Logstash beats: 69/71 error

Logstash configuration:

input {
  beats {
    port => 9443
    host => "0.0.0.0"
    ssl => false
  }
}
filter {
  ...
}
output {
  ...
  }
  stdout{}
}

It looks like logstash is having an issue with the beats tag as I get the following error:

Caused by: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 69
Handling exception: io.netty.handler.codec.DecoderException: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 71 (caused by: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 71)

I haven't set up filebeat but I know in the past that logstash should still work without filebeat running. Any help would be much appreciated.

Those messages normally indicate that you have something trying to connect to the port that you configured without using the beats protocol.

Since you said that you haven't set up filebeat yet, you probably have something else sending messages to this port in your logstash server using another protocol; you need to check it with a tcpdump, for example.

Generally this means that something that is not speaking the beats protocol is connecting to the input. Amongst the possible causes are:

  1. A beat with SSL enabled connecting to a beat input with SSL disabled
  2. A beat with SSL disabled connecting to a beat input with SSL enabled
  3. A port scanner (on the public internet you can be certain that folks are port scanning you, on a corporate network this may also happen)
  4. Someone else trying to use the same port
  5. In a beat configuration someone uncommented the hosts: line for the logstash output, but left output.logstash commented and output.elasticsearch uncommented, so that the beat starts talking HTTP to the beats input instead of lumberjack
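The number in the error is the decimal value of the first byte the beats input read where it expected the protocol version, so it hints at what kind of client connected. The following is an added example, not code from the thread or from Logstash, that decodes those values; the verb list and the sample line with 22 are assumptions made for illustration.

```python
import re

# Version bytes the beats (lumberjack) framing accepts: ASCII '1' and '2'.
VALID_VERSIONS = {ord("1"), ord("2")}
TLS_HANDSHAKE = 0x16  # first byte of a TLS handshake record (ClientHello)
# Text-protocol verbs compared against the first byte (illustrative, not exhaustive).
TEXT_VERBS = ("GET", "POST", "PUT", "HEAD", "DELETE", "OPTIONS", "PATCH",
              "CONNECT", "EHLO", "HELO")
# Allow a leading minus in case a value is logged as a negative (signed) byte.
ERR_RE = re.compile(r"Invalid version of beats protocol: (-?\d+)")


def classify_first_byte(value):
    """Describe what kind of client most plausibly sent this first byte."""
    if value in VALID_VERSIONS:
        return "valid beats protocol version '%s'" % chr(value)
    if value == TLS_HANDSHAKE:
        return "TLS handshake record: client uses SSL/TLS, input does not"
    if 0x20 <= value <= 0x7E:
        ch = chr(value)
        verbs = [v for v in TEXT_VERBS if v.startswith(ch)]
        hint = " (could start %s)" % ", ".join(verbs) if verbs else ""
        return "ASCII %r: plaintext, non-beats client%s" % (ch, hint)
    return "binary byte 0x%02x: unknown non-beats protocol" % value


def explain_log(lines):
    """Return sorted (byte value, explanation) pairs for each distinct value."""
    seen = set()
    for line in lines:
        seen.update(int(m) & 0xFF for m in ERR_RE.findall(line))
    return [(v, classify_first_byte(v)) for v in sorted(seen)]


# 69 and 71 are the values from the errors quoted in the question; the line with
# 22 is constructed to show a TLS client reaching an input that has ssl => false.
SAMPLE_LOG = [
    "Caused by: org.logstash.beats.InvalidFrameProtocolException: "
    "Invalid version of beats protocol: 69",
    "Handling exception: io.netty.handler.codec.DecoderException: "
    "Invalid version of beats protocol: 71 (caused by: "
    "Invalid version of beats protocol: 71)",
    "Invalid version of beats protocol: 22",
]

if __name__ == "__main__":
    for value, why in explain_log(SAMPLE_LOG):
        print(value, "->", why)
```

For the values in this thread it reports 69 as ASCII 'E' and 71 as ASCII 'G', which points to a plaintext client rather than a beat; a packet capture on the port while Logstash is listening shows which host sent them.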

Thank you both! I did try running:

tcpdump -nnSX port 9443

And was returned an empty result. (I have logstash stopped at the moment)

@Badger, it's not 1-2 or 5 as I don't have filebeat set up
