Failed to connect to backoff(async(tcp://ip:5044)): dial tcp ip:5044: i/o timeout

3
votes

Filebeat is running on Machine B which read logs and push to ELK logstash on Machine A.

But in the Machine B filebeat log, it shows the error i/o timeout

2019-08-24T12:13:10.065+0800    ERROR   pipeline/output.go:100  Failed to connect to backoff(async(tcp://example.com:5044)): dial tcp xx.xx.xx.xx:5044: i/o timeout 
2019-08-24T12:13:10.065+0800    INFO    pipeline/output.go:93   Attempting to reconnect to backoff(async(tcp://example.com:5044)) with 1 reconnect attempt(s)

I've check the logstash on Machine A which running well, can listening on 0 0.0.0.0:5044

Here is the logstash log

[INFO ] 2019-08-24 12:09:35.217 [[main]-pipeline-manager] beats - Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}

And here is netstat output,

$ sudo netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5044            0.0.0.0:*               LISTEN      20668/java

I also check the firewall on Machine A is closed.

$ firewall-cmd --list-all
FirewallD is not running

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

I also use telnet to connect Machine A, But I get this,

$ telnet example.com 5044
Trying xx.xx.xx.xx...
telnet: connect to address xx.xx.xx.xx: Connection timed out

I run the filebeat with same config on Machine A(local) to check it the config for filebeat on Machine B(remote) is wrong, it works well.

2019-08-24T14:17:35.195+0800    INFO    pipeline/output.go:95   Connecting to backoff(async(tcp://localhost:5044))
2019-08-24T14:17:35.198+0800    INFO    pipeline/output.go:105  Connection to backoff(async(tcp://localhost:5044)) established
1
centoslogstashfirewallfilebeatelk
Do you have SSL/TLS enabled and are the credentials/certificates configured correct in the filebeat.yml?apt-get_install_skill
I've tryed enable or disable SSL/TLS, both have abouve issue.LF00
@apt-get_install_skill It's caused by the VPS provider. They ban the port.LF00

1 Answers

3
votes

At last I find it's caused by the VPS Provider aliyun, it only open some common port such 22, 80,443.

I need to login to aliyun VPS management page, and open 5044 to make VPS Provider bypass the 5044 port.

*Note: * Attachment: some other issues I encountered when config filebeat with ELK.

**Issue 1: ** Failed to connect to backoff(async(tcp://ip:5044)): dial tcp ip:5044: connect: connection refused

2019-08-26T10:25:41.955+0800    ERROR   pipeline/output.go:100  Failed to connect to backoff(async(tcp://example.com:5044)): dial tcp xx.xx.xx.xx:5044: connect: connection refused
2019-08-26T10:25:41.955+0800    INFO    pipeline/output.go:93   Attempting to reconnect to backoff(async(tcp://example:5044)) with 2 reconnect attempt(s)

Issue 2: Failed to publish events caused by: write tcp ip:46890->ip:5044: write: connection reset by peer

2019-08-26T10:28:32.274+0800    ERROR   logstash/async.go:256   Failed to publish events caused by: write tcp xx.xx.xx.xx:46890->xx.xx.xx.xx:5044: write: connection reset by peer
2019-08-26T10:28:33.311+0800    ERROR   pipeline/output.go:121  Failed to publish events: write tcp xx.xx.xx.xx:46890->xx.xx.xx.xx:5044: write: connection reset by peer

Issue 3: Filebeat error: lumberjack protocol error and Logstash error: OPENSSL_internal:WRONG_VERSION_NUMBER

Filebeat log error,

2019-08-26T08:49:09.505+0800    INFO    pipeline/output.go:95   Connecting to backoff(async(tcp://example.com:5044))
2019-08-26T08:49:09.588+0800    INFO    pipeline/output.go:105  Connection to backoff(async(tcp://example.com:5044)) established
2019-08-26T08:49:09.605+0800    ERROR   logstash/async.go:256   Failed to publish events caused by: lumberjack protocol error
2019-08-26T08:49:09.606+0800    ERROR   logstash/async.go:256   Failed to publish events caused by: client is not connected

Logstash log,

[INFO ] 2019-08-26 08:49:29.444 [defaultEventExecutorGroup-4-2] BeatsHandler - [local: 0.0.0.0:5044, remote: undefined] Handling exception: javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
[WARN ] 2019-08-26 08:49:29.445 [nioEventLoopGroup-2-7] DefaultChannelPipeline - An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
        ...

All the three issues are caused by miss configuration, here is the workable config,

logstash version,

/usr/share/logstash/bin/logstash -V
logstash 7.3.1

filebeat version,

/usr/share/filebeat/bin/filebeat version
filebeat version 7.3.1 (amd64), libbeat 7.3.1 [a4be71b90ce3e3b8213b616adfcd9e455513da45 built 2019-08-19 19:30:50 +0000 UTC]

logstash conf file /etc/logstash/conf.d/beat.conf

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
    ssl_verify_mode => "peer"
  }
}

output {
  elasticsearch {
    hosts => "http://127.0.0.1:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

filebeat conf file /etc/filebeat/filebeat.yml

#=========================== Filebeat inputs =============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /data/error_logs/Log_error_201908


#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["example.com:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

  # Certificate for SSL client authentication
  ssl.certificate: "/etc/pki/tls/certs/logstash-forwarder.crt"

  # Client Certificate Key
  ssl.key: "/etc/pki/tls/private/logstash-forwarder.key"