Problem connecting packetbeat to logstash

Hi Everyone,

My packetbeat agent won't ship packets to logstash. Could someone give me a hint to solve this issue?

Packetbeat log:

2019-07-02T02:18:24.403Z INFO [monitoring] log/log.go:144 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":760,"time":{"ms":11}},"total":{"ticks":2280,"time":{"ms":39},"value":2280},"user":{"ticks":1520,"time":{"ms":28}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":7},"info":{"ephemeral_id":"af8fd8a2-49fc-49d6-af15-37ae500e974a","uptime":{"ms":1050161}},"memstats":{"gc_next":42739424,"memory_alloc":23677752,"memory_total":56891272}},"libbeat":{"config":{"module":{"running":0}},"output":{"read":{"errors":1},"write":{"bytes":126}},"pipeline":{"clients":15,"events":{"active":910,"published":11,"retry":1,"total":11}}},"system":{"load":{"1":0.02,"15":0.22,"5":0.22,"norm":{"1":0.02,"15":0.22,"5":0.22}}}}}}
2019-07-02T02:18:35.891Z ERROR pipeline/output.go:100 Failed to connect to backoff(elasticsearch(http://192.168.31.139:5044)): Get http://192.168.31.139:5044: read tcp 192.168.31.137:34764->192.168.31.139:5044: read: connection reset by peer
2019-07-02T02:18:35.893Z INFO pipeline/output.go:93 Attempting to reconnect to backoff(elasticsearch(http://192.168.31.139:5044)) with 28 reconnect attempt(s)
2019-07-02T02:18:35.895Z INFO [publish] pipeline/retry.go:189 retryer: send unwait-signal to consumer
2019-07-02T02:18:35.896Z INFO [publish] pipeline/retry.go:191 done
2019-07-02T02:18:35.897Z INFO [publish] pipeline/retry.go:166 retryer: send wait signal to consumer
2019-07-02T02:18:35.898Z INFO [publish] pipeline/retry.go:168 done

Packetbeat configuration:

#----------------------------- Logstash output --------------------------------
#output.logstash:
  enabled: true

  # The Logstash hosts
  hosts: ["192.168.31.139:5044"]
  loadbalance: true

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

Logstash configuration:

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

Best regards,

P.S.: I followed the instructions in the documentation to create the template manually.

You need to get your outputs right:

Add "enabled: false" to the elasticsearch stanza and remove the "#" from "#output.logstash:".

Hth,
Robert
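
The ERROR line in the question names the output Packetbeat is actually using: elasticsearch(...), aimed at port 5044, where the Logstash beats input listens. The following is an added example, not part of the original posts, that flags this mismatch in Beats logs; the function name `misrouted_outputs` and the third sample line are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# libbeat wraps the active output in its connection messages, e.g.
# backoff(elasticsearch(http://192.168.31.139:5044))
OUTPUT_RE = re.compile(r"backoff\((?P<kind>\w+)\((?P<target>[^)\s]+)\)\)")

BEATS_PORT = 5044  # port of the beats input in the Logstash pipeline above

# The first two lines are copied from the log in the question; the third is
# constructed here as a correctly targeted Elasticsearch output.
SAMPLE_LOG = [
    "2019-07-02T02:18:35.891Z ERROR pipeline/output.go:100 Failed to connect to "
    "backoff(elasticsearch(http://192.168.31.139:5044)): Get http://192.168.31.139:5044: "
    "read tcp 192.168.31.137:34764->192.168.31.139:5044: read: connection reset by peer",
    "2019-07-02T02:18:35.893Z INFO pipeline/output.go:93 Attempting to reconnect to "
    "backoff(elasticsearch(http://192.168.31.139:5044)) with 28 reconnect attempt(s)",
    "2019-07-02T02:19:05.000Z INFO pipeline/output.go:93 Attempting to reconnect to "
    "backoff(elasticsearch(http://192.168.31.139:9200)) with 1 reconnect attempt(s)",
]


def misrouted_outputs(log_lines, beats_port=BEATS_PORT):
    """Return sorted (kind, host, port) tuples for Elasticsearch outputs
    that are pointed at the Logstash beats port."""
    findings = set()
    for line in log_lines:
        match = OUTPUT_RE.search(line)
        if match is None:
            continue
        url = urlsplit(match.group("target"))
        try:
            port = url.port
        except ValueError:  # non-numeric or out-of-range port in the log
            continue
        if match.group("kind") == "elasticsearch" and port == beats_port:
            findings.add((match.group("kind"), url.hostname, port))
    return sorted(findings)


if __name__ == "__main__":
    for kind, host, port in misrouted_outputs(SAMPLE_LOG):
        print(f"{kind} output is talking HTTP to {host}:{port}, "
              "the Logstash beats port; enable output.logstash instead")
```
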
