Sending log from filebeat to logstash error: Failed to publish events caused by: lumberjack protocol error

Halo guys
I'm new with ELK Stack
I try to send IIS log from FileBeat to Logstash and further but it doesn't work. I get an error Failed to publish events caused by: lumberjack protocol error when start FileBeat (Logstash is running)

Here all my config

filebeat.yml

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - e:\\elk\\iislog\\*
  exclude_lines: ['#']
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
output.logstash:
  hosts: ["localhost:5044"]

logstash.yml

 node.name: main
 pipeline.id: main
 pipeline.workers: 2
 http.host: "localhost"
 http.port: 5044

logstash.iis.conf

input {  
   beats {
        port => "5044"
    }
}

output {

}

iis.yml

- module: iis
  # Access logs
  access:
    enabled: true
    var.paths: 
        - e:\elk\iislog\*.log
  error:
    enabled: true

Logstash screen stand at line Successfully started Logstash API endpoint {:port=>5044} All stack are version 7.4.0

Can you guys show me what am i doing wrong
Thanks

Change this monitoring port to the default 9600 as it clashes with the beats input. You can not have two different things bind to the same port.

Thanks for your help, i change the config like you said and now it throws new error
dial tcp [::1]:5044: connectex: No connection could be made because the target machine actively refused it.
Can you help me ?

I assume you did not change the beats plugin config?

I disabled iis module
Now my filebeat.yml is

filebeat.inputs:

- type: log
  enabled: true

  paths:
    - e:\elk\iislog\*
  exclude_lines: ['#']
output.logstash:
  hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["E:\\elk\\cert\\server.crt"]

  # Certificate for SSL client authentication
  ssl.certificate: "E:\\elk\\cert\\server.crt"

  # Client Certificate Key
  ssl.key: "E:\\elk\\cert\\server.key"

and the logstash.iis.conf is

input {  
   beats {
        port => 5044
	ssl => true
	ssl_certificate_authorities => "E:\elk\cert\server.crt"
	ssl_certificate => "E:\elk\cert\server.crt"
	ssl_key => "E:\elk\cert\server.key"
	ssl_verify_mode => "peer"
	}
}

output {
	stdout { 
	     
	}
}

and the logstash.yml unchange

start logstash
logstash -f logstash.iis.conf
start filebeat
filebeat -e -c filebeat.yml

My bad
I using the config file in one folder and edit file in other location

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.