Sending log from filebeat to logstash error: Failed to publish events caused by: lumberjack protocol error

Sam · October 20, 2019, 3:15am

Halo guys
I'm new with ELK Stack
I try to send IIS log from FileBeat to Logstash and further but it doesn't work. I get an error Failed to publish events caused by: lumberjack protocol error when start FileBeat (Logstash is running)

Here all my config

filebeat.yml

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - e:\\elk\\iislog\\*
  exclude_lines: ['#']
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
output.logstash:
  hosts: ["localhost:5044"]

logstash.yml

 node.name: main
 pipeline.id: main
 pipeline.workers: 2
 http.host: "localhost"
 http.port: 5044

logstash.iis.conf

input {  
   beats {
        port => "5044"
    }
}

output {

}

iis.yml

- module: iis
  # Access logs
  access:
    enabled: true
    var.paths: 
        - e:\elk\iislog\*.log
  error:
    enabled: true

Logstash screen stand at line Successfully started Logstash API endpoint {:port=>5044} All stack are version 7.4.0

Can you guys show me what am i doing wrong
Thanks

Christian_Dahlqvist · October 20, 2019, 6:54am

Change this monitoring port to the default 9600 as it clashes with the beats input. You can not have two different things bind to the same port.

Sam · October 20, 2019, 12:30pm

Thanks for your help, i change the config like you said and now it throws new error
dial tcp [::1]:5044: connectex: No connection could be made because the target machine actively refused it.
Can you help me ?

Christian_Dahlqvist · October 20, 2019, 12:56pm

I assume you did not change the beats plugin config?

Sam · October 20, 2019, 1:02pm

I disabled iis module
Now my filebeat.yml is

filebeat.inputs:

- type: log
  enabled: true

  paths:
    - e:\elk\iislog\*
  exclude_lines: ['#']
output.logstash:
  hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["E:\\elk\\cert\\server.crt"]

  # Certificate for SSL client authentication
  ssl.certificate: "E:\\elk\\cert\\server.crt"

  # Client Certificate Key
  ssl.key: "E:\\elk\\cert\\server.key"

and the logstash.iis.conf is

input {  
   beats {
        port => 5044
	ssl => true
	ssl_certificate_authorities => "E:\elk\cert\server.crt"
	ssl_certificate => "E:\elk\cert\server.crt"
	ssl_key => "E:\elk\cert\server.key"
	ssl_verify_mode => "peer"
	}
}

output {
	stdout { 
	     
	}
}

and the logstash.yml unchange

start logstash
logstash -f logstash.iis.conf
start filebeat
filebeat -e -c filebeat.yml

Sam · October 20, 2019, 2:35pm

My bad
I using the config file in one folder and edit file in other location

system · November 17, 2019, 2:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Getting " ERR Failed to publish events caused by: lumberjack protocol error" in Filebeat Beats filebeat	5	11514	December 5, 2017
[Filebeat IIS] lumberjack protocol error Beats filebeat	3	473	May 14, 2019
Filebeat throws error while sending the logs to logstash Beats filebeat	1	1061	February 6, 2018
Logstash/Beats Issue - Logs not being published Beats	4	1112	November 22, 2016
Filebeat to logstash - connectivity issue Beats filebeat	4	536	October 17, 2019

Sending log from filebeat to logstash error: Failed to publish events caused by: lumberjack protocol error

Related Topics