TOPBEAT > WINDOWS : Topbeat starting but showing error in log

Hi, I am using Topbeat for monitoring. I've downloaded it and followed the process as per the instructions.
I am using WINDOWS and I want to post my logs to a computer in my network (10.77.240.116).

After running topbeat from PowerShell as a service, it runs with no success message. I saw the following message in C:/ProgramData/topbeat/Logs:

2016-03-15T18:01:14+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid

Any probable reason?

NOTE: We are inside the company firewall. Ping from my machine to the above IP is successful.

If you post your configuration formatted as code it might be easier to help.

Hi @magnusbaeck

Here is the configuration.

input:
  period: 10
  procs: [".*"]
  stats:
    system: true
    proc: true
    filesystem: true
    cpu_per_core: false

output:
  elasticsearch:
    hosts: ["10.77.240.116:9200"]
    index: "krtopbeat"

  console:
    pretty: false

shipper:
logging:
  files:
    rotateeverybytes: 10485760 # = 10MB

We are using the default configuration; I am sending it to you with the comments removed.

I would assume it's the console output that's causing this. Not sure why Topbeat attempts to open /dev/stdout on Windows (or the error message is bad).

Actually we weren't even seeing any message on the console, so I enabled it. Shall I try without console as output?

When debugging why something doesn't work it's always a good idea to disable features to see what might be behind the problems.

True. Any reason why it is happening? or Solution?

Hi @magnusbaeck,
What do you mean by "it's the console output that's causing this"?
Are you pointing to

console:
    pretty: false

?

Yeah @magnusbaeck,

You are right. The "error message is bad". I tried with localhost, setting the logging level to info, and it worked.

The logfile says:

2016-03-16T11:48:47+05:30 INFO GeoIP disabled: No paths were set under output.geoip.paths
2016-03-16T11:48:47+05:30 INFO Activated console as output plugin.
2016-03-16T11:48:47+05:30 INFO Activated elasticsearch as output plugin.
2016-03-16T11:48:47+05:30 INFO Publisher name: DIN16000704
2016-03-16T11:48:47+05:30 INFO Flush Interval set to: 1s
2016-03-16T11:48:47+05:30 INFO Max Bulk Size set to: 2048
2016-03-16T11:48:47+05:30 INFO Flush Interval set to: 1s
2016-03-16T11:48:47+05:30 INFO Max Bulk Size set to: 50
2016-03-16T11:48:47+05:30 INFO Init Beat: topbeat; Version: 1.1.1
2016-03-16T11:48:47+05:30 INFO topbeat sucessfully setup. Start running.
2016-03-16T11:48:58+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid.
2016-03-16T11:48:58+05:30 INFO Error bulk publishing events: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:08+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:08+05:30 INFO Error bulk publishing events: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:18+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:18+05:30 INFO Error bulk publishing events: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:28+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:28+05:30 INFO Error bulk publishing events: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:38+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:38+05:30 INFO Error bulk publishing events: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:44+05:30 INFO Cleaning up topbeat before shutting down.

Not getting what's wrong. Any idea?

Tried with another computer in network, loglevel = info

2016-03-16T11:58:25+05:30 INFO Connecting error publishing events (retrying): Head http://10.76.170.79:9200: dial tcp 10.76.170.79:9200: connectex: No connection could be made because the target machine actively refused it.
2016-03-16T11:58:25+05:30 INFO send fail
2016-03-16T11:58:25+05:30 INFO backoff retry: 1s
2016-03-16T11:58:27+05:30 INFO Connecting error publishing events (retrying): Head http://10.76.170.79:9200: dial tcp 10.76.170.79:9200: connectex: No connection could be made because the target machine actively refused it.
2016-03-16T11:58:27+05:30 INFO send fail
2016-03-16T11:58:27+05:30 INFO backoff retry: 2s
2016-03-16T11:58:30+05:30 INFO Connecting error publishing events (retrying): Head http://10.76.170.79:9200: dial tcp 10.76.170.79:9200: connectex: No connection could be made because the target machine actively refused it.
2016-03-16T11:58:30+05:30 INFO send fail
2016-03-16T11:58:30+05:30 INFO backoff retry: 4s
2016-03-16T11:58:35+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid.

@magnusbaeck, Team, is there a way to force or cheat around topbeat to push meaning problem or log?

Has anybody pushed topbeat to a remote elasticsearch with or without a proxy?

We can always go around and change network policy, but we need to know what?

Regards, Chirag Shah

2016-03-16T11:58:30+05:30 INFO Connecting error publishing events (retrying): Head http://10.76.170.79:9200: dial tcp 10.76.170.79:9200: connectex: No connection could be made because the target machine actively refused it.

"Connection refused" in other words. Is ES listening on 10.76.170.79:9200 in the first place? If yes, is there a firewall blocking the access?

@magnusbaeck Yes, we are inside a firewall. Any proxy settings?

The Elasticsearch output supports using an HTTP proxy. You configure the proxy using the proxy_url option.

Hi @andrewkroh, thanks for your time.

Yeah, I saw that in the ES configuration. I'm not a networking guy, honestly, and I don't have any idea what should be the value of 'proxy_url'?

The value can be http://host:port or http://username:password@host:port if you need to do basic auth. host is the IP address or hostname of your proxy server and port is the port number that the proxy server is listening on.

So if I had a squid server on my network at 192.168.1.100 I would write:

output:
  elasticsearch:
    hosts: ["1.2.3.4:9200"]
    proxy_url: http://192.168.1.100:3128
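
An added example (not written by any poster in this thread, and not Elastic code): a small Python triage of a Topbeat log that separates the two failure modes seen above, the invalid stdout handle from the console output and the refused TCP connection to Elasticsearch. The sample log is constructed from lines quoted in the thread; the cause names and hint texts are this example's own labels.

```python
import re

# Constructed sample, shaped like the Topbeat 1.1.1 log lines quoted in the thread.
SAMPLE_LOG = """\
2016-03-16T11:48:47+05:30 INFO Activated console as output plugin.
2016-03-16T11:48:58+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid.
2016-03-16T11:48:58+05:30 INFO Error bulk publishing events: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:08+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid.
2016-03-16T11:58:25+05:30 INFO Connecting error publishing events (retrying): Head http://10.76.170.79:9200: dial tcp 10.76.170.79:9200: connectex: No connection could be made because the target machine actively refused it.
2016-03-16T11:58:25+05:30 INFO backoff retry: 1s
2016-03-16T11:58:27+05:30 INFO Connecting error publishing events (retrying): Head http://10.76.170.79:9200: dial tcp 10.76.170.79:9200: connectex: No connection could be made because the target machine actively refused it.
"""

LINE_RE = re.compile(r"^(\S+) ([A-Z]+) (.*)$")  # timestamp, level, message

# (cause, pattern, hint). Cause names and hints are this example's own labels.
RULES = [
    ("console_no_stdout",
     re.compile(r"write /dev/stdout: The handle is invalid"),
     "console output has no usable stdout; remove output.console from the config"),
    ("connection_refused",
     re.compile(r"dial tcp (?P<target>\S+): connectex: .*actively refused"),
     "nothing accepted the connection; check that ES listens there, then firewall/proxy_url"),
]

def triage(log_text):
    """Group log lines by failure cause; one occurrence per distinct timestamp."""
    found = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        ts, _level, msg = m.groups()
        for cause, pattern, hint in RULES:
            hit = pattern.search(msg)
            if hit:
                entry = found.setdefault(cause, {"times": [], "targets": set(), "hint": hint})
                if ts not in entry["times"]:  # ERR + INFO pair at one instant counts once
                    entry["times"].append(ts)
                if "target" in hit.groupdict():
                    entry["targets"].add(hit.group("target"))
                break
    return found

if __name__ == "__main__":
    for cause, e in triage(SAMPLE_LOG).items():
        print(cause, len(e["times"]), sorted(e["targets"]), "->", e["hint"])
```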