When I install x-pack, filebeat can not connect to Logstash

(dog) #1

Before I installed x-pack, everything worked well. When I installed x-pack, I received a 401 error and I configured the user according to the official document. But my filebeat can not connect to logstash.
Logstash error message: [WARN] [logstash.agent] crisis pipeline {: id => ". Monitoring-logstash"}
Filebeat error message:ERR Connecting error publishing events (retrying): dial tcp
44: connectex: No connection could be made because the target machine actively refused it.

This is my Logstash configuration file:
input {
beats {
port => "5043"
ssl => false
filter {
if [message] =~ "^#" {
drop {}
grok {
match => {"message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:sitename} %{IPORHOST:serverip} %{WORD:method} %{URIPATH:uri-stem} %{NOTSPACE:uri-query} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientip} %{NOTSPACE:useragent} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}"}
date {
locale => "en"
match => ["log_timestamp","YYYY-MM-dd HH:mm:ss"]
timezone => "Etc/UTC"
remove_field => ["log_timestamp"]
mutate {
remove_field => ["message","tags","input_type","beat"]

output {
elasticsearch {
hosts => [ "localhost:9200" ]
document_type => "iis_log"
index => "dog-%{+YYYY.MM.dd}"
user => logstash-index
password => password

This is my filebeat configuration file

  • input_type: log
    • C:\inetpub\logs\LogFiles\W3SVC*
      document_type: iis_log
      hosts: [""]
      bulk_max_size: 1024

Because i am copying, so their format is like wrong. In the test environment, the configuration file format is correct

(Steffen Siering) #2

Looks more like a logstash problem. It's logstash refusing to accept a new connection from beats.

401 in logstash or filebeat? filebeat -> logstash is not HTTP.

(dog) #3

thinks,I solved these problems, the problem is because the logstash filter in the field less one.

(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.