Topbeat to Elasticsearch - connection refused


#1

Hey, I have the following setup:

(machine1) -> (machine2)
(Filebeat) -> (Logstash->ElasticSearch)
(Topbeat) -> (ElasticSearch)

Filebeat, logstash, elasticsearch setup is working fine. However, topbeat is not working properly:

  • Elasticsearch doesn't receive any data from Topbeat
  • Topbeat doesn't generate any registry or log file
  • Running Topbeat with the -v or -d "*" flags just leaves the command line waiting, and the only way to fix it is to restart the SSH connection

Here is the topbeat yml file:

input:
  # In seconds, defines how often to read server statistics
  period: 10

  # Regular expression to match the processes that are monitored
  # By default, all the processes are monitored
  procs: [".*"]

  # Statistics to collect (all enabled by default)
  stats:
    # per system statistics, by default is true
    system: true

    # per process statistics, by default is true
    process: true

    # file system information, by default is true
    filesystem: true

    # cpu usage per core, by default is false
    cpu_per_core: true
output:

  ### Elasticsearch as output
  elasticsearch:
    # Array of hosts to connect to.
    # Scheme and port can be left out and will be set to the default (http and 9200)
    # In case you specify an additional path, the scheme is required: http://localhost:9200/path
    # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
    hosts: ["ptlisvlsdn033.dci.co-int.net:9200"]

    # Optional protocol and basic auth credentials.
    #protocol: "https"
    #username: "admin"
    #password: "s3cr3t"

    # Number of workers per Elasticsearch host.
    #worker: 1

    # Optional index name. The default is "topbeat" and generates
    # [topbeat-]YYYY.MM.DD keys.
    index: "topbeat"

    # A template is used to set the mapping in Elasticsearch
    # By default template loading is disabled and no template is loaded.
    # These settings can be adjusted to load your own template or overwrite existing ones
    template:

      # Template name. By default the template name is topbeat.
      name: "topbeat"

      # Path to template file
      path: "/etc/topbeat/topbeat.template.json"

      # Overwrite existing template
      #overwrite: false

The one time that the -v flag actually worked, it showed something like: Topbeat can't connect to ptlisvlsdn033.dci.co-int.net. But that shouldn't be a problem, as Filebeat can.


#2
# ./topbeat -configtest -e
2016/11/28 13:41:56.792711 output.go:184: ERR Could not load template: Template could not be loaded. Error: Put http://ptlisvlsdn033.dci.co-int.net:9200/_template/topbeat: dial tcp 10.46.161.212:9200: getsockopt: connection refused

So it seems the problem is that it can't load the template. Does anyone know how to fix this?
It looks like a connection problem. I loaded the template manually and it still gives this error.


#4

Solved the connection problem. It looks like ES was refusing the connection. Had to change elasticsearch.yml to bind to 0.0.0.0.

The index was created and I can recognize it in Kibana, but no data is there even though Topbeat is running.

Again, running "./topbeat -v -c /etc/topbeat/topbeat.yml" produces no results, just the command line hanging.

UPDATE: fixed, everything working.
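
The bind-address behaviour behind the fix above, as an added example that is not part of the original posts: it reads `network.host` from an elasticsearch.yml, classifies the HTTP port as loopback-only (the "connection refused" case), bound to every interface (what 0.0.0.0 does) or scoped to one address, and includes a TCP probe that tells a refused connection from an unreachable host. The sample configs and the 10.0.0.5 address are constructed, and the loopback default assumes Elasticsearch 2.x or later.

```python
import ipaddress
import re
import socket

# Constructed elasticsearch.yml fragments (sample input, not from the thread).
DEFAULT_YML = "cluster.name: demo\n# network.host: 192.168.0.1\n"
WILDCARD_YML = "cluster.name: demo\nnetwork.host: 0.0.0.0\n"
SCOPED_YML = 'network.host: "10.0.0.5"  # monitoring VLAN\n'

def bind_host(yml_text):
    """Effective bind value. Assumption: ES 2.x+, where unset means loopback."""
    found = {}
    for line in yml_text.splitlines():
        m = re.match(r"\s*(network\.(?:bind_host|host))\s*:\s*([^#]+)", line)
        if m:
            found[m.group(1)] = m.group(2).strip().strip("\"'")
    return found.get("network.bind_host") or found.get("network.host") or "_local_"

def exposure(host):
    """'loopback', 'all-interfaces' or 'scoped' for one network.host value."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # hostname or special value such as _local_ or _site_
        return "loopback" if host in ("_local_", "localhost") else "scoped"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "scoped"

def probe(host, port, timeout=2.0):
    """TCP connect result: 'open', 'refused' (nothing listening) or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, no route, DNS failure
        return "unreachable"

ADVICE = {
    "loopback": "remote Beats get 'connection refused'; only local clients connect",
    "all-interfaces": "9200 answers on every network; restrict with firewall or auth",
    "scoped": "reachable only through the listed address or interface",
}

def audit(yml_text):
    host = bind_host(yml_text)
    return host, exposure(host), ADVICE[exposure(host)]

if __name__ == "__main__":
    print([audit(t) for t in (DEFAULT_YML, WILDCARD_YML, SCOPED_YML)])
```

Running `probe` from the Beat's machine against the Elasticsearch host and port separates a bind-address problem ("refused") from a routing or firewall problem ("unreachable").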


(Andrew Kroh) #5

Use -e if you want the output to go to stderr. Otherwise the output goes to the log file or syslog, depending on what's in your config file.

