We upgraded from 8.15.3 to 8.16.1 and found that filebeat started filling up syslog with debug log messages. It seems to ignore the to_syslog: false config. Downgraded to 8.15.3 and the problem was gone. Did we miss changes to logging or other major changes that could cause this?
Here is our current config.
BEAT_LOG_OPTS=
and
logging:
files:
keepfiles: 3
name: filebeat.log
path: /var/log/filebeat
level: debug
to_files: true
to_syslog: false
Hi @t.alexandersen, could you share how you're running and installed Filebeat?
ps aux |grep filebeat?Your logging configuration is correct, so Filebeat should be logging only to /var/log/filebeat. Filebeat does not support multiple log outputs.
/var/log/filebeat?Thanks for following up.
We found the reason for the new behaviour. It is caused by this issue:
logging.to_files: true is no longer honored unless you set logging.to_stderr: false.
The workaround is to add logging.to_stderr: false to your config.
Thanks @t.alexandersen
I'm just a bit puzzled because I still cannot reproduce it.
Could you try reproducing with the configuration from my comment and also post here the output of ./filebeat version?
In the GitHub issue we managed to find the root cause and a workaround. Look at the issue for more details.
As a workaround, one can set logging.to_stderr: false to stop logging to stderr.
Here is an example of how to get logging back to files:
logging.level: info
logging.to_files: true
logging.to_stderr: false
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.