Graylog2/graylog-plugin-beats

metricbeat 6.1.3

mattmac1-zz opened this issue · 8 comments

Hi there,
Does Metricbeat 6.1.3 work with the latest plugin version?

I get a "failed to connect" error in my Metricbeat logs.

Thanks

@mattmac1 Please provide the complete logs and ideally a pcap (recorded with Wireshark or tcpdump) to reproduce the issue.

Sure, thanks, here you go - I included server.log and a pcap.

This seems to be the line from server.log that's probably most interesting:
2018-02-01T15:34:32.046+01:00 ERROR [NettyTransport] Error in Input [Beats/5a72cec5701fe1652408bade] (channel [id: 0x3e47cefa, /178.63.102.60:37856 => /10.10.10.15:5044]) java.lang.Exception: Unknown beats protocol version: 71

pcap.zip

@mattmac1 Please post the complete logs and not just some arbitrary lines.

EDIT: Sorry, I missed the part that the log file is in the attached ZIP file. Everything's good. 😄

@mattmac1 The pcap doesn't contain any valid Beats packets.

Maybe you recorded the wrong connection? All packets seem to have port 5044/tcp as source, but not as a destination port.

Sorry, my bad - correct one attached! Thanks again!
pcap.zip

@mattmac1 Again, from what I can see in that pcap file, there's not a single valid Beats packet sent to port 5044/tcp.

Please post the complete configuration of Metricbeat and of the Beats input in Graylog.

Sure - here are the input and Metricbeat config, plus the Metricbeat log, attached. It's the default config with the Logstash output configured to send to my Graylog server. The traffic in the pcap yesterday is for sure coming from Metricbeat, as it's the only thing on the Windows box that points at my Graylog server. Thanks again for your help.

metricbeat.zip

bind_address: 0.0.0.0
override_source: admin
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password: ********

@mattmac1 You're using the wrong output for Metricbeat.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  hosts: ["144.76.119.126:5044"]

According to that configuration, you're using the Elasticsearch output (HTTP) to 144.76.119.126:5044. Take a look at the comment characters ('#').

The logs of Metricbeat tell the same story:

2018-02-01T20:01:40+01:00 INFO Elasticsearch url: http://144.76.119.126:5044
2018-02-01T20:01:45+01:00 ERR  Failed to connect: Get http://144.76.119.126:5044: EOF
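
The "Unknown beats protocol version: 71" error in server.log fits this diagnosis: 71 is ASCII `G`, the first byte of an HTTP `GET`, which is what Metricbeat's Elasticsearch output sends. The script below is an added example, not part of the thread or of the plugin's code; the function names, the byte-to-protocol table, and the assumption that a Lumberjack frame starts with ASCII `1` or `2` are assumptions of this example.

```python
import re

# Graylog server.log line quoted from the issue above.
SAMPLE_LOG = (
    "2018-02-01T15:34:32.046+01:00 ERROR [NettyTransport] Error in Input "
    "[Beats/5a72cec5701fe1652408bade] (channel [id: 0x3e47cefa, "
    "/178.63.102.60:37856 => /10.10.10.15:5044]) java.lang.Exception: "
    "Unknown beats protocol version: 71"
)

LINE_RE = re.compile(
    r"/(?P<src>[\d.]+:\d+) => /(?P<dst>[\d.]+:\d+)\]\)"
    r".*?Unknown beats protocol version: (?P<ver>-?\d+)"
)

# First letters of HTTP request methods (GET, POST/PUT/PATCH, HEAD, ...).
HTTP_METHOD_INITIALS = set(b"GPHDOCT")


def classify_first_byte(value: int) -> str:
    """Guess what the client sent from the byte the input read as 'version'."""
    b = value & 0xFF  # a signed Java byte may be logged as a negative number
    if b in (0x31, 0x32):  # assumption: Lumberjack version is ASCII '1' or '2'
        return "lumberjack"
    if b == 0x16:  # TLS record type 22 = handshake (ClientHello)
        return "tls"
    if b in HTTP_METHOD_INITIALS:
        return "http"
    return "unknown"


def diagnose(line: str):
    """Return src, dst, first byte and protocol guess, or None if no match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    value = int(m.group("ver"))
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "first_byte": bytes([value & 0xFF]),
        "guess": classify_first_byte(value),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A guess of `http` points at an HTTP client such as `output.elasticsearch` aimed at the Beats port; `tls` points at a TLS-enabled client talking to an input that has `tls_enable: false`.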