Winfilebeat: Failed to connect to backoff - EOF

Hi All,

So, I am trying to collect Windows Firewall Logs on a Windows 2012R2 Server with the Sidecar filebeat collector.

Collector is configured like this:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - C:\Windows\System32\LogFiles\Firewall\pfirewall.log

output.elasticsearch:
  hosts: ["XXX.XX.XXX.XX:5045"]

path:
  data: C:\Program Files\Graylog\sidecar\cache\filebeat\data
  logs: C:\Program Files\Graylog\sidecar\logs

There is a filebeat Input running at port 5045 on the Graylog server.

Graylog sidecar filebeat backend service is started and running at the Windows Server.

When I look in the filebeat logs at the Windows server I see several of these entries:

ERROR	pipeline/output.go:100	Failed to connect to backoff(elasticsearch(http://XXX.XX.XXX.XX:5036)): Get http://XXX.XX.XXX.XX:5036: EOF
INFO	pipeline/output.go:93	Attempting to reconnect to backoff(elasticsearch(http://XXX.XX.XXX.XX:5036)) with 4 reconnect attempt(s)
INFO	[publish]	pipeline/retry.go:189	retryer: send unwait-signal to consumer
INFO	[publish]	pipeline/retry.go:191	  done
INFO	[publish]	pipeline/retry.go:166	retryer: send wait signal to consumer
INFO	[publish]	pipeline/retry.go:168	  done

I am running a winlogbeat collector from the same Windows Server to Graylog without any problems.
Any tips on what could be the problem here?

Greetings,

Tom

The output is not “elasticsearch”, it is “logstash” …

Thanks a lot, that solved it. Working perfectly now :grinning:
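An added example, not part of the original thread: a small triage script that scans Filebeat log lines in the layout quoted above, groups connect failures by output type and URL, and flags the pattern diagnosed here (an `elasticsearch` output getting `EOF` from its target). The addresses, the sample lines and the hint wording are constructed for illustration, and the hint is a heuristic drawn from this thread.

```python
import re

# Filebeat's connect-failure line in the layout quoted in the thread:
#   ERROR  pipeline/output.go:100  Failed to connect to backoff(TYPE(URL)): DETAIL
FAILED = re.compile(
    r"ERROR\s+pipeline/output\.go:\d+\s+Failed to connect to "
    r"backoff\((?P<output>\w+)\((?P<url>[^)]+)\)\):\s*(?P<detail>.*)$"
)

def hint(output, saw_eof):
    # Heuristic taken from this thread, not from Filebeat documentation.
    if output == "elasticsearch" and saw_eof:
        return ("peer closed the connection without an HTTP reply; if it is a "
                "Graylog Beats input, switch the collector to output.logstash")
    return "check address, port, firewall rules and that the listener is running"

def triage(lines):
    """Group connect failures by (output type, URL) and attach a hint."""
    found = {}
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        entry = found.setdefault(
            (m["output"], m["url"]),
            {"output": m["output"], "url": m["url"], "failures": 0, "eof": False},
        )
        entry["failures"] += 1
        entry["eof"] = entry["eof"] or m["detail"].strip().endswith("EOF")
    for entry in found.values():
        entry["hint"] = hint(entry["output"], entry["eof"])
    return list(found.values())

# Constructed sample lines (192.0.2.0/24 is a documentation address range).
SAMPLE = [
    "ERROR\tpipeline/output.go:100\tFailed to connect to backoff(elasticsearch(http://192.0.2.10:5045)): Get http://192.0.2.10:5045: EOF",
    "INFO\tpipeline/output.go:93\tAttempting to reconnect to backoff(elasticsearch(http://192.0.2.10:5045)) with 4 reconnect attempt(s)",
    "ERROR\tpipeline/output.go:100\tFailed to connect to backoff(elasticsearch(http://192.0.2.10:5045)): Get http://192.0.2.10:5045: EOF",
    "ERROR\tpipeline/output.go:100\tFailed to connect to backoff(elasticsearch(http://192.0.2.20:9200)): Get http://192.0.2.20:9200: dial tcp 192.0.2.20:9200: connectex: No connection could be made because the target machine actively refused it.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(f'{finding["failures"]}x {finding["output"]} {finding["url"]}: {finding["hint"]}')
```

Running a check like this over collector logs catches a log source that has stopped shipping, which otherwise shows up only as missing events on the Graylog side.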
