Hi, I have had filebeat/logstash/elasticsearch running successfully on (I'll call it) boxA for several weeks. Recently I had the need to set up on (I'll call it) boxB. I am using the same version of the elk components on both boxes. I am using the same filebeat.yml on both boxes. I am using the same logstash.conf and logstash.yml on both boxes.
With logstash and filebeat running on boxB, I noticed that updated log file picked up from filebeat was not being processed by logstash. When I looked at the logstash log I noticed:
~stuff at start of line~ Failed to connect to backoff(async(tcp://localhost:5044)): dial tcp 127.0.0.1:5044)) connect: connection refused
filebeat would get the same error with each attempt to reconnect.
logstash did not indicate any error when starting up. The salient messages at startup (as far as 5044) are:
~stuff at start of line~ Beats inputs: Starting input listener {:address=>"0.0.0:5044}
~stuff at start of line~ Starting server on port: 5044
~stuff at start of line~ Successfully started logstash API endpoint {: port=>9600}
, implying a successful start
Here is logstash.conf input section:
input {
beats {
port=> 5044
type=> "log"
}
}
Interestingly, on boxA, once logstash is started I can see that it is listening on 5044:
-bash-blah$ sudo lsof -i -P -n | grep 5044
~stuff at start of line~ TCP *:5044 (LISTEN)
,on box B, same lsof command returns nothing.
Finally, I am told with great confidence by the sys admin team responsible that all ports are open on boxB .
I would be extremely grateful for any ideas of how to continue with troubleshooting and fixing my problem. Grateful for any response. Thank you!