Hi everyone!
I have a first pipeline running well: Filebeat -> Logstash -> Elasticsearch.
Now I'm trying to run Filebeat -> Logstash -> Loki, but there is a connection error. The message comes from Filebeat:
{"log.level":"error","@timestamp":"2022-02-25T16:32:05.518+0100","log.logger":"logstash","log.origin":{"file.name":"logstash/async.go","file.line":280},"message":"Failed to publish events caused by: write tcp 127.0.0.1:55224->127.0.0.1:5044: wsasend: An existing connection was forcibly closed by the remote host.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-02-25T16:32:06.727+0100","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":176},"message":"failed to publish events: write tcp 127.0.0.1:55224->127.0.0.1:5044: wsasend: An existing connection was forcibly closed by the remote host.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-25T16:32:06.727+0100","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":139},"message":"Connecting to backoff(async(tcp://localhost:5044))","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-25T16:32:06.729+0100","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":147},"message":"Connection to backoff(async(tcp://localhost:5044)) established","service.name":"filebeat","ecs.version":"1.6.0"}
I don't understand this error "An existing connection was forcibly closed by the remote host".
Regarding my Logstash configuration, I copy-pasted the one for Elasticsearch and just changed the output:
input {
  beats {
    port => "5044"
  }
}
filter {
  grok {
    match => {"message" => '<my very long grok>'}
  }
  date {
    match => ["timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSSSSS"]
    target => "timestamp"
  }
  mutate {
    remove_field => ["[tags]", "[agent]", "[log]", "[ecs]", "[version]", "[event]", "[host]", "[message]", "[@version]", "[input]"]
  }
}
output {
  loki {
    url => "http://localhost:3100/loki/api/v1/push"
  }
}
Also, I already activated the output like this:
.\bin\logstash-plugin install logstash-output-loki
And the response was positive.
So, back to my problem, there is a TCP error that I do not understand...
Thanks for your time!