Sam
(Vũ Hoàng Sơn)
October 20, 2019, 3:15am
1
Halo guys
I'm new with ELK Stack
I try to send IIS log from FileBeat to Logstash and further but it doesn't work. I get an error Failed to publish events caused by: lumberjack protocol error when start FileBeat (Logstash is running)
Here all my config
filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- e:\\elk\\iislog\\*
exclude_lines: ['#']
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
output.logstash:
hosts: ["localhost:5044"]
logstash.yml
node.name: main
pipeline.id: main
pipeline.workers: 2
http.host: "localhost"
http.port: 5044
logstash.iis.conf
input {
beats {
port => "5044"
}
}
output {
}
iis.yml
- module: iis
# Access logs
access:
enabled: true
var.paths:
- e:\elk\iislog\*.log
error:
enabled: true
Logstash screen stand at line Successfully started Logstash API endpoint {:port=>5044} All stack are version 7.4.0
Can you guys show me what am i doing wrong
Thanks
Change this monitoring port to the default 9600 as it clashes with the beats input. You can not have two different things bind to the same port.
Sam
(Vũ Hoàng Sơn)
October 20, 2019, 12:30pm
3
Thanks for your help, i change the config like you said and now it throws new error
dial tcp [::1]:5044: connectex: No connection could be made because the target machine actively refused it.
Can you help me ?
I assume you did not change the beats plugin config?
Sam
(Vũ Hoàng Sơn)
October 20, 2019, 1:02pm
5
I disabled iis module
Now my filebeat.yml is
filebeat.inputs:
- type: log
enabled: true
paths:
- e:\elk\iislog\*
exclude_lines: ['#']
output.logstash:
hosts: ["localhost:5044"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
ssl.certificate_authorities: ["E:\\elk\\cert\\server.crt"]
# Certificate for SSL client authentication
ssl.certificate: "E:\\elk\\cert\\server.crt"
# Client Certificate Key
ssl.key: "E:\\elk\\cert\\server.key"
and the logstash.iis.conf is
input {
beats {
port => 5044
ssl => true
ssl_certificate_authorities => "E:\elk\cert\server.crt"
ssl_certificate => "E:\elk\cert\server.crt"
ssl_key => "E:\elk\cert\server.key"
ssl_verify_mode => "peer"
}
}
output {
stdout {
}
}
and the logstash.yml unchange
start logstash
logstash -f logstash.iis.conf
start filebeat
filebeat -e -c filebeat.yml
Sam
(Vũ Hoàng Sơn)
October 20, 2019, 2:35pm
6
My bad
I using the config file in one folder and edit file in other location
system
(system)
Closed
November 17, 2019, 2:35pm
7
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.