Logstash Listening on port 8080 got stuck

Hi everyone, I'm new to ELK and, after going through a handful of articles & videos, I set up ELK for our projects. When I did a POC with ELK & Filebeat on the same machine, it was working fine, but when we planned to move ELK to a separate machine and keep Filebeat on the machine running our apps, I started facing this issue. The issue is that I configured the Logstash listening port as 8080 on the machine where the Elastic & Kibana services are running, and when I start the Logstash service, it gets stuck. Please check its log here:

```
[2022-02-02T12:50:52,249][INFO ][logstash.runner          ] Log4j configuration path used is: /etc/logstash/log4j2.properties
[2022-02-02T12:50:52,258][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.16.3", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 11.0.13+8 on 11.0.13+8 +indy +jit [linux-x86_64]"}
[2022-02-02T12:50:53,642][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2022-02-02T12:50:54,959][INFO ][org.reflections.Reflections] Reflections took 138 ms to scan 1 urls, producing 119 keys and 417 values
[2022-02-02T12:50:56,408][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost"]}
[2022-02-02T12:50:56,692][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://localhost:9200/]}}
[2022-02-02T12:50:56,875][WARN ][logstash.outputs.elasticsearch][main] Restored connection to ES instance {:url=>"http://localhost:9200/"}
[2022-02-02T12:50:56,888][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch version determined (7.16.3) {:es_version=>7}
[2022-02-02T12:50:56,890][WARN ][logstash.outputs.elasticsearch][main] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>7}
[2022-02-02T12:50:57,005][INFO ][logstash.outputs.elasticsearch][main] Using a default mapping template {:es_version=>7, :ecs_compatibility=>:disabled}
[2022-02-02T12:50:57,156][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>500, "pipeline.sources"=>["/etc/logstash/conf.d/logstash.conf"], :thread=>"#<Thread:0x571a1cc0 run>"}
[2022-02-02T12:50:58,164][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>1.0}
[2022-02-02T12:50:58,187][INFO ][logstash.inputs.beats    ][main] Starting input listener {:address=>"0.0.0.0:8080"}
[2022-02-02T12:50:58,210][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
[2022-02-02T12:50:58,292][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2022-02-02T12:50:58,388][INFO ][org.logstash.beats.Server][main][a161e426423a9bc3ce40cd18524483c3cacc828740d1b01f62ea735dd489c793] Starting server on port: 8080
```

Welcome to our community! :smiley:

It's not stuck, it's listening on that port and running and waiting for traffic.
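
The point of the reply above can be checked from the startup log itself: a beats listener line plus a "Pipelines running" line, with no ERROR or FATAL entries, means Logstash is up and waiting for connections. The following is an added example, not part of the original thread; the function names are hypothetical and the sample is three lines copied from the log in the question.

```python
import re

# Constructed sample: three lines copied from the startup log in the question.
SAMPLE_LOG = """\
[2022-02-02T12:50:53,642][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2022-02-02T12:50:58,187][INFO ][logstash.inputs.beats    ][main] Starting input listener {:address=>"0.0.0.0:8080"}
[2022-02-02T12:50:58,292][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
"""

# Layout of each line: [timestamp][LEVEL][logger   ] rest-of-line
LINE = re.compile(r"^\[[^\]]+\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+?)\s*\](?P<rest>.*)$")


def summarize_startup(log_text):
    """Collect what the startup log states about listeners, pipelines and the API."""
    summary = {"beats_listeners": [], "wildcard_listeners": [], "running_pipelines": [],
               "api_port": None, "api_tls": None, "problems": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a Logstash log line (blank line, stack trace, ...)
        level, logger, rest = m["level"], m["logger"], m["rest"]
        if level in ("ERROR", "FATAL"):
            summary["problems"].append(rest.strip())
        elif logger == "logstash.inputs.beats" and "Starting input listener" in rest:
            addr = re.search(r':address=>"([^"]+)"', rest)
            if addr:
                summary["beats_listeners"].append(addr.group(1))
                # 0.0.0.0 means the input accepts connections on every interface.
                if addr.group(1).startswith("0.0.0.0:"):
                    summary["wildcard_listeners"].append(addr.group(1))
        elif logger == "logstash.agent" and "Pipelines running" in rest:
            ids = re.search(r":running_pipelines=>\[([^\]]*)\]", rest)
            summary["running_pipelines"] = re.findall(r":(\w+)", ids.group(1)) if ids else []
        elif logger == "logstash.agent" and "API endpoint" in rest:
            api = re.search(r":port=>(\d+), :ssl_enabled=>(true|false)", rest)
            if api:
                summary["api_port"] = int(api.group(1))
                summary["api_tls"] = api.group(2) == "true"
    return summary


def is_waiting_for_traffic(summary):
    """True when a beats listener and a running pipeline exist and no errors were logged."""
    return bool(summary["beats_listeners"] and summary["running_pipelines"]
                and not summary["problems"])
```
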

@warkolm Thank you for your response!

I configured Filebeat on another machine where my app is running, and below is filebeat.yml:


```
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

# filestream is an input for collecting log messages from files.
- type: filestream

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /opt/tomcat/latest/logs/jobs/services/apps.log
    #- c:\programdata\elasticsearch\logs\*
```

and

```
  # The Logstash hosts
  hosts: ["<logstashhost>:8080"]
```

I'm able to telnet to this host & port from the app machine.
I'm not sure what I'm doing wrong here :(

I think you'd need to share your Filebeat logs to see what's happening.

When I try to start Filebeat and check its status, I'm getting the below error:

```
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2022-02-04 20:44:54 PST; 4h 40min ago
Docs: Filebeat: Lightweight Log Analysis & Elasticsearch | Elastic
Process: 645419 ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS (code=exited, status=1/FAILURE)
Main PID: 645419 (code=exited, status=1/FAILURE)

Feb 04 20:44:54 l10n-pmi-prod-backend systemd[1]: filebeat.service: Scheduled restart job, restart counter is at 5.
Feb 04 20:44:54 l10n-pmi-prod-backend systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
Feb 04 20:44:54 l10n-pmi-prod-backend systemd[1]: filebeat.service: Start request repeated too quickly.
Feb 04 20:44:54 l10n-pmi-prod-backend systemd[1]: filebeat.service: Failed with result 'exit-code'.
Feb 04 20:44:54 l10n-pmi-prod-backend systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..
```

But when I start sudo /usr/.../filebeat -c /etc/filebeat/filebeat.yml, it works, but it stops when I close my terminal.

If you are sending data from filebeat you need to use the beats input for logstash

The http endpoint is not going to work as you expect.
