Unable to get logstash guide example working

samba1 · February 6, 2016, 4:24am

I'm following along with this: https://www.elastic.co/guide/en/logstash/current/advanced-pipeline.html

And was on the second part.

I decided to not do twitter to avoid signing up for a dev key and giving them my phone, and instead am just doing the beats part.

First I tried without SSL, and was getting the error:

Beats Input: Remote connection closed {:peer=>"127.0.0.1:58326", :exception=>#<Lumberjack::Beats::Connection::ConnectionClosed: Lumberjack::Beats::Connection::ConnectionClosed wrapping: Lumberjack::Beats::Parser::UnsupportedProtocol, unsupported protocol 72>, :level=>:warn}

Then I added SSL stuff, and now get

The error reported is: 
  No message available

For reference, my logstash config is:

input {
    beats {
        port => "5043"
    }
}
output {
    elasticsearch {
    }
    file {
        path => "/tmp/logstash-out"
    }
}

and my filebeat.yml is

filebeat:
  prospectors:
    -
      paths:
        - "/var/log/*.log"
      fields:
        type: syslog
output:
  elasticsearch:
    enabled: true
    hosts: ["http://localhost:5043"]

I'm just trying to get something going to see it working.

warkolm · February 6, 2016, 4:28am

You have beats sending directly to ES, not to LS, and on a bad port.
Maybe you intended to use the Logstash output as mentioned here.

samba1 · February 6, 2016, 3:31pm

I thought was odd, but I was following the guide (which I mis-linked originally, it's https://www.elastic.co/guide/en/logstash/current/advanced-pipeline.html)

I feel like I tried that, as well, but I will try again.

samba1 · February 7, 2016, 4:44pm

Setting it to localhost:5044 gives a "connection refused", even though logstash is indeed running.

That's because logstash does indeed run on port 5043, so the "elasticsearch" in the thing I linked is right, just mislabeled, I think.

Is there accurate documentation on connecting filebeats and logstash anywhere?

warkolm · February 9, 2016, 1:18am

What's your config look like now?

samba1 · February 9, 2016, 11:57pm

I've tried reducing it to just this:

input {
    beats {
        port => "5043"
    }
}
output {
    elasticsearch {
    }
    file {
        path => "/tmp/logstash-out"
    }
}

warkolm · February 10, 2016, 12:18am

What about filebeat?

samba1 · February 10, 2016, 10:15pm

I've tried a number of setups, here's one:

filebeat:
  prospectors:
    -
      paths:
        - "/var/log/foo.log"
      input_type: log
output:
  elasticsearch:
    hosts: ["localhost:9200"]
  logstash:
    hosts: ["localhost:5043"]

Topic		Replies	Views
Filebeat no connection could be made because the target machine actively refused it Logstash	10	1168	June 4, 2021
Filebeat throws error while sending the logs to logstash Beats filebeat	1	1061	February 6, 2018
ELK + Filebeat Elasticsearch	8	2294	April 5, 2018
Configure Filebeat for All Logs Beats filebeat	35	15445	July 5, 2017
Logs are not being pushed from beats to logstash Beats	6	2662	August 26, 2016

Unable to get logstash guide example working

Related Topics