Logstash forwarding connection refused

Hello,

I am trying to forward logs to any other location for the moment; however, I have the following error when trying to forward any data whatsoever. I have a netcat listener on the opposite end and can see the incoming connection, but the Elastic Logstash side fails.

Just need some help or guidance please.
```
root@XXXXXXX:/opt/logstash-8.8.0# ./bin/logstash -e 'input { stdin { } } output { elasticsearch { hosts => ["192.168.3.54:7000"] } stdout {} }'
Using bundled JDK: /opt/logstash-8.8.0/jdk
Sending Logstash logs to /opt/logstash-8.8.0/logs which is now configured via log4j2.properties
[2023-07-13T09:34:54,119][INFO ][logstash.runner ] Log4j configuration path used is: /opt/logstash-8.8.0/config/log4j2.properties
[2023-07-13T09:34:54,122][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"8.8.0", "jruby.version"=>"jruby 9.3.10.0 (2.6.8) 2023-02-01 107b2e6697 OpenJDK 64-Bit Server VM 17.0.7+7 on 17.0.7+7 +indy +jit [x86_64-linux]"}
[2023-07-13T09:34:54,124][INFO ][logstash.runner ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
[2023-07-13T09:34:54,282][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2023-07-13T09:34:54,957][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2023-07-13T09:34:55,626][INFO ][org.reflections.Reflections] Reflections took 523 ms to scan 1 urls, producing 132 keys and 464 values
[2023-07-13T09:34:58,824][INFO ][logstash.javapipeline ] Pipeline main is configured with pipeline.ecs_compatibility: v8 setting. All plugins in this pipeline will default to ecs_compatibility => v8 unless explicitly configured otherwise.
[2023-07-13T09:34:58,839][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::Elasticsearch", :hosts=>["//192.168.3.54:7000"]}
[2023-07-13T09:35:00,040][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch pool URLs updated {:changes=>{:removed=>, :added=>[http://192.168.3.54:7000/]}}
[2023-07-13T09:35:00,289][INFO ][logstash.outputs.elasticsearch][main] Failed to perform request {:message=>"Connect to 192.168.3.54:7000 [/192.168.3.54] failed: Connection refused", :exception=>Manticore::SocketException, :cause=>#<Java::OrgApacheHttpConn::HttpHostConnectException: Connect to 192.168.3.54:7000 [/192.168.3.54] failed: Connection refused>}
[2023-07-13T09:35:00,290][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://192.168.3.54:7000/", :exception=>LogStash::Outputs::Elasticsearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://192.168.3.54:7000/][Manticore::SocketException] Connect to 192.168.3.54:7000 [/192.168.3.54] failed: Connection refused"}
[2023-07-13T09:35:00,297][INFO ][logstash.outputs.elasticsearch][main] Data streams auto configuration (data_stream => auto or unset) resolved to true
[2023-07-13T09:35:00,297][WARN ][logstash.outputs.elasticsearch][main] Elasticsearch Output configured with ecs_compatibility => v8, which resolved to an UNRELEASED preview of version 8.0.0 of the Elastic Common Schema. Once ECS v8 and an updated release of this plugin are publicly available, you will need to update this plugin to resolve this warning.
[2023-07-13T09:35:00,309][INFO ][logstash.javapipeline ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1000, "pipeline.sources"=>["config string"], :thread=>"#<Thread:0x563130af@/opt/logstash-8.8.0/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2023-07-13T09:35:04,941][INFO ][logstash.javapipeline ][main] Pipeline Java execution initialization time {"seconds"=>4.63}
[2023-07-13T09:35:05,050][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
The stdin plugin is now waiting for input:
[2023-07-13T09:35:05,218][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>}
[2023-07-13T09:35:05,297][INFO ][logstash.outputs.elasticsearch][main] Failed to perform request {:message=>"Connect to 192.168.3.54:7000 [/192.168.3.54] failed: Connection refused", :exception=>Manticore::SocketException, :cause=>#<Java::OrgApacheHttpConn::HttpHostConnectException: Connect to 192.168.3.54:7000 [/192.168.3.54] failed: Connection refused>}
[2023-07-13T09:35:05,298][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://192.168.3.54:7000/", :exception=>LogStash::Outputs::Elasticsearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://192.168.3.54:7000/][Manticore::SocketException] Connect to 192.168.3.54:7000 [/192.168.3.54] failed: Connection refused"}
```

Hi @willsy,

Can you check the availability and health of your Elasticsearch cluster? That error looks like it can't reach Elasticsearch.

Hello,

It seems as though the one-way data diode is not responding. Thank you for your response.

I tested locally on my machine using NC as a listener, with tcpdump on the interface listening to that src and that port, and it started coming in.

Seems to be an "other-end-itis" type of deal.

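One way to run the availability check suggested in this thread from the Logstash host, as an added example that is not part of the original posts: the elasticsearch output talks HTTP to its target (the log shows `http://192.168.3.54:7000/`), so the probe separates a refused TCP connection from a listener that accepts the connection but never replies, such as netcat or a one-way link. The function name `probe`, its result labels and the use of the `X-elastic-product` response header (sent by recent Elasticsearch versions) as a heuristic are assumptions of this example.

```python
import socket
import sys


def _read_headers(sock, limit=65536):
    """Read until the end of the HTTP headers, EOF, a timeout or the size limit."""
    data = b""
    while b"\r\n\r\n" not in data and len(data) < limit:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        data += chunk
    return data


def probe(host, port, timeout=3.0):
    """Classify what answers on host:port, seen from the Logstash host."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # TCP reset: nothing is listening, or a device on the path rejects the port.
        return "refused"
    except OSError:
        # Connect timeout, no route to host, name resolution failure, ...
        return "unreachable"
    with sock:
        sock.settimeout(timeout)
        request = f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
        try:
            sock.sendall(request.encode("ascii"))
            reply = _read_headers(sock)
        except OSError:
            return "reset"
    if not reply:
        # TCP handshake worked but no bytes came back (netcat, one-way path).
        return "no-reply"
    if not reply.startswith(b"HTTP/"):
        return "not-http"
    headers = reply.split(b"\r\n\r\n", 1)[0].lower()
    if b"x-elastic-product: elasticsearch" in headers:
        return "elasticsearch"
    return "http-other"


if __name__ == "__main__":
    # Usage: python3 probe.py 192.168.3.54 7000
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Only the `elasticsearch` result means the output plugin has something it can work with; `refused` matches the error in the log above, and `no-reply` is what a listener that only receives will produce.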