it's the same for all the logs.
some times it goes away, but usually I face the issue and nothing helps. Nothing suspicious in logs:
[2018-03-16T12:40:54,572][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.0.1.4:5044, remote: 31.44.80.66:63210] Received a new payload
[2018-03-16T12:40:54,573][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.0.1.4:5044, remote: 31.44.80.66:63210] Sending a new message for the listener, sequence: 1
[2018-03-16T12:40:54,574][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.0.1.4:5044, remote: 31.44.80.66:63210] Received a new payload
[2018-03-16T12:40:54,574][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.0.1.4:5044, remote: 31.44.80.66:63210] Sending a new message for the listener, sequence: 1
[2018-03-16T12:40:54,579][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.0.1.4:5044, remote: 31.44.80.66:63210] Sending a new message for the listener, sequence: 2
[2018-03-16T12:40:54,580][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.0.1.4:5044, remote: 31.44.80.66:63210] Sending a new message for the listener, sequence: 3
[2018-03-16T12:40:54,581][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.0.1.4:5044, remote: 31.44.80.66:63210] Received a new payload
[2018-03-16T12:40:54,581][DEBUG][org.logstash.beats.BeatsHandler] [local: 10.0.1.4:5044, remote: 31.44.80.66:63210] Sending a new message for the listener, sequence: 1
[2018-03-16T12:40:54,682][DEBUG][logstash.pipeline ] filter received {"event"=>{"beat"=>{"name"=>"evg-ras-pa-1", "version"=>"6.2.2", "hostname"=>"evg-ras-pa-1"}, "prospector"=>{"type"=>"log"}, "host"=>"evg-ras-pa-1", "tags"=>["beats_input_codec_plain_applied"], "@timestamp"=>2018-03-16T12:40:33.725Z, "source"=>"c:\\ProgramData\\Parallels\\RASLogs\\controller.log", "@version"=>"1", "offset"=>5137685, "message"=>"[I 0E/00000000/T00001478] Fri Mar 16 15:40:30 2018 - Session login for user: rasuser800@testras, from IP: 10.225.9.49 was successful."}}
[2018-03-16T12:40:54,683][DEBUG][logstash.pipeline ] filter received {"event"=>{"beat"=>{"name"=>"evg-ras-pa-1", "version"=>"6.2.2", "hostname"=>"evg-ras-pa-1"}, "prospector"=>{"type"=>"log"}, "host"=>"evg-ras-pa-1", "tags"=>["beats_input_codec_plain_applied"], "@timestamp"=>2018-03-16T12:40:33.725Z, "source"=>"c:\\ProgramData\\Parallels\\RASLogs\\controller.log", "@version"=>"1", "offset"=>5138421, "message"=>"[I 06/0000000A/T00001478] Fri Mar 16 15:40:30 2018 - User rasuser800@testras, Client html5-ef73545a, Address 10.225.9.49 wants to open \"#5\" Application, Server EVG-WS2016-3:3389 is available"}}
[2018-03-16T12:40:54,684][DEBUG][logstash.pipeline ] filter received {"event"=>{"beat"=>{"name"=>"evg-ras-pa-1", "hostname"=>"evg-ras-pa-1", "version"=>"6.2.2"}, "prospector"=>{"type"=>"log"}, "host"=>"evg-ras-pa-1", "tags"=>["beats_input_codec_plain_applied"], "@timestamp"=>2018-03-16T12:40:41.772Z, "source"=>"c:\\ProgramData\\Parallels\\RASLogs\\controller.log", "@version"=>"1", "offset"=>5138961, "message"=>"[I 0E/00000000/T000015F0] Fri Mar 16 15:40:40 2018 - Session login for user: rasuser800@testras, from IP: 10.225.9.49 was successful."}}
[2018-03-16T12:40:54,684][DEBUG][logstash.filters.grok ] Running grok filter {:event=>#<LogStash::Event:0x631cf0c7>}
[2018-03-16T12:40:54,686][DEBUG][logstash.pipeline ] filter received {"event"=>{"beat"=>{"name"=>"evg-ras-pa-1", "hostname"=>"evg-ras-pa-1", "version"=>"6.2.2"}, "prospector"=>{"type"=>"log"}, "host"=>"evg-ras-pa-1", "tags"=>["beats_input_codec_plain_applied"], "@timestamp"=>2018-03-16T12:40:33.725Z, "source"=>"c:\\ProgramData\\Parallels\\RASLogs\\controller.log", "@version"=>"1", "offset"=>5138037, "message"=>"[I 06/00000034/T00001478] Fri Mar 16 15:40:30 2018 - Resource LB User 'rasuser800' Server 'EVG-WS2016-3' Session state: 6 - Reconnected to an Active Session (Username Match)\r"}}
[2018-03-16T12:40:54,687][DEBUG][logstash.pipeline ] filter received {"event"=>{"beat"=>{"name"=>"evg-ras-pa-1", "hostname"=>"evg-ras-pa-1", "version"=>"6.2.2"}, "prospector"=>{"type"=>"log"}, "host"=>"evg-ras-pa-1", "tags"=>["beats_input_codec_plain_applied"], "@timestamp"=>2018-03-16T12:40:40.745Z, "source"=>"c:\\ProgramData\\Parallels\\RASLogs\\controller.log", "@version"=>"1", "offset"=>5138691, "message"=>"[I 0E/00000000/T00000EAC] Fri Mar 16 15:40:40 2018 - Session login for user: rasuser800@testras, from IP: 10.225.9.49 was successful."}}
[2018-03-16T12:40:54,689][DEBUG][logstash.filters.grok ] Event now: {:event=>#<LogStash::Event:0x631cf0c7>}
and this is what I see in filebeat log:
|2018-03-16T15:40:53.955+0300|ERROR|logstash/async.go:235|Failed to publish events caused by: read tcp 10.225.9.49:63171->52.166.161.25:5044: wsarecv: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.|
|---|---|---|---|
|2018-03-16T15:40:53.955+0300|ERROR|logstash/async.go:235|Failed to publish events caused by: read tcp 10.225.9.49:63171->52.166.161.25:5044: wsarecv: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.|
|2018-03-16T15:40:53.955+0300|ERROR|logstash/async.go:235|Failed to publish events caused by: read tcp 10.225.9.49:63171->52.166.161.25:5044: wsarecv: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.|
|2018-03-16T15:40:53.955+0300|ERROR|logstash/async.go:235|Failed to publish events caused by: client is not connected|
|2018-03-16T15:40:54.958+0300|ERROR|pipeline/output.go:92|Failed to publish events: client is not connected|