why is filebeat unable to connect to logstash

1
votes

I am trying to send a log4net log to logstash to get parsed and then end up in elasticsearch. I have added the port to the windows firewall security setting and allow all connection, both to 5044 and 9600.

In the filebeat log, i get this error

pipeline/output.go:100  Failed to connect to backoff(async(tcp://[http://hostname:5044]:5044)): lookup http://hostname:5044: no such host

Filebeat.yml (Logstash section)

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["http://hostname:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Processors =====================================

Logstash.yml

I have set the http.host to 0.0.0.0

# ------------ Metrics Settings --------------
#
# Bind address for the metrics REST endpoint
#
 http.host: "0.0.0.0"
#
# Bind port for the metrics REST endpoint, this option also accept a range
# (9600-9700) and logstash will pick up the first available ports.
#
# http.port: 9600-9700

Logstash Filter Config

input {
  beats {
    port => "5044"
  }
}

filter {
    if [type] == "log4net" {
        grok {
            match => [ "message", "%{TIMESTAMP_ISO8601:timestamp} \[%{NUMBER:threadid}\] %{WORD:level}\s*%{DATA:class} \[%{DATA:NDC}\]\s+-\s+%{GREEDYDATA:message}" ]
        }
        date {
            match => ["timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss"]
            remove_field => ["timestamp"]
        }
        mutate {
            update => {
                "type" => "log4net-logs"
            }
        }
    }
}

output {
  elasticsearch {
    hosts => ["http://hostname:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    #user => "elastic"
    #password => "changeme"
  }
}
3
elasticsearchlogstashfilebeatelk
http://hostname:5044: no such host which means that hostname cannot be resolved properly. Are you sure it's a valid host name?Val
if you're sure on the host name then maybe try using the fully qualified domain namec95mbq
@Val I am using a valid host name, its the same hostname i added to the ElaststicSearch host in the logstash configuration (hostname:9200) and filebeat seems to send data to elasticsearch without a problem. but the same hostname with port 5044 isnt working for logstasheagercoder
Is everything running on the same host (Filebeat, Logstash, ES)? How does your Logstash pipeline (input/filter/output) configuration look like?Val
@Val Filebeat is running locally and pushing to a remote server. ElasticSearch and Logstash are both installed on that remote server.. hence the hostname being the same for both, and i have allowed incoming traffic to port 9200, 5044, 9600 which are ports for elasticsearch and logstasheagercoder

3 Answers

1
votes

You can try using hostname:

hosts: ["hostname:5044"]
0
votes

As mentioned by @Adrian Dr try using:

hosts: ["hostname:5044"]

But also bind logstash to a single port:

http.port: 9600
0
votes

Same error. It's because you mention protocol.

You have to remove 'http' from hosts field.

hosts: ["somename.com:5044"]

or ip

hosts: ["10.10.10.1:5044"]