I have a full ELK stack on an Ubuntu VM hosted in Azure; Logstash has the latest Beats plugin installed. I also have a Windows VM with Winlogbeat that is pointed at Logstash.
```
2017-10-16T15:10:40+01:00 ERR Connecting error publishing events (retrying): Get http://External:5044: read tcp Internal:51713->External:5044: wsarecv: An existing connection was forcibly closed by the remote host.
2017-10-16T15:11:03+01:00 INFO Non-zero metrics in the last 30s: libbeat.es.publish.read_errors=1 libbeat.es.publish.write_bytes=125 uptime={"server_time":"2017-10-16T14:11:03.2071851Z","start_time":"2017-10-16T13:28:33.2359986Z","uptime":"42m29.9711865s","uptime_ms":"2549971186"}
2017-10-16T15:11:33+01:00 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2017-10-16T14:11:33.2069213Z","start_time":"2017-10-16T13:28:33.2359986Z","uptime":"42m59.9709227s","uptime_ms":"2579970922"}
2017-10-16T15:11:41+01:00 ERR Connecting error publishing events (retrying): Get http://External:5044: read tcp Internal:51714->External:5044: wsarecv: An existing connection was forcibly closed by the remote host.
2017-10-16T15:12:03+01:00 INFO Non-zero metrics in the last 30s: libbeat.es.publish.read_errors=1 libbeat.es.publish.write_bytes=125 uptime={"server_time":"2017-10-16T14:12:03.2057994Z","start_time":"2017-10-16T13:28:33.2359986Z","uptime":"43m29.9698008s","uptime_ms":"2609969800"}
```
The above logs are from Winlogbeat on the Windows VM.
I have also run tcpdump on port 5044 on the ELK Ubuntu VM, and I can see the TCP handshake occurring, then a reset packet is sent to Winlogbeat, the connection is reset, and another TCP handshake occurs.
```
[2017-10-16T14:22:41,774][INFO ][org.logstash.beats.BeatsHandler] [local: Internal:5044, remote: External:29640] Exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 84
[2017-10-16T14:23:41,842][INFO ][org.logstash.beats.BeatsHandler] [local: Internal:5044, remote: External:16379] Exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 69
[2017-10-16T14:23:41,842][INFO ][org.logstash.beats.BeatsHandler] [local: Internal:5044, remote: External:16379] Exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 84
[2017-10-16T14:24:41,909][INFO ][org.logstash.beats.BeatsHandler] [local: Internal:5044, remote: External:9044] Exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 69
[2017-10-16T14:24:41,909][INFO ][org.logstash.beats.BeatsHandler] [local: Internal:5044, remote: External:9044] Exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 84
```
As you can see above, the logs from Logstash show the connection being reset constantly.
```yaml
#-------------------------- Elasticsearch output -------------------------------
output.elasticsearch:
  # Boolean flag to enable or disable the output module.
  enabled: false

  # Array of hosts to connect to.
  # Scheme and port can be left out and will be set to the default (http and 9200)
  # In case you specify an additional path, the scheme is required: http://localhost:9200/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
  hosts: ["localhost:9200"]

#----------------------------- Logstash output ---------------------------------
#output.logstash:
  # Boolean flag to enable or disable the output module.
  enabled: true

  # The Logstash hosts
  hosts: ["External:5044"]
```
As you can see above, this is my Winlogbeat config file (this is the only relevant part, as everything else is left at the default). I have tried deleting and commenting out the Elasticsearch part of the config, and doing either causes Winlogbeat to not run.
```
input {
  beats {
    port => 5044
  }
}
```
As you can see above, this is my Logstash Beats input.
Any assistance would be much appreciated.
Cheers,
G
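As an added diagnostic that is not part of the original post: the script below re-reads the posted winlogbeat.yml fragment with the two-space indentation of the stock reference file restored (an assumption, since the post flattened it) and maps the "Invalid Frame Type" byte values from the Logstash log back to ASCII. Because `#output.logstash:` is commented out, YAML ignores that line and attaches the indented `enabled: true` and `hosts: ["External:5044"]` to the preceding `output.elasticsearch` section, so Winlogbeat sends an HTTP request (the `Get http://External:5044` in its log) to the Beats port; 69 and 84 are the ASCII codes of `E` and `T`, as in `GET`.

```python
import re

# Constructed from the winlogbeat.yml fragment in the post, with the two-space
# indentation of the stock reference file restored (assumed; the post lost it).
WINLOGBEAT_YML = """\
output.elasticsearch:
  enabled: false
  hosts: ["localhost:9200"]
#output.logstash:
  # Boolean flag to enable or disable the output module.
  enabled: true
  hosts: ["External:5044"]
"""

# Constructed Logstash lines in the shape of those in the post.
LOGSTASH_LOG = [
    "[2017-10-16T14:23:41,842][INFO ][org.logstash.beats.BeatsHandler] Exception: "
    "org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 69",
    "[2017-10-16T14:23:41,842][INFO ][org.logstash.beats.BeatsHandler] Exception: "
    "org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 84",
]

def effective_sections(yml):
    """Attach each indented 'key: value' line to the nearest preceding uncommented
    top-level key, as a YAML parser does: comment lines are ignored, so a commented-out
    section header starts no mapping and its children fall through to the previous
    section. Repeated keys are returned as collisions (the later value wins)."""
    sections, collisions, current = {}, [], None
    for line in yml.splitlines():
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue  # blank, or a comment such as '#output.logstash:'
        key, _, value = stripped.partition(":")
        value = value.strip()
        if line == stripped:  # column 0: a real top-level section
            current = key
            sections.setdefault(current, {})
        elif current is not None:
            if key in sections[current]:
                collisions.append((current, key, sections[current][key], value))
            sections[current][key] = value
    return sections, collisions

def decode_frame_types(lines):
    """Logstash reports the byte it read where it expected a Beats frame-type byte;
    mapping those values back to ASCII shows what the client really sent."""
    codes = [int(m.group(1)) for line in lines
             for m in re.finditer(r"Invalid Frame Type, received: (\d+)", line)]
    return "".join(chr(c) for c in codes)
```

Uncommenting `output.logstash:` so that its two indented keys belong to it again is what the check points at; the duplicate-key collisions it reports are the lines that silently overrode `enabled: false` and `hosts: ["localhost:9200"]`.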