Hourly error since updating: ERROR [AbstractTcpTransport] Error in Input [Beats/xxx]

1. Describe your incident:

Yesterday I upgraded to Graylog 5.0. Due to requirements, I also upgraded mongodb from 4.0 > 4.2 > 4.4 > 5.0. I also upgraded Java 11 > Java 17. Elasticsearch was already on 7.10. Ever since, once an hour on the hour, I get an error in server.log relating to beat input.

The client sending the logs seems to be random. The input seems to be working. Logs are still being received from all clients. I am just curious as to why this started happening upon upgrade.

2. Describe your environment:

  • OS Information: Ubuntu 20.04 running on HyperV

  • Package Version:
    Upgraded yesterday from Graylog 4.3 > 5.0
    Mongodb upgraded from 4.0 > 4.2 > 4.4 > 5.0
    Elasticsearch 7.10.2
    Java 17
    Sidecar 1.2

  • Service logs, configurations, and environment variables:
    Snippet of server.log:

2022-12-09T04:41:11.172-05:00 ERROR [AbstractTcpTransport] Error in Input [Beats/637baf68d4546d3a3b8f97df] (channel [id: 0x716af575, L:/10.7.44.14:5044 ! R:/10.128.70.102:51717]) (cause io.netty.channel.unix.Errors$NativeIoException: recvAddress(..) failed: Connection reset by peer)
2022-12-09T05:41:11.047-05:00 ERROR [AbstractTcpTransport] Error in Input [Beats/637baf68d4546d3a3b8f97df] (channel [id: 0x1a7e3954, L:/10.7.44.14:5044 ! R:/10.7.10.1:64592]) (cause io.netty.channel.unix.Errors$NativeIoException: recvAddress(..) failed: Connection reset by peer)
2022-12-09T06:41:12.048-05:00 ERROR [AbstractTcpTransport] Error in Input [Beats/637baf68d4546d3a3b8f97df] (channel [id: 0x23ad7cd2, L:/10.7.44.14:5044 ! R:/10.69.184.121:57173]) (cause io.netty.channel.unix.Errors$NativeIoException: recvAddress(..) failed: Connection reset by peer)
2022-12-09T07:41:13.865-05:00 ERROR [AbstractTcpTransport] Error in Input [Beats/637baf68d4546d3a3b8f97df] (channel [id: 0x7aa9cbf0, L:/10.7.44.14:5044 ! R:/10.69.184.121:60117]) (cause io.netty.channel.unix.Errors$NativeIoException: recvAddress(..) failed: Connection reset by peer)
2022-12-09T08:41:13.906-05:00 ERROR [AbstractTcpTransport] Error in Input [Beats/637baf68d4546d3a3b8f97df] (channel [id: 0xa3794a5e, L:/10.7.44.14:5044 ! R:/10.7.2.21:60670]) (cause io.netty.channel.unix.Errors$NativeIoException: recvAddress(..) failed: Connection reset by peer)
2022-12-09T09:41:14.467-05:00 ERROR [AbstractTcpTransport] Error in Input [Beats/637baf68d4546d3a3b8f97df] (channel [id: 0xd40db550, L:/10.7.44.14:5044 ! R:/10.69.184.122:63619]) (cause io.netty.channel.unix.Errors$NativeIoException: recvAddress(..) failed: Connection reset by peer)

Input config:

Sidecar configuration:


(note - more event configuration. Don’t think any of it is an issue, though)

3. What steps have you already taken to try and solve the problem?

Unsure of steps to take since I was not receiving the error prior to upgrade to 5.0.

4. How can the community help?

Looking to see if anyone has encountered this and/or has a solution for it.

Thanks
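An added example (not part of the original post and not Graylog tooling): a small Python parser for the `AbstractTcpTransport` lines quoted above that checks whether the resets arrive at a fixed interval and which remote peers they come from. The sample lines are copied from the post; the 3600-second period and 5-second tolerance are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines copied from the server.log snippet in the post above.
SAMPLE = """
2022-12-09T04:41:11.172-05:00 ERROR [AbstractTcpTransport] Error in Input [Beats/637baf68d4546d3a3b8f97df] (channel [id: 0x716af575, L:/10.7.44.14:5044 ! R:/10.128.70.102:51717]) (cause io.netty.channel.unix.Errors$NativeIoException: recvAddress(..) failed: Connection reset by peer)
2022-12-09T05:41:11.047-05:00 ERROR [AbstractTcpTransport] Error in Input [Beats/637baf68d4546d3a3b8f97df] (channel [id: 0x1a7e3954, L:/10.7.44.14:5044 ! R:/10.7.10.1:64592]) (cause io.netty.channel.unix.Errors$NativeIoException: recvAddress(..) failed: Connection reset by peer)
2022-12-09T06:41:12.048-05:00 ERROR [AbstractTcpTransport] Error in Input [Beats/637baf68d4546d3a3b8f97df] (channel [id: 0x23ad7cd2, L:/10.7.44.14:5044 ! R:/10.69.184.121:57173]) (cause io.netty.channel.unix.Errors$NativeIoException: recvAddress(..) failed: Connection reset by peer)
2022-12-09T07:41:13.865-05:00 ERROR [AbstractTcpTransport] Error in Input [Beats/637baf68d4546d3a3b8f97df] (channel [id: 0x7aa9cbf0, L:/10.7.44.14:5044 ! R:/10.69.184.121:60117]) (cause io.netty.channel.unix.Errors$NativeIoException: recvAddress(..) failed: Connection reset by peer)
2022-12-09T08:41:13.906-05:00 ERROR [AbstractTcpTransport] Error in Input [Beats/637baf68d4546d3a3b8f97df] (channel [id: 0xa3794a5e, L:/10.7.44.14:5044 ! R:/10.7.2.21:60670]) (cause io.netty.channel.unix.Errors$NativeIoException: recvAddress(..) failed: Connection reset by peer)
2022-12-09T09:41:14.467-05:00 ERROR [AbstractTcpTransport] Error in Input [Beats/637baf68d4546d3a3b8f97df] (channel [id: 0xd40db550, L:/10.7.44.14:5044 ! R:/10.69.184.122:63619]) (cause io.netty.channel.unix.Errors$NativeIoException: recvAddress(..) failed: Connection reset by peer)
"""

# Netty prints " - " between local and remote for an active channel, " ! " for a closed one.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ERROR \[AbstractTcpTransport\] Error in Input "
    r"\[(?P<input>[^\]]+)\] \(channel \[id: (?P<chan>0x[0-9a-f]+), "
    r"L:/(?P<local>\S+) [!-] R:/(?P<rip>[^\]]+):(?P<rport>\d+)\]\) "
    r"\(cause (?P<cause>.*)\)$"
)

def parse(text):
    """Return one dict per matching error line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])})
    return events

def summarize(events, period_s=3600, tolerance_s=5):
    """Gaps between consecutive errors, a periodicity verdict, and per-peer counts."""
    events = sorted(events, key=lambda e: e["ts"])
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    return {
        "count": len(events),
        "gaps_s": gaps,
        "periodic": bool(gaps) and all(abs(g - period_s) <= tolerance_s for g in gaps),
        "by_remote": Counter(e["rip"] for e in events),
        "causes": Counter(e["cause"].rsplit(": ", 1)[-1] for e in events),
        "minute_of_hour": sorted({e["ts"].minute for e in events}),
    }

if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

A fixed gap with varying remote peers points at something scheduled rather than at one misbehaving client; a single peer dominating `by_remote` would point the other way.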

What does your sidecar.yml file look like on the affected machines? That is the configuration part of Sidecar that creates the connection for configurations and data transfer.

Please use the </> forum tool on posted logs/code, it makes it easier to read!

Hey, just chiming in,
I noticed this.

image

Perhaps try something like this. Use the beats port after the IP address.

output.logstash:
   hosts: ["10.7.44.14:5044"] <---- HERE
path:
  data: /var/lib/graylog-sidecar/collectors/filebeat/data
  logs: /var/lib/graylog-sidecar/collectors/filebeat/log

Here is the sidecar.yml

# The URL to the Graylog server API.
# Default: "http://127.0.0.1:9000/api/"
server_url: "https://10.7.x.x:9000/api"

# The API token to use to authenticate against the Graylog server API.
# Default: none
server_api_token: "1mon2r9p2isuma5leb....."

# The node ID of the sidecar. This can be a path to a file or an ID string.
# If set to a file and the file doesn't exist, the sidecar will generate an
# unique ID and writes it to the configured path.
#
# Example file path: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
# Example ID string: "6033137e-d56b-47fc-9762-cd699c11a5a9"
#
# ATTENTION: Every sidecar instance needs a unique ID!
#
# Default: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"

# The node name of the sidecar. If this is empty, the sidecar will use the
# hostname of the host it is running on.
# Default: ""
node_name: ""

# The update interval in secods. This configures how often the sidecar will
# contact the Graylog server for keep-alive and configuration update requests.
# Default: 10
update_interval: 10

# This configures if the sidecar should skip the verification of TLS connections.
# Default: false
tls_skip_verify: true

# This enables/disables the transmission of detailed sidecar information like
# collector statues, metrics and log file lists. It can be disabled to reduce
# load on the Graylog server if needed. (disables some features in the server UI)
# Default: true
send_status: true

# A list of directories to scan for log files. The sidecar will scan each
# directory for log files and submits them to the server on each update.
#
# Example:
#     list_log_files:
#       - "/var/log/nginx"
#       - "/opt/app/logs"
#
# Default: empty list
#list_log_files: []

# Directory where the sidecar stores internal data.
#cache_path: "C:\\Program Files\\Graylog\\sidecar\\cache"

# Directory where the sidecar stores logs for collectors and the sidecar itself.
#log_path: "C:\\Program Files\\Graylog\\sidecar\\logs"

# The maximum size of the log file before it gets rotated.
#log_rotate_max_file_size: "10MiB"

# The maximum number of old log files to retain.
#log_rotate_keep_files: 10

# Directory where the sidecar generates configurations for collectors.
#collector_configuration_directory: "C:\\Program Files\\Graylog\\sidecar\\generated"

# A list of binaries which are allowed to be executed by the Sidecar. An empty list disables the access list feature.
# Wildcards can be used, for a full pattern description see https://golang.org/pkg/path/filepath/#Match
# Example:
#     collector_binaries_accesslist:
#       - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
#       - "C:\\Program Files\\Filebeat\\filebeat.exe"
#
# Example disable access listing:
#     collector_binaries_accesslist: []
#
# Default:
# collector_binaries_accesslist:
#  - "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
#  - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
#  - "C:\\Program Files\\Filebeat\\filebeat.exe"
#  - "C:\\Program Files\\Packetbeat\\packetbeat.exe"
#  - "C:\\Program Files\\Metricbeat\\metricbeat.exe"
#  - "C:\\Program Files\\Heartbeat\\heartbeat.exe"
#  - "C:\\Program Files\\Auditbeat\\auditbeat.exe"
#  - "C:\\Program Files (x86)\\nxlog\\nxlog.exe"

I think if it were the logstash output IP config, it would have been giving errors before the update and would error every time any of the servers using that config check in, instead of a random server once an hour.

I think @gsmith is on to something. The output.logstash you have is a different format than what I have seen… I am no expert in yml files but I do know they are VERY particular on spacing and indentation. Much like the one @gsmith posted, mine looks like:

output.logstash:
   hosts: ["${user.BeatsInput}"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\log

Maybe it’s not the problem. Test it anyway! :smiley:

Made the change and I am still getting the error every hour.

Hey,

Ok, this is what I see…

In the logs it shows this statement.

) failed: Connection reset by peer)

I'm going off of your beat config, you have this.

image

What I don't see is the beats port configured.
Basic Example:

Or am I missing something?

Yeah, what you said makes sense.

I changed the config to:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}


# Define the output (we use Logstash for Graylog)
output.logstash:
   hosts: ["10.7.44.14:5044"]

and I am still getting the error once an hour.

As stated, everything seems to be working fine regardless. I am receiving logs from all hosts using the config and I am able to restart the process remotely through graylog.

I might try to update the sidecars to 1.3 and see if that makes a difference.

Hello,

You never know, I've seen updates resolve a lot of issues and also create them.

I did an incremental update to 5.0.1 and it fixed the error.

Case closed, issue resolved!
