Unable to get logstash guide example working

samba1 · February 6, 2016, 4:24am

I'm following along with this: https://www.elastic.co/guide/en/logstash/current/advanced-pipeline.html

And was on the second part.

I decided to not do twitter to avoid signing up for a dev key and giving them my phone, and instead am just doing the beats part.

First I tried without SSL, and was getting the error:

Beats Input: Remote connection closed {:peer=>"127.0.0.1:58326", :exception=>#<Lumberjack::Beats::Connection::ConnectionClosed: Lumberjack::Beats::Connection::ConnectionClosed wrapping: Lumberjack::Beats::Parser::UnsupportedProtocol, unsupported protocol 72>, :level=>:warn}

Then I added SSL stuff, and now get

The error reported is: 
  No message available

For reference, my logstash config is:

input {
    beats {
        port => "5043"
    }
}
output {
    elasticsearch {
    }
    file {
        path => "/tmp/logstash-out"
    }
}

and my filebeat.yml is

filebeat:
  prospectors:
    -
      paths:
        - "/var/log/*.log"
      fields:
        type: syslog
output:
  elasticsearch:
    enabled: true
    hosts: ["http://localhost:5043"]

I'm just trying to get something going to see it working.

warkolm · February 6, 2016, 4:28am

You have beats sending directly to ES, not to LS, and on a bad port.
Maybe you intended to use the Logstash output as mentioned here.

samba1 · February 6, 2016, 3:31pm

I thought was odd, but I was following the guide (which I mis-linked originally, it's https://www.elastic.co/guide/en/logstash/current/advanced-pipeline.html)

I feel like I tried that, as well, but I will try again.

samba1 · February 7, 2016, 4:44pm

Setting it to localhost:5044 gives a "connection refused", even though logstash is indeed running.

That's because logstash does indeed run on port 5043, so the "elasticsearch" in the thing I linked is right, just mislabeled, I think.

Is there accurate documentation on connecting filebeats and logstash anywhere?

warkolm · February 9, 2016, 1:18am

What's your config look like now?

samba1 · February 9, 2016, 11:57pm

I've tried reducing it to just this:

input {
    beats {
        port => "5043"
    }
}
output {
    elasticsearch {
    }
    file {
        path => "/tmp/logstash-out"
    }
}

warkolm · February 10, 2016, 12:18am

What about filebeat?

samba1 · February 10, 2016, 10:15pm

I've tried a number of setups, here's one:

filebeat:
  prospectors:
    -
      paths:
        - "/var/log/foo.log"
      input_type: log
output:
  elasticsearch:
    hosts: ["localhost:9200"]
  logstash:
    hosts: ["localhost:5043"]

Topic		Replies	Views
Logstash Installation Logstash	3	671	July 6, 2017
Filebeat no connection could be made because the target machine actively refused it Logstash	10	1177	June 4, 2021
Filebeat could not connect to logstash on SSL Beats filebeat	6	3854	November 30, 2018
Logstash beats: 69/71 error Logstash	4	6945	December 29, 2021
ERR SSL client failed to connect with: Logstash	12	2515	July 6, 2017

Unable to get logstash guide example working

Related topics