Hey there, let's walk through troubleshooting your Filebeat output test step by step—since you're new to the ELK stack, I'll break this down into actionable checks to get you connected smoothly:

1. Verify Network Connectivity First #

Before diving into configurations, rule out basic network hurdles:

• On Server B, test if you can reach Server A's target service port (either Logstash's default 5044 or Elasticsearch's default 9200) using these commands:

  # Test Logstash connectivity
  telnet <Server_A_IP> 5044
  # Test Elasticsearch connectivity
  curl -v http://<Server_A_IP>:9200
  

• If these fail, check Server A's firewall/security group to ensure the port is open for incoming traffic from Server B's IP address.

2. Double-Check Your Filebeat Configuration #

Open /etc/filebeat/filebeat.yml and verify the output section matches your setup:

Example for Logstash Output: #

output.logstash:
  # Target Logstash host on Server A
  hosts: ["<Server_A_IP>:5044"]
  # Uncomment below if Logstash uses SSL
  # ssl.enabled: true
  # ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

Example for Elasticsearch Output: #

output.elasticsearch:
  # Target Elasticsearch host on Server A
  hosts: ["<Server_A_IP>:9200"]
  # Uncomment below if Elasticsearch uses authentication
  # username: "elastic"
  # password: "your_elastic_account_password"
  # ssl.enabled: true

• Watch out for typos in IP addresses, ports, or credentials—YAML is also strict about indentation, so make sure all nested fields are properly aligned.

3. Fix Your Test Command Syntax #

Your test command has a truncated -path.home parameter; simplify it using the default Filebeat home directory (which should be /usr/share/filebeat if you followed the official guide):

sudo /usr/share/filebeat/bin/filebeat test output -c /etc/filebeat/filebeat.yml

• Use sudo to avoid permission issues when reading the config file or accessing system resources.
• If you customized the Filebeat home directory, replace /usr/share/filebeat with your actual path.

4. Check Filebeat Logs for Detailed Errors #

If the test command fails, the Filebeat log will give you specific clues about what's wrong:

tail -f /var/log/filebeat/filebeat.log

Common errors to look for:

• connection refused: Network port is closed, or you used the wrong IP/port.
• authentication failed: Missing or incorrect username/password for Elasticsearch/Logstash.
• SSL handshake failed: Mismatched SSL certificates or disabled SSL in the config.

5. Validate Filebeat Template Compatibility #

Since you installed the Filebeat template on Server A:

• Ensure your Filebeat version on Server B matches the Elasticsearch version on Server A (major versions must align—e.g., Filebeat 8.x with ES 8.x).
• Verify the template exists in Elasticsearch by running this query (from Server A or any machine with ES access):

  curl -X GET "<Server_A_IP>:9200/_template/filebeat-*"
  

  If it's missing, re-run the template setup from Server B:

  sudo /usr/share/filebeat/bin/filebeat setup --index-management -c /etc/filebeat/filebeat.yml
  

Start with these checks, and you'll likely pinpoint the issue quickly. If you hit a specific error message, feel free to share it—I can help dig deeper!

内容的提问来源于stack exchange，提问作者Luan Nguyen