Invalid version of beats protocol: 69

Hello,
I'm completely new to ELK.
I'm reading the doc and trying to execute this:

But I got an error from logstash:

[2023-12-21T23:21:37,978][WARN ][io.netty.channel.DefaultChannelPipeline][main][c6b88577022f3da3a783802482eb011c4d6a9c88794e0502ef15d9211cb97fcf] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 69
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:499) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:426) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:393) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelInactive(ByteToMessageDecoder.java:376) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:305) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.channel.AbstractChannelHandlerContext.access$300(AbstractChannelHandlerContext.java:61) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.channel.AbstractChannelHandlerContext$4.run(AbstractChannelHandlerContext.java:286) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173) ~[netty-common-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66) ~[netty-common-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) [netty-common-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-common-4.1.100.Final.jar:4.1.100.Final]
        at java.lang.Thread.run(Thread.java:840) [?:?]
Caused by: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 69
        at org.logstash.beats.Protocol.version(Protocol.java:22) ~[logstash-input-beats-6.7.2.jar:?]
        at org.logstash.beats.BeatsParser.decode(BeatsParser.java:62) ~[logstash-input-beats-6.7.2.jar:?]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]

logstash and filebeat run on the same server.
This is my filebeat.yml:

- type: log
  paths:
    - /path/to/file/logstash-tutorial.log
output.logstash:
  hosts: ["localhost:5044"]

I start filebeat this way:

/usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -d "publish"

After that I start logstash:

/usr/share/logstash/bin/logstash --path.settings /etc/logstash/ -f /etc/logstash/first-pipeline.conf --config.reload.automatic

This is my first-pipeline.conf:

input {
  beats {
    ssl => "false"
    port => "5044"
  }
}

# The filter part of this file is commented out to indicate that it is
# optional.
# filter {
#
# }

output {
  stdout { codec => rubydebug }
}

Then I get the error.
When I first start logstash and afterwards

root@suricata:/etc/filebeat# /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml test output

then I get:

{"log.level":"info","@timestamp":"2023-12-21T23:33:25.358+0100","log.origin":{"file.name":"instance/beat.go","file.line":806},"message":"Home path: [/usr/share/filebeat/bin] Config path: [/usr/share/filebeat/bin] Data path: [/usr/share/filebeat/bin/data] Logs path: [/usr/share/filebeat/bin/logs]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-12-21T23:33:25.358+0100","log.origin":{"file.name":"instance/beat.go","file.line":814},"message":"Beat ID: d64a8bc7-2c9f-4ac7-a499-7daa78227552","service.name":"filebeat","ecs.version":"1.6.0"}
logstash: localhost:5044...
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK

I saw other postings about this problem but they didn't help me.

Thanks for any help.

Bernd

Hi @e-ferrari Welcome to the community.

Is that your entire filebeat.yml? If so, you are missing the first line

filebeat.inputs:
- type: log
  paths:
    - /path/to/file/logstash-tutorial.log 
output.logstash:
  hosts: ["localhost:5044"]

And what version are all the components...
And did you make sure you downloaded the correct components for your architecture / OS?

The log you shared is not an ERROR, it is a WARN; this means that something is not correct, but things should work as expected.

You didn't say if you are getting any output in Logstash or not, are you getting output from your filebeat?

> Is that your entire filebeat.yml? if so you are missing the first line

No, I have the first line. I just didn't copy it.

> And What version are all the components...

filebeat: 8.11.3
logstash: 8.11.3-1
elasticsearch 8.11.3

> And did you make sure you downloaded the correct components for your architecture / OS

Yes. I followed the instructions from Elastic documentation | Elastic.

Bernd

But are you getting any data in Logstash? You didn't answer that.

The configuration you shared would not generate this warning as this warning means that there is something trying to connect to your logstash beats input without using the beats protocol.
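The number in this warning is the first byte the beats listener received, so it can be used to triage what kind of client connected. The sketch below is an added example, not code from the thread or from Logstash; it assumes valid beats frames start with ASCII '1' or '2' and that the logged value is a signed Java byte, and every sample line except the two carrying the value 69 is constructed.

```python
import re
from collections import Counter

PATTERN = re.compile(r"Invalid version of beats protocol: (-?\d+)")

# Assumption (Lumberjack framing used by Beats): a frame starts with an
# ASCII version byte, '1' or '2'.
VALID_VERSIONS = {ord("1"), ord("2")}

# First letters of common HTTP methods (GET, POST/PUT, HEAD, OPTIONS,
# DELETE); a hit suggests a health check or browser aimed at the port.
HTTP_INITIALS = {ord(c) for c in "GPHOD"}


def classify(logged: int) -> str:
    """Map the number printed in the warning to a likely kind of client."""
    b = logged & 0xFF  # Java bytes are signed: -1 in the log means 0xFF
    if b in VALID_VERSIONS:
        return "valid beats version byte"
    if b == 0x16:
        return "TLS handshake: client uses TLS, input is plaintext"
    if b in HTTP_INITIALS:
        return f"HTTP-like request starting with {chr(b)!r}"
    if 0x20 <= b < 0x7F:
        return f"plaintext, non-beats data starting with {chr(b)!r}"
    return f"binary, non-beats data starting with 0x{b:02x}"


def triage(lines):
    """Count warnings per (logged value, classification)."""
    counts = Counter()
    for line in lines:
        # The stack trace repeats the message on its "Caused by:" line;
        # skip it so each event is counted once.
        if line.lstrip().startswith("Caused by:"):
            continue
        m = PATTERN.search(line)
        if m:
            value = int(m.group(1))
            counts[(value, classify(value))] += 1
    return counts


# The first two lines are from the log in this thread; the rest are
# constructed samples covering other first bytes.
SAMPLE = [
    "io.netty.handler.codec.DecoderException: org.logstash.beats."
    "InvalidFrameProtocolException: Invalid version of beats protocol: 69",
    "Caused by: org.logstash.beats.InvalidFrameProtocolException: "
    "Invalid version of beats protocol: 69",
    "InvalidFrameProtocolException: Invalid version of beats protocol: 22",
    "InvalidFrameProtocolException: Invalid version of beats protocol: 71",
    "InvalidFrameProtocolException: Invalid version of beats protocol: -1",
]

if __name__ == "__main__":
    for (value, label), n in sorted(triage(SAMPLE).items()):
        print(f"{n}x  {value:>4}  {label}")
```

Pairing the result with the source address of the connection (for example from a packet capture on port 5044) identifies which client to reconfigure or block.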

I tried to give you the desired information but currently we have network problems and I can't connect to the servers.
As soon as it works again I'll give you an answer.

Bernd

This is an excerpt from the output from filebeat:

{"log.level":"info","@timestamp":"2024-01-01T13:17:19.068+0100","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":82104320}}}},"cpu":{"system":{"ticks":50},"total":{"ticks":150,"time":{"ms":10},"value":150},"user":{"ticks":100,"time":{"ms":10}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":10},"info":{"ephemeral_id":"dff244c2-d37a-4b57-9a34-4859b1d93e94","uptime":{"ms":180071},"version":"8.11.3"},"memstats":{"gc_next":36429848,"memory_alloc":18554936,"memory_total":63315272,"rss":111144960},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":4.94,"15":4.39,"5":4.56,"norm":{"1":0.6175,"15":0.5488,"5":0.57}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-01-01T13:17:49.068+0100","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":82206720}}}},"cpu":{"system":{"ticks":50},"total":{"ticks":150,"value":150},"user":{"ticks":100}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":10},"info":{"ephemeral_id":"dff244c2-d37a-4b57-9a34-4859b1d93e94","uptime":{"ms":210070},"version":"8.11.3"},"memstats":{"gc_next":36429848,"memory_alloc":18820408,"memory_total":63580744,"rss":111689728},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":4.88,"15":4.41,"5":4.58,"norm":{"1":0.61,"15":0.5513,"5":0.5725}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-01-01T13:18:19.068+0100","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":82223104}}}},"cpu":{"system":{"ticks":50},"total":{"ticks":150,"value":150},"user":{"ticks":100}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":10},"info":{"ephemeral_id":"dff244c2-d37a-4b57-9a34-4859b1d93e94","uptime":{"ms":240071},"version":"8.11.3"},"memstats":{"gc_next":36429848,"memory_alloc":18950520,"memory_total":63710856,"rss":111689728},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":4.57,"15":4.4,"5":4.54,"norm":{"1":0.5713,"15":0.55,"5":0.5675}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-01-01T13:18:49.069+0100","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":67952640}}}},"cpu":{"system":{"ticks":50},"total":{"ticks":170,"time":{"ms":20},"value":170},"user":{"ticks":120,"time":{"ms":20}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":10},"info":{"ephemeral_id":"dff244c2-d37a-4b57-9a34-4859b1d93e94","uptime":{"ms":270072},"version":"8.11.3"},"memstats":{"gc_next":36371712,"memory_alloc":17888912,"memory_total":63975128,"rss":97726464},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":4.57,"15":4.4,"5":4.54,"norm":{"1":0.5713,"15":0.55,"5":0.5675}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-01-01T13:19:19.068+0100","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":68014080}}}},"cpu":{"system":{"ticks":60,"time":{"ms":10}},"total":{"ticks":180,"time":{"ms":10},"value":180},"user":{"ticks":120}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":10},"info":{"ephemeral_id":"dff244c2-d37a-4b57-9a34-4859b1d93e94","uptime":{"ms":300071},"version":"8.11.3"},"memstats":{"gc_next":36371712,"memory_alloc":18152992,"memory_total":64239208,"rss":97726464},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":5.25,"15":4.46,"5":4.71,"norm":{"1":0.6563,"15":0.5575,"5":0.5888}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-01-01T13:19:49.068+0100","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":68071424}}}},"cpu":{"system":{"ticks":60},"total":{"ticks":180,"value":180},"user":{"ticks":120}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":10},"info":{"ephemeral_id":"dff244c2-d37a-4b57-9a34-4859b1d93e94","uptime":{"ms":330071},"version":"8.11.3"},"memstats":{"gc_next":36371712,"memory_alloc":18413408,"memory_total":64499624,"rss":98205696},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":5.03,"15":4.47,"5":4.71,"norm":{"1":0.6288,"15":0.5588,"5":0.5888}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-01-01T13:20:19.068+0100","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":68108288}}}},"cpu":{"system":{"ticks":60},"total":{"ticks":190,"time":{"ms":10},"value":190},"user":{"ticks":130,"time":{"ms":10}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":10},"info":{"ephemeral_id":"dff244c2-d37a-4b57-9a34-4859b1d93e94","uptime":{"ms":360071},"version":"8.11.3"},"memstats":{"gc_next":36371712,"memory_alloc":18785704,"memory_total":64871920,"rss":98205696},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":5.15,"15":4.5,"5":4.77,"norm":{"1":0.6438,"15":0.5625,"5":0.5962}}}},"ecs.version":"1.6.0"}}

This is my output immediately after starting logstash:

/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_int
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_f
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2024-01-01T13:23:05,712][INFO ][logstash.runner          ] Log4j configuration path used is: /etc/logstash/log4j2.properties
[2024-01-01T13:23:05,719][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.11.3", "jruby.version"=>"jruby 9.4.5.0 (3.1.4) 2023-11-02 1abae2700f OpenJDK 64-Bit Server VM 17.0.9+9 on 17.0.9+9 +indy +jit [x86_64-linux]"}
[2024-01-01T13:23:05,721][INFO ][logstash.runner          ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
[2024-01-01T13:23:06,005][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2024-01-01T13:23:06,552][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2024-01-01T13:23:06,860][INFO ][org.reflections.Reflections] Reflections took 136 ms to scan 1 urls, producing 131 keys and 463 values
[2024-01-01T13:23:07,912][WARN ][logstash.inputs.beats    ] You are using a deprecated config setting "ssl" set in beats. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Use 'ssl_enabled' instead. If you have any questions about this, please visit the #logstash channel on freenode irc. {:name=>"ssl", :plugin=><LogStash::Inputs::Beats port=>5044, ssl=>false, id=>"c6b88577022f3da3a783802482eb011c4d6a9c88794e0502ef15d9211cb97fcf", enable_metric=>true, debug=>false, codec=><LogStash::Codecs::Plain id=>"plain_dd502885-d4f7-48d3-83a5-9a3b1a07e7da", enable_metric=>true, charset=>"UTF-8">, host=>"0.0.0.0", ssl_enabled=>false, ssl_client_authentication=>"none", ssl_verify_mode=>"none", ssl_peer_metadata=>false, include_codec_tag=>true, ssl_handshake_timeout=>10000, ssl_cipher_suites=>["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"], ssl_supported_protocols=>["TLSv1.2", "TLSv1.3"], client_inactivity_timeout=>60, executor_threads=>8, add_hostname=>false, tls_min_version=>1, tls_max_version=>1.3>}
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/amazing_print-1.5.0/lib/amazing_print/formatter.rb:37: warning: previous definition of cast was here
[2024-01-01T13:23:08,169][INFO ][logstash.javapipeline    ] Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
[2024-01-01T13:23:08,206][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1000, "pipeline.sources"=>["/etc/logstash/first-pipeline.conf"], :thread=>"#<Thread:0x3a785da0 /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-01-01T13:23:08,819][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>0.61}
[2024-01-01T13:23:08,832][INFO ][logstash.inputs.beats    ][main] Starting input listener {:address=>"0.0.0.0:5044"}
[2024-01-01T13:23:08,837][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
[2024-01-01T13:23:08,845][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2024-01-01T13:23:08,909][INFO ][org.logstash.beats.Server][main][c6b88577022f3da3a783802482eb011c4d6a9c88794e0502ef15d9211cb97fcf] Starting server on port: 5044

This is what I get after some seconds:

         "event" => {
        "original" => "71.212.224.97 - - [04/Jan/2015:05:27:35 +0000] \"GET /images/web/2009/banner.png HTTP/1.1\" 200 52315 \"http://www.semicomplete.com/projects/xdotool/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36\""
    },
       "message" => "71.212.224.97 - - [04/Jan/2015:05:27:35 +0000] \"GET /images/web/2009/banner.png HTTP/1.1\" 200 52315 \"http://www.semicomplete.com/projects/xdotool/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36\"",
           "log" => {
          "file" => {
            "path" => "/root/logstash-tutorial.log"
        },
        "offset" => 20928
    },
         "input" => {
        "type" => "log"
    }
}
{
          "host" => {
        "name" => "suricata"
    },
          "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
         "agent" => {
                "name" => "suricata",
        "ephemeral_id" => "8f8e1d38-dff4-4e03-a8cd-888be0701520",
             "version" => "8.11.3",
                  "id" => "62ed2743-a0d9-485e-931b-da7c6c44c027",
                "type" => "filebeat"
    },
    "@timestamp" => 2023-12-25T12:07:03.235Z,
      "@version" => "1",
           "ecs" => {
        "version" => "8.0.0"
    },
         "event" => {
        "original" => "198.46.149.143 - - [04/Jan/2015:05:29:13 +0000] \"GET /blog/geekery/disabling-battery-in-ubuntu-vms.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+semicomplete%2Fmain+%28semicomplete.com+-+Jordan+Sissel%29 HTTP/1.1\" 200 9316 \"-\" \"Tiny Tiny RSS/1.11 (http://tt-rss.org/)\""
    },
       "message" => "198.46.149.143 - - [04/Jan/2015:05:29:13 +0000] \"GET /blog/geekery/disabling-battery-in-ubuntu-vms.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+semicomplete%2Fmain+%28semicomplete.com+-+Jordan+Sissel%29 HTTP/1.1\" 200 9316 \"-\" \"Tiny Tiny RSS/1.11 (http://tt-rss.org/)\"",
           "log" => {
        "offset" => 22508,
          "file" => {
            "path" => "/root/logstash-tutorial.log"
        }
    },
         "input" => {
        "type" => "log"
    }

It seems to work. Doesn't it?

Bernd

If you are not using SSL, just don't set it.

input {
  beats {
    port => "5044"
  }
}

The "ssl" parameter is deprecated. ssl_enabled should be used instead.

I'm confused. I can't manage to get it to run properly again.
I start tcpdump this way:
tcpdump -i lo -vv host 127.0.0.1 and port 5044
Afterwards I start filebeat this way:
/usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -d "publish"
But I don't get network packets to port 5044!?!
But there should be some.
If I do:
/usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml test output
I get some packets.
When I issue the filebeat command, does the service need to be running?
Why doesn't the command send network packets?

If that file has already been read, then nothing will be sent... filebeat does not reread files every time you re-start it; that is by design.

You can

  1. Add lines to the log file and save it
  2. Read another file
  3. Clean out the filebeat data registry if you are just testing ...

Hi Stephen,
thanks for this information. I assumed something like this already.

Bernd
