Logstash/Beats Error - Invalid Version of Beats Protocol


Brandon Stephens

Nov 27, 2019, 12:34:25 PM
to security-onion
All,

I am experimenting with winlogbeat on a Windows 10 machine. I am currently running Elastic 6.8.4 and winlogbeat 6.8.4. I have allowed the endpoint via so-allow but keep getting an error in logstash that the beats protocol version is invalid. This is causing a reset of the traffic from the master side.

The best that I can tell the logstash options in my winlogbeat.yml are correct, only change I made was to add the master ip.

Any idea on the next place to look?

thanks,

Brandon

logstash.log:

[2019-11-27T16:15:21,284][INFO ][org.logstash.beats.BeatsHandler] [local: 172.17.0.4:5044, remote: x.x.x.x:10293] Handling exception: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 71

winlogbeat.log


2019-11-27T12:02:55.694-0500 ERROR pipeline/output.go:100 Failed to connect to backoff(elasticsearch(http://x.x.x.x:5044)): Get http://x.x.x.x:5044: read tcp x.x.x.x:19439->x.x.x.x:5044: wsarecv: An existing connection was forcibly closed by the remote host.

Wes Lambert

Nov 27, 2019, 4:03:42 PM
to securit...@googlegroups.com
Can you confirm the version of the Docker images, with the following?

sudo docker images 

or from the output of the following:

curl -s localhost:9200

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/a701e0e7-398a-45a5-b5c9-26329f7c1da5%40googlegroups.com.

Brandon Stephens

Dec 2, 2019, 10:41:11 AM
to security-onion
REPOSITORY                                TAG                 IMAGE ID            CREATED             SIZE
securityonionsolutions/so-freqserver      latest              9ee51c8b110d        3 weeks ago         460MB
securityonionsolutions/so-domainstats     latest              4095c497a4f9        3 weeks ago         499MB
securityonionsolutions/so-elastalert      latest              3c8d4b846774        3 weeks ago         652MB
securityonionsolutions/so-curator         latest              8bf3333d0e94        3 weeks ago         470MB
securityonionsolutions/so-kibana          latest              a03bfa06ca29        3 weeks ago         603MB
securityonionsolutions/so-logstash        latest              fdbe223faa7c        3 weeks ago         902MB
securityonionsolutions/so-elasticsearch   latest              c7faf40ccf78        3 weeks ago         825MB


{
  "name" : "D6PLqV5",
  "cluster_name" : "xxxxxxxxx",
  "cluster_uuid" : "UnOZAGnHQcalbgn8bjocFg",
  "version" : {
    "number" : "6.8.4",
    "build_flavor" : "oss",
    "build_type" : "docker",
    "build_hash" : "bca0c8d",
    "build_date" : "2019-10-16T06:19:49.319352Z",
    "build_snapshot" : false,
    "lucene_version" : "7.7.2",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}


Wes Lambert

Dec 3, 2019, 7:46:32 AM
to securit...@googlegroups.com
Hi Brandon,

From your log:

2019-11-27T12:02:55.694-0500 ERROR pipeline/output.go:100 Failed to connect to backoff(elasticsearch(http://x.x.x.x:5044)): Get http://x.x.x.x:5044: read tcp x.x.x.x:19439->x.x.x.x:5044: wsarecv: An existing connection was forcibly closed by the remote host.

...it appears as though it's trying to connect to Elasticsearch and not Logstash?

Have you ensured you have the correct settings remarked and unremarked in the winlogbeat config file?

Thanks,
Wes 


Brandon Stephens

Dec 3, 2019, 8:26:35 AM
to security-onion
Thanks Wes, I didn't catch that [#] on the output.logstash setting. Removed that and we are good to go.
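The diagnosis Wes makes above (Winlogbeat speaking HTTP to the Logstash Beats port because output.elasticsearch was left uncommented) can be checked mechanically. The following is an added example, not code from this thread or from Security Onion, Logstash or Beats: it decodes the number in Logstash's error message (71 is 0x47, the ASCII 'G' that begins an HTTP GET, so the version byte of a Beats frame was never sent), classifies the first bytes a client sent to port 5044, and lints a winlogbeat.yml fragment so that exactly one output section is uncommented. The captured payloads and YAML fragments are constructed, and x.x.x.x stands in for the master IP as it does in the thread.

```python
"""Added example: explain "Invalid version of beats protocol: N" on a Logstash
Beats input and lint a winlogbeat.yml for the output mix-up seen in the thread.
All sample data is constructed; this is not Security Onion, Logstash or Beats code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A Beats (Lumberjack) frame starts with a one-byte protocol version followed by
# a one-byte frame type. Logstash's beats input accepts only versions '1' and '2'
# and reports any other first byte as "Invalid version of beats protocol: <int>".
BEATS_VERSIONS = {0x31: "v1", 0x32: "v2"}
BEATS_FRAME_TYPES = {
    0x57: "window size", 0x4A: "json", 0x43: "compressed", 0x44: "data", 0x41: "ack",
}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


@dataclass
class Verdict:
    version_byte: int   # the integer Logstash prints in its error message
    kind: str           # "beats", "http", "tls" or "unknown"
    detail: str


def classify_first_bytes(data: bytes) -> Verdict:
    """Decide what protocol a client actually spoke from the first bytes it sent."""
    if not data:
        raise ValueError("empty payload")
    first = data[0]
    if first in BEATS_VERSIONS:
        ftype = BEATS_FRAME_TYPES.get(data[1], "unknown") if len(data) > 1 else "unknown"
        return Verdict(first, "beats", f"Beats protocol {BEATS_VERSIONS[first]}, frame type: {ftype}")
    if data.startswith(HTTP_METHODS):
        method = data.split(b" ", 1)[0].decode("ascii")
        return Verdict(first, "http",
                       f"HTTP {method} request: the client is using an HTTP output "
                       "(e.g. output.elasticsearch) against the Beats port")
    if data[:2] == b"\x16\x03":
        return Verdict(first, "tls", "TLS ClientHello: the client is speaking TLS to a plaintext input")
    return Verdict(first, "unknown", f"unrecognised first byte 0x{first:02x}")


def explain_logstash_error(version_byte: int) -> str:
    """Map the number from the Logstash error back to the byte the client sent."""
    ch = chr(version_byte) if 0x20 <= version_byte < 0x7F else "?"
    return f"version byte {version_byte} is 0x{version_byte:02x} ({ch!r})"


# Lint: exactly one output.* section must be uncommented in a Beats config.
OUTPUT_KEY = re.compile(r"^\s*(#\s*)?output\.(\w+):")


def enabled_outputs(yml_text: str) -> list[str]:
    """Return the names of output.* sections that are not commented out."""
    return [m.group(2) for m in (OUTPUT_KEY.match(line) for line in yml_text.splitlines())
            if m and not m.group(1)]


# Constructed winlogbeat.yml fragments (placeholders, not the poster's real file).
BROKEN_YML = """\
output.elasticsearch:
  hosts: ["x.x.x.x:5044"]
#output.logstash:
#  hosts: ["x.x.x.x:5044"]
"""
FIXED_YML = """\
#output.elasticsearch:
#  hosts: ["localhost:9200"]
output.logstash:
  hosts: ["x.x.x.x:5044"]
"""

if __name__ == "__main__":
    # Constructed capture of what a misconfigured Beats client sends to port 5044.
    print(explain_logstash_error(71))
    print(classify_first_bytes(b"GET / HTTP/1.1\r\nHost: x.x.x.x:5044\r\n\r\n"))
    print(classify_first_bytes(b"2W\x00\x00\x00\x01"))
    print("broken config enables:", enabled_outputs(BROKEN_YML))
    print("fixed config enables:", enabled_outputs(FIXED_YML))
```

Run it as-is to see the three checks; in practice the first bytes would come from a packet capture on the master's port 5044, and `enabled_outputs` can be pointed at the real winlogbeat.yml to confirm that only `logstash` is listed before restarting the service.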