Logstash error: Elasticsearch host unreachable

Hello Community,

I have Logstash running on a CentOS system in VirtualBox. Its purpose is to collect a log file, parse it, and send it to Elasticsearch on my other VirtualBox machine.

I get "<> not reachable, retrying connection, maximum retry time out...." kind of errors.

My Logstash file is as below.

input {
  file {
    path => "/opt/vulnwhisperer/openvas/*.json"
    type => json
    codec => json
    start_position => "beginning"
    tags => [ "openvas_scan", "openvas" ]
  }
}
filter {
  ......
}

output {
  if "openvas" in [tags] {
    elasticsearch {
      hosts => [ "192.168.56.50:9200" ]
      index => "logstash-vulnwhisperer-%{+YYYY.MM}"
    }
  }
}

** The firewalls on both machines are off
** I am able to ping the IPs from both machines
** I did not make any changes in the logstash.yml file
*** I have a Logstash running on my Elasticsearch machine and I am able to ingest different logs through that Logstash with output as localhost:9200, so my Elasticsearch is working fine.

Kindly guide me on what basic things I am missing. Is it a configuration issue?

Ping does not necessarily tell you that much, though it is good to test of course...

Can you do e.g. curl http://192.168.56.50:9200 from the Logstash VM?

You should see something like

{
  "name" : "node-name",
  "cluster_name" : "cluster-name",
  "cluster_uuid" : "L5NV4Nc2SAOFtcHF9JYzNQ",
  "version" : {
    "number" : "6.3.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "053779d",
    "build_date" : "2018-07-20T05:20:23.451332Z",
    "build_snapshot" : false,
    "lucene_version" : "7.3.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

Thanks @A_B - I will test this once I get into my home lab tonight. I will keep you posted.

Hello @A_B - I get a connection refused error when I do curl. My Elastic server/VM is up and running. Even the other Logstash on the Elastic server is running and I am getting logs in Kibana.
As said earlier, the firewall is disabled on both VMs.

[root@Vuln ~]# curl http://192.168.56.50:9200
curl: (7) Failed connect to 192.168.56.50:9200; Connection refused

Not sure what to tell you... That will have to work before Logstash will be able to connect.

What is the IP of the Logstash VM? I have not used VirtualBox that much but if both IPs are in the same subnet then ports should be open...

@A_B The IP of the Logstash VM is 192.168.56.50.
In case I want to use Filebeat to collect logs and send them to the Logstash that is running on the other VM - will I have the same problem? Just to try.
And the log I want is in JSON format (xxx.json). Can I collect JSON using Filebeat and use codec=json in the Logstash filter?

Sorry for the typo in the above message.
Logstash VM is 192.168.56.50
Elasticsearch VM is 192.165.56.10

curl http://192.168.56.10:900 from the Logstash VM gives a connectivity error
root@Vuln ~]# curl http://192.168.56.10:9200
curl: (7) Failed connect to 192.168.56.10:9200; Connection refused

Quite possibly... Anything you do over the network will have to have correct connectivity to work.

If ping works between your VMs, you might get some more info for troubleshooting by using some sort of port scanner. E.g. nmap.

One thing to test is also if Elasticsearch is only listening on localhost. E.g. lsof -n -P -i :9200 will show you what is listening on port 9200 and on which network interface. If it is 127.0.0.1 you will have to change (or add) network.host: 192.165.56.10 to your elasticsearch.yaml.
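
Added example, not part of the original thread: a shell helper that reads the output of the `lsof -n -P -i :9200` command suggested above and reports whether the listener on that port is bound to loopback only, to every interface, or to specific addresses. The function name `classify_listener` and the sample lsof lines are constructed for illustration; the wildcard-bind case goes slightly beyond what the post describes.

```shell
#!/usr/bin/env bash
# Added example. classify_listener is a hypothetical helper name.
# Usage on the Elasticsearch VM:  lsof -n -P -i :9200 | classify_listener 9200
# Prints: not-listening | loopback-only | all-interfaces | specific:<addr>[,<addr>...]
classify_listener() {
  awk -v port="$1" '
    # Only LISTEN sockets matter; their last two fields are "ADDR:PORT (LISTEN)".
    $NF == "(LISTEN)" {
      name = $(NF-1)
      n = split(name, parts, ":")
      if (parts[n] != port) next
      addr = substr(name, 1, length(name) - length(parts[n]) - 1)
      sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # strip IPv6 brackets
      sub(/^::ffff:/, "", addr)                    # IPv4-mapped form, if present
      if (addr == "*" || addr == "0.0.0.0" || addr == "::") any = 1
      else if (addr ~ /^127\./ || addr == "::1") loop = 1
      else if (!(addr in seen)) {
        seen[addr] = 1
        list = list (list != "" ? "," : "") addr
      }
    }
    END {
      if (any) print "all-interfaces"            # reachable on every interface
      else if (list != "") print "specific:" list  # reachable only on these IPs
      else if (loop) print "loopback-only"       # remote clients get "refused"
      else print "not-listening"                 # nothing bound to this port
    }'
}

# Constructed sample output (not captured from the poster's VMs).
SAMPLE_BEFORE='COMMAND  PID          USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    1234 elasticsearch  120u  IPv6  30001      0t0  TCP 127.0.0.1:9200 (LISTEN)
java    1234 elasticsearch  121u  IPv6  30002      0t0  TCP [::1]:9200 (LISTEN)'
SAMPLE_AFTER='COMMAND  PID          USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    1234 elasticsearch  120u  IPv6  30001      0t0  TCP 192.168.56.10:9200 (LISTEN)'

printf '%s\n' "$SAMPLE_BEFORE" | classify_listener 9200
printf '%s\n' "$SAMPLE_AFTER"  | classify_listener 9200
```

A `loopback-only` result matches the "Connection refused" seen from the other VM; `specific:` with the host-only address is the state after setting network.host to that IP.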

Hello @A_B Thank you very much. I changed network.host to my Elasticsearch VM IP and the connectivity issue is resolved.

Just to add - changing network.host in the elasticsearch.yml file caused Kibana to break. So I needed to change the Elasticsearch IP from localhost to the VM IP in the kibana.yml file as well.
Same with the Logstash conf file - the output filter doesn't support localhost:9200, it required <>

Thanks for the help. Appreciate it!!
