Skip to content
United Kingdom flag Ukraine flag White-blue-white flag

“Unknown beats protocol version: 71 /69”: using Winlogbeat with Graylog Beats input

I found myself scratching my head on a new deployment of the Elastic Winlogbeat client on Windows, where the intent was to forward Event Logs to Graylog.

In the graylog-server.log file, I saw:

ERROR [AbstractTcpTransport] Error in Input [Beats/...] (...) (cause io.netty.handler.codec.DecoderException: java.lang.IllegalStateException: Unknown beats protocol version: 71)
ERROR [AbstractTcpTransport] Error in Input [Beats/...] (...) (cause io.netty.handler.codec.DecoderException: java.lang.IllegalStateException: Unknown beats protocol version: 69)

I turned off TLS on the client and the receiving Graylog Input, thinking it might be some TLS-related issue, to the same error.

To cut a long story short, decimal 71 and decimal 69 are ASCII codes for capital G and capital E — the first two bytes of an HTTP request that the Winlogbeat client was making to the Graylog input. Clearly the input is not expecting to receive ASCII “GE” to start the request!

It turns out the Graylog beats input desires the logstash format, not elasticsearch. I had been ignorant in just modifying the example config in the output.elasticsearch section, when this is not what Graylog wants.

I commented out the entire output.elasticsearch section and moved that configuration (hosts and the ssl options) into an output.logstash YML node.

output.logstash:
   hosts: ["x.y.z.aa:5044"]

This was unclear enough to me that I thought connecting the error messages above with this solution may prove useful for someone else who has the issue.

Like this post?

If you would like to support the time and effort I have put into my tutorials and writing, please consider making a donation.

Post a Comment

On some sites, you must be logged in to post a comment. This is not the case on this site.
Your email address is not made public or shared. Required fields are marked with *.
*
*
*

Posting a comment signifies you accept the privacy policy.
Please note — usually your comment will appear straight away but sometimes it will be held for approval (this is due to the spam filter). If your comment is waiting to be approved, please don’t post it again! It will appear eventually.