
    },
    "@timestamp" => 2023-12-25T12:07:03.235Z,
      "@version" => "1",
           "ecs" => {
        "version" => "8.0.0"
    },
         "event" => {
        "original" => "198.46.149.143 - - [04/Jan/2015:05:29:13 +0000] \"GET /blog/geekery/disabling-battery-in-ubuntu-vms.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+semicomplete%2Fmain+%28semicomplete.com+-+Jordan+Sissel%29 HTTP/1.1\" 200 9316 \"-\" \"Tiny Tiny RSS/1.11 (http://tt-rss.org/)\""
    },
       "message" => "198.46.149.143 - - [04/Jan/2015:05:29:13 +0000] \"GET /blog/geekery/disabling-battery-in-ubuntu-vms.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+semicomplete%2Fmain+%28semicomplete.com+-+Jordan+Sissel%29 HTTP/1.1\" 200 9316 \"-\" \"Tiny Tiny RSS/1.11 (http://tt-rss.org/)\"",
           "log" => {
        "offset" => 22508,
          "file" => {
            "path" => "/root/logstash-tutorial.log"
        }
    },
         "input" => {
        "type" => "log"
    }

It seems to work. Isn't it ?

Bernd

8

If you are not using SSL, just not set.

input {
  beats {
    port => "5044"
  }
}

The "ssl" parameter is depricated. Should be used: ssl_enabled

9

I'm confused. I can't manage it to run properly again.
I start tcpdump this way:
tcpdump -i lo -vv host 127.0.0.1 and port 5044
Afterwards i start filebeat this way:
/usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -d "publish"
But i don't get network packets to port 5044 !?!
But there should be some.
If i do:
/usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml test output
I get some packets.
When i issue the filebeat command, does the service need to be running ?
Why does the command doesn't send network packets ?

10

If that file has already been read, then nothing will be sent... filebeat does not reread files every time you re-start it; that is by design.

You can

  1. Add lines to the log file and save it
  2. read another file
  3. clean out the filebeat data registry if you are just testing ...
11

Hi Stephen,
thanks for this information. I assumed something like this already.

Bernd

12

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.