Remote Filebeat can't send logs to Logstash

Wellguys · January 10, 2019, 9:27am

Hello.

I'm having some problems understanding how to connect a filebeat from another server to my ELK server.
I have a filebeat running on the ELK server with no issue and kibana is showing me all the logs needed, but I constantly get errors from my remote filebeat logs.

Here is the log in question

 ERROR   pipeline/output.go:100  Failed to connect to backoff(async(tcp://<ELKIP>:5044)): lookup <ELKIP> on [::1]:53: read udp [::1]:51277->[::1]:53: read: connection refused

Here is my logstash config

input {
  beats {
    port => 5044
    ssl =>false
  }
}
    filter {
  if [fileset][module] == "system" {
    if [fileset][name] == "auth" {
      grok {
        match => { "message" => ["%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][$
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]$
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]$
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]$
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]$
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]$
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]$
        pattern_definitions => {
          "GREEDYMULTILINE"=> "(.|\n)*"
        }
        remove_field => "message"
      }
      date {
        match => [ "[system][auth][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      }
      geoip {
        source => "[system][auth][ssh][ip]"
        target => "[system][auth][ssh][geoip]"
      }
    }
    else if [fileset][name] == "syslog" {
      grok {
        match => { "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:[system$
        pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }
        remove_field => "message"
      }
      date {
        match => [ "[system][syslog][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      }
    }
  }
}

    output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

And here are the two filebeat

the one local to the ELK server

output.logstash:
hosts: ["localhost:5044"]

the remote one

output.logstash:
hosts: ["<ELKIP>:5044"]

All the rest was not modified and the local filebeat works.

I can also ping and telnet to 5044 to ELK server from remote server.

pierhugues · January 11, 2019, 2:07am

@Wellguys Is there any errors in the Logstash logs?

Wellguys · January 11, 2019, 7:28am

No problem from Logstash. From its perspective there is just one filebeat sending him data.

Wellguys · January 11, 2019, 11:59am

I started all over again and found the problem. I had to disable SSL for logstash or remote filebeat could not access without the correct certificate.

system · February 8, 2019, 11:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat not able to send logs to logstash (Filebeat fails to connect logstash) Beats filebeat	3	1232	February 15, 2019
Configuring filebeat to send specified logs to E.L.K server's logstash HELP! Beats filebeat	16	12842	July 5, 2017
Unable to connect local filebeat to distant logstash Beats filebeat	5	721	July 13, 2020
Filebeat not fowarding to Logstash Beats filebeat	23	3562	March 9, 2017
Filebeat failed to connect to logstash Beats	2	1098	September 21, 2018

Remote Filebeat can't send logs to Logstash

Related topics