counteractive / o365beat

Elastic Beat for fetching and shipping Office 365 audit events

Logstash connection errors #45

Closed GenCr closed 4 years ago

GenCr commented 4 years ago

Good afternoon,

I've recently started using a Logstash output rather than ElasticSearch for the o365beat. Logstash is on the same host as the beat instance and Logstash forwards the logs onto ElasticSearch, as well as another output.

Since this configuration change I'm getting regular errors in the system log as follows:

o365beat[98265]: 2020-05-12T12:16:16.451+0100        ERROR        logstash/async.go:256        Failed to publish events caused by: write tcp [::1]:32906->[::1]:5045: write: connection reset by peer
o365beat[98265]: 2020-05-12T12:21:13.851+0100        ERROR        pipeline/output.go:121        Failed to publish events: write tcp 127.0.0.1:35260->127.0.0.1:5045: write: connection reset by peer
o365beat[98265]: 2020-05-12T12:21:13.851+0100        INFO        pipeline/output.go:95        Connecting to backoff(async(tcp://localhost:5045))
o365beat[98265]: 2020-05-12T12:21:13.852+0100        INFO        pipeline/output.go:105        Connection to backoff(async(tcp://localhost:5045)) established

I'm still getting office 365 logs from the beat in ElasticSearch and it doesn't look like any logs are missing but I can't be sure.

Any idea on what I can check on why this error is coming up?

Thanks, Gen.
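One way to answer "what can I check" from the beat's own log, as an added example that is not part of the issue or the o365beat project: parse the libbeat log lines quoted above, pair every "connection reset by peer" publish failure with the next "established" message, and measure how long the output was down and how far apart the resets are. The sample input is the four lines from the post; the 120-second pairing window is an assumption chosen to cover libbeat's reconnect backoff.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Log lines as quoted in the issue. libbeat writes: timestamp, level, source file:line, message.
SAMPLE_LOG = """\
o365beat[98265]: 2020-05-12T12:16:16.451+0100        ERROR        logstash/async.go:256        Failed to publish events caused by: write tcp [::1]:32906->[::1]:5045: write: connection reset by peer
o365beat[98265]: 2020-05-12T12:21:13.851+0100        ERROR        pipeline/output.go:121        Failed to publish events: write tcp 127.0.0.1:35260->127.0.0.1:5045: write: connection reset by peer
o365beat[98265]: 2020-05-12T12:21:13.851+0100        INFO        pipeline/output.go:95        Connecting to backoff(async(tcp://localhost:5045))
o365beat[98265]: 2020-05-12T12:21:13.852+0100        INFO        pipeline/output.go:105        Connection to backoff(async(tcp://localhost:5045)) established
"""

# syslog-style prefix "name[pid]:" followed by the libbeat fields, separated by runs of whitespace
LINE_RE = re.compile(
    r"^(?P<proc>\S+?)\[(?P<pid>\d+)\]:\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<src>\S+)\s+(?P<msg>.*)$"
)


@dataclass
class Event:
    ts: datetime
    level: str
    source: str
    message: str


@dataclass
class Reconnect:
    reset_at: datetime
    restored_at: Optional[datetime]  # None when no "established" line follows within the window

    def downtime_seconds(self) -> Optional[float]:
        if self.restored_at is None:
            return None
        return (self.restored_at - self.reset_at).total_seconds()


def parse_beat_log(text: str) -> List[Event]:
    """Turn raw beat log lines into Event records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        events.append(Event(ts, m["level"], m["src"], m["msg"]))
    return events


def find_reconnects(events: List[Event], max_gap_seconds: float = 120.0) -> List[Reconnect]:
    """Pair each reset with the first 'established' message that follows it within max_gap_seconds."""
    resets = [e for e in events if "connection reset by peer" in e.message]
    restores = [e.ts for e in events if e.message.endswith("established")]
    out = []
    for r in resets:
        restored = next(
            (t for t in restores if 0 <= (t - r.ts).total_seconds() <= max_gap_seconds), None
        )
        out.append(Reconnect(r.ts, restored))
    return out


def reset_intervals(events: List[Event]) -> List[float]:
    """Seconds between consecutive resets; a steady value hints at a timeout, not a network fault."""
    ts = [e.ts for e in events if "connection reset by peer" in e.message]
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


if __name__ == "__main__":
    evs = parse_beat_log(SAMPLE_LOG)
    for rc in find_reconnects(evs):
        down = rc.downtime_seconds()
        state = f"restored after {down:.3f}s" if down is not None else "not restored in excerpt"
        print(f"reset at {rc.reset_at.isoformat()}: {state}")
    print("seconds between resets:", reset_intervals(evs))
```

Run against a longer stretch of the journal, the same two numbers tell you what to look at: a downtime of a millisecond per reset means the beat reconnects immediately and resends the failed batch, while resets spaced at a constant interval matching the beat's polling period point at the receiving side closing connections it considers idle (the Logstash beats input does this after its `client_inactivity_timeout`, 60 seconds by default), which is the setting the thread goes on to discuss.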

chris-counteractive commented 4 years ago

Sorry for the challenges! @GenCr could you please post your output configuration for the beat and the input configuration from logstash? Before we dig deeper, just checking if things are set up to use the "beats" type as it suggests in the readme. Thanks!

GenCr commented 4 years ago

Hi @chris-counteractive, no worries!

Here's the output configuration on the beat

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5045"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

and the input on the logstash:

input {
        beats {
                port => 5045
        }
}

Thanks, Gen.

GenCr commented 4 years ago

Hi,

Anything else I can check or any other information I can provide to assist?

Thanks, Gen.

GenCr commented 4 years ago

Hi,

Any ideas?

Thanks, Gen.

chris-counteractive commented 4 years ago

@GenCr sorry for the delayed response! The discussion here suggests resetting the client_activity_timeout.

It doesn't matter, but incidentally the docs use 5044, on the off chance there's a firewall somewhere.

I have a few updates in the pipe but none of my research would seem to apply, as the connectivity to logstash is done exclusively through libbeat (that is, we don't write the code that interfaces with logstash). Apologies again for the delay, hope this helps a bit - if the config change addresses the issue please let us know!

GenCr commented 4 years ago

Hi @chris-counteractive, no worries!

I tried increasing the timeout and it looks like that's fixed it, thanks!

chris-counteractive commented 4 years ago

So glad to hear it. I'm going to close this issue based on your last note; if you notice additional problems please comment or open a new one. Thanks for your patience!