Troubleshooting: Beats and Logstash Log Shippers 7.13 and higher No Longer work with Humio

Product/Components Affected

Affected Humio Versions

Humio, Filebeat, Winlogbeat, Metricbeat, Packetbeat, Logstash

all

Issue

Symptoms

  • Logstash 7.13 or later no longer ship logs to Humio

  • Beats log shippers of 7.13 or later no longer ship logs to Humio

  • Logstash reports Attempted to resurrect connection to dead ES instance, but got an error {:url=>”http://192.168.0.116:9200/”, :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>”Elasticsearch Unreachable: [http://192.168.0.116:9200/][Manticore::SocketException] Connection refused”}

When using or upgrading to Logstash or Beats log shippers to version 7.13 or later, logs no reach Humio.

Cause

Humio supports the Elastic Search (ES) API 6.x, Logstash and Beats log shippers of version 7.13 or higher no longer support the ES API 6.2. The result is that Beats and Logstash versions higher than 7.13 are no longer able to communicate with Humio server.

Solution

You will need to downgrade to a 7.12 or earlier version of the Logstash or Beats log shippers to retain compatibility.

You can download OSS versions of the Beats log shippers from the following links: