Not accept logs when beats pointing to logstash

i have 3 beats winlogbeat (server os windows), filebeat and auditbeat (server os linux). when i pointing winlogbeat to logstash there's no problem to receive log.

but when i pointing filebeat and auditbeat to logstash, why no logs are received, but when I point directly to the elasticsearch server the logs are accepted properly?

what's wrong with my configuration?

Can we see your configuration (beats and logstash)?

Did you setup the indices first? See Load the Elasticsearch index template | Auditbeat Reference [7.12] | Elastic


    # Each - is an input. Most options can be set at the input level, so
    # you can use different inputs for various configurations.
    # Below are the input specific configurations.

    - type: log

      # Change to true to enable this input configuration.
      enabled: true

      # Paths that should be crawled and fetched. Glob based paths.
        #- /var/log/*.log
        #- /var/log/messages*
        #- /var/adm/syslog.log
         - /var/log/auth.log
         - /var/log/syslog

        #- c:\programdata\elasticsearch\logs\*

here's for the output

# ---------------------------- Elasticsearch Output ----------------------------
  # Array of hosts to connect to.
  #hosts: [""]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

# ------------------------------ Logstash Output -------------------------------
  # The Logstash hosts
  hosts: [""]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/filebeat/logstash-forwarder.crt"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"


in logstash i make this 3 file

Your Filebeat config looks fine. What does filebeat test output show?

And when running Filebeat what's in the FIlebeat log?

the test ouput.
even though all ports have been opened but why?

filebeat log

From the filebeat host what happens when you run

telnet 5044

"no route to host"

Well then you have a network connectivity issue between the filebeat host and the Logstash host that needs to be solved. FW, subnet, routing etc. something

It's not a Filebeat issue.

aaah i see, but when i pointing to server elasticsearch there's no problem, whereas one ip segment with logstash server

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.