TOPBEAT > WINDOWS : Topbeat starting but showing error in log


(Krushnat Khawale) #1

Hi, I am using Topbeat for monitoring. I've downloaded it and followed the process as per the instructions.
I am using Windows and I want to post my logs to a computer in my network (10.77.240116).

After running topbeat powershell as a service, it runs with no successful message. I saw the following message in C:/ProgramData/topbeat/Logs:

2016-03-15T18:01:14+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid

Any probable reason?

NOTE: We are inside firewall of company. Ping from my machine to above IP is successful.


(Magnus Bäck) #2

If you post your configuration formatted as code it might be easier to help.


(Krushnat Khawale) #3

Hi @magnusbaeck

Here is the configuration.

input:
  period: 10
  procs: [".*"]
  stats:
    system: true
    proc: true
    filesystem: true
    cpu_per_core: false

output:
  elasticsearch:
    hosts: ["10.77.240.116:9200"]
    index: "krtopbeat"

  console:
    pretty: false

shipper:
logging:
  files:
    rotateeverybytes: 10485760 # = 10MB

We are using default configuration, sending you by removing comments.


(Magnus Bäck) #4

I would assume it's the console output that's causing this. Not sure why Topbeat attempts to open /dev/stdout on Windows (or the error message is bad).


(Krushnat Khawale) #5

Actually we ain't even seeing any message on console, so I enabled it. Shall I try without console as output?


(Magnus Bäck) #6

When debugging why something doesn't work it's always a good idea to disable features to see what might be behind the problems.


(Krushnat Khawale) #7

True. Any reason why it is happening? Or a solution?


(Krushnat Khawale) #8

Hi @magnusbaeck,
What do you mean by " it's the console output that's causing this"?
Are you pointing to,

console:
    pretty: false

?


(Krushnat Khawale) #9

Yeah @magnusbaeck,

You are right. The "error message is bad". I tried with localhost by putting logging level info, worked.

Logfile says,

2016-03-16T11:48:47+05:30 INFO GeoIP disabled: No paths were set under output.geoip.paths
2016-03-16T11:48:47+05:30 INFO Activated console as output plugin.
2016-03-16T11:48:47+05:30 INFO Activated elasticsearch as output plugin.
2016-03-16T11:48:47+05:30 INFO Publisher name: DIN16000704
2016-03-16T11:48:47+05:30 INFO Flush Interval set to: 1s
2016-03-16T11:48:47+05:30 INFO Max Bulk Size set to: 2048
2016-03-16T11:48:47+05:30 INFO Flush Interval set to: 1s
2016-03-16T11:48:47+05:30 INFO Max Bulk Size set to: 50
2016-03-16T11:48:47+05:30 INFO Init Beat: topbeat; Version: 1.1.1
2016-03-16T11:48:47+05:30 INFO topbeat sucessfully setup. Start running.
2016-03-16T11:48:58+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid.
2016-03-16T11:48:58+05:30 INFO Error bulk publishing events: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:08+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:08+05:30 INFO Error bulk publishing events: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:18+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:18+05:30 INFO Error bulk publishing events: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:28+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:28+05:30 INFO Error bulk publishing events: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:38+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:38+05:30 INFO Error bulk publishing events: write /dev/stdout: The handle is invalid.
2016-03-16T11:49:44+05:30 INFO Cleaning up topbeat before shutting down.

Not getting what's wrong. Any idea?

Tried with another computer in network, loglevel = info:

2016-03-16T11:58:25+05:30 INFO Connecting error publishing events (retrying): Head http://10.76.170.79:9200: dial tcp 10.76.170.79:9200: connectex: No connection could be made because the target machine actively refused it.
2016-03-16T11:58:25+05:30 INFO send fail
2016-03-16T11:58:25+05:30 INFO backoff retry: 1s
2016-03-16T11:58:27+05:30 INFO Connecting error publishing events (retrying): Head http://10.76.170.79:9200: dial tcp 10.76.170.79:9200: connectex: No connection could be made because the target machine actively refused it.
2016-03-16T11:58:27+05:30 INFO send fail
2016-03-16T11:58:27+05:30 INFO backoff retry: 2s
2016-03-16T11:58:30+05:30 INFO Connecting error publishing events (retrying): Head http://10.76.170.79:9200: dial tcp 10.76.170.79:9200: connectex: No connection could be made because the target machine actively refused it.
2016-03-16T11:58:30+05:30 INFO send fail
2016-03-16T11:58:30+05:30 INFO backoff retry: 4s
2016-03-16T11:58:35+05:30 ERR Error sending/writing event: write /dev/stdout: The handle is invalid.

(Krushnat Khawale) #10

@magnusbaeck, Team, is there a way to force or cheat around topbeat to push meaning problem or log?

Has anybody pushed topbeat to remote elasticsearch with or without proxy?

We can always go around change network policy but we need to know what?

Regards, Chirag Shah


(Magnus Bäck) #11

2016-03-16T11:58:30+05:30 INFO Connecting error publishing events (retrying): Head http://10.76.170.79:9200: dial tcp 10.76.170.79:9200: connectex: No connection could be made because the target machine actively refused it.

"Connection refused" in other words. Is ES listening on 10.76.170.79:9200 in the first place? If yes, is there a firewall blocking the access?


(Krushnat Khawale) #12

@magnusbaeck Yes, we are inside a firewall. Any proxy settings??


(Andrew Kroh) #14

The Elasticsearch output supports using an HTTP proxy. You configure the proxy using the proxy_url option.


(Krushnat Khawale) #15

Hi @andrewkroh, thanks for your time.

Yeah, I saw that in ES configuration. I'm not a networking guy honestly and I don't have any idea what should be the value of 'proxy_url'?


(Andrew Kroh) #16

The value can be http://host:port or http://username:password@host:port if you need to do basic auth. host is the IP address or hostname of your proxy server and port is the port number that the proxy server is listening on.

So if I had a squid server on my network at 192.168.1.100 I would write:

output:
  elasticsearch:
    hosts: ["1.2.3.4:9200"]
    proxy_url: http://192.168.1.100:3128
