Logstash Constantly Terminating WinLogBeats Connection


(G T) #1

I have a full ELK stack on a Ubuntu VM hosted in Azure, Logstash has the latest Beats plugin installed. I also have a Windows VM with Winlogbeat that is pointed at Logstash.

2017-10-16T15:10:40+01:00 ERR Connecting error publishing events (retrying): Get http://External:5044: read tcp Internal:51713->External:5044: wsarecv: An existing connection was forcibly closed by the remote host.
2017-10-16T15:11:03+01:00 INFO Non-zero metrics in the last 30s: libbeat.es.publish.read_errors=1 libbeat.es.publish.write_bytes=125 uptime={"server_time":"2017-10-16T14:11:03.2071851Z","start_time":"2017-10-16T13:28:33.2359986Z","uptime":"42m29.9711865s","uptime_ms":"2549971186"}
2017-10-16T15:11:33+01:00 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2017-10-16T14:11:33.2069213Z","start_time":"2017-10-16T13:28:33.2359986Z","uptime":"42m59.9709227s","uptime_ms":"2579970922"}
2017-10-16T15:11:41+01:00 ERR Connecting error publishing events (retrying): Get http://External:5044: read tcp Internal:51714->External:5044: wsarecv: An existing connection was forcibly closed by the remote host.
2017-10-16T15:12:03+01:00 INFO Non-zero metrics in the last 30s: libbeat.es.publish.read_errors=1 libbeat.es.publish.write_bytes=125 uptime={"server_time":"2017-10-16T14:12:03.2057994Z","start_time":"2017-10-16T13:28:33.2359986Z","uptime":"43m29.9698008s","uptime_ms":"2609969800"}

The above logs are from Winlogbeat on the Windows VM.

I have also run tcpdump on port 5044 on the ELK Ubuntu VM, and I can see the TCP handshake occurring, then a reset packet is sent to Winlogbeat, the connection is reset and another TCP handshake occurs.

[2017-10-16T14:22:41,774][INFO ][org.logstash.beats.BeatsHandler] [local: Internal:5044, remote: External:29640] Exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 84
[2017-10-16T14:23:41,842][INFO ][org.logstash.beats.BeatsHandler] [local: Internal:5044, remote: External:16379] Exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 69
[2017-10-16T14:23:41,842][INFO ][org.logstash.beats.BeatsHandler] [local: Internal:5044, remote: External:16379] Exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 84
[2017-10-16T14:24:41,909][INFO ][org.logstash.beats.BeatsHandler] [local: Internal:5044, remote: External:9044] Exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 69
[2017-10-16T14:24:41,909][INFO ][org.logstash.beats.BeatsHandler] [local: Internal:5044, remote: External:9044] Exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 84

As you can see above, the logs from Logstash show the constant reset of the connection.

#-------------------------- Elasticsearch output -------------------------------
output.elasticsearch:
  # Boolean flag to enable or disable the output module.
  enabled: false

  # Array of hosts to connect to.
  # Scheme and port can be left out and will be set to the default (http and 9200)
  # In case you specify an additional path, the scheme is required: http://localhost:9200/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
  hosts: ["localhost:9200"]

#----------------------------- Logstash output ---------------------------------
#output.logstash:
  # Boolean flag to enable or disable the output module.
  enabled: true

  # The Logstash hosts
  hosts: ["External:5044"]

Above is my Winlogbeat config file (this is the only relevant part, as everything else is left as default). I have tried deleting and commenting out the Elasticsearch part of the config, and doing either causes Winlogbeat to not run.

input {
  beats {
    port => 5044
  }
}

Above is my Logstash Beats input.

Any assistance would be much appreciated.

Cheers,

G
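An added diagnostic script (my own, not part of this thread or of Winlogbeat/Logstash) that reads the two excerpts in the post above: it decodes the frame-type bytes the beats input rejected (84 and 69 are ASCII 'T' and 'E', letters of an HTTP request line rather than any lumberjack frame type, which matches the "Get http://External:5044" in the Winlogbeat log) and scans the winlogbeat.yml text for an output.logstash header that is commented out while its indented enabled/hosts keys are still live, which in YAML attaches them to the preceding output.elasticsearch block. Function names and the abridged sample inputs are my own constructions.

```python
import re
# Frame-type bytes the Logstash beats input accepts (lumberjack protocol): window, data, compressed, json, ack.
BEATS_FRAME_TYPES = {ord("W"): "window", ord("D"): "data", ord("C"): "compressed", ord("J"): "json", ord("A"): "ack"}
FRAME_RE = re.compile(r"Invalid Frame Type, received: (\d+)")
COMMENTED_LOGSTASH_RE = re.compile(r"^#\s*output\.logstash:\s*$")
# Constructed sample input: two Logstash lines from the post above, abridged to the exception text.
SAMPLE_LOGSTASH_LOG = [
    "[2017-10-16T14:22:41,774][INFO ][org.logstash.beats.BeatsHandler] Exception: "
    "org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 84",
    "[2017-10-16T14:23:41,842][INFO ][org.logstash.beats.BeatsHandler] Exception: "
    "org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 69",
]
# Constructed sample input: the output section of winlogbeat.yml as posted (header line commented out).
SAMPLE_WINLOGBEAT_YML = """output.elasticsearch:
  enabled: false
  hosts: ["localhost:9200"]

#output.logstash:
  enabled: true
  hosts: ["External:5044"]
"""

def decode_frame_bytes(logstash_lines):
    """Return (byte, ascii, meaning) for each frame-type byte the beats input rejected."""
    decoded = []
    for line in logstash_lines:
        m = FRAME_RE.search(line)
        if m:
            b = int(m.group(1))
            ch = chr(b) if 32 <= b < 127 else "?"
            decoded.append((b, ch, BEATS_FRAME_TYPES.get(b, "not a beats frame type")))
    return decoded

def looks_like_http(decoded):
    """True when every rejected byte is a letter of an HTTP request line (GET / POST / HTTP)."""
    letters = [ch for _, ch, meaning in decoded if meaning == "not a beats frame type"]
    return bool(letters) and all(ch in "GETPOSTHTTP/" for ch in letters)

def logstash_output_commented(winlogbeat_yml):
    """True when 'output.logstash:' is commented out but indented keys still follow it (YAML then attaches them to the previous mapping)."""
    lines = winlogbeat_yml.splitlines()
    for i, line in enumerate(lines):
        if COMMENTED_LOGSTASH_RE.match(line.strip()):
            for nxt in lines[i + 1:]:
                s = nxt.strip()
                if s and not s.startswith("#"):  # first live line after the commented header
                    return nxt.startswith(" ") and ":" in s
    return False
```

Run against the samples, both checks fire; uncommenting the output.logstash header makes the config check pass, and the Winlogbeat log's "Get http://" confirms the HTTP reading of the rejected bytes.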


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.