Publishing to Logstash fails with "connection reset by peer" message

Publishing to Logstash fails with "connection reset by peer" messageedit

Auditbeat requires a persistent TCP connection to Logstash. If a firewall interferes with the connection, you might see errors like this:

Failed to publish events caused by: write tcp ... write: connection reset by peer

To solve the problem:

  • make sure the firewall is not closing connections between Auditbeat and Logstash, or
  • set the ttl value in the Logstash output to a value that’s lower than the maximum time allowed by the firewall, and set pipelining to 0 (pipelining cannot be enabled when ttl is used).