After starting filebeat, prospectors initially pushes some logs and then stops

Matthew_Prinvale · December 4, 2015, 7:56pm

Edit: I must have missed a part where you had to remove the elasticsearch portion from the config.yml. In previous versions removing it broke it.

Hopefully I explain this correct: Running filebeat with two prospectors (configs below). After I start filebeat the syslog and corelogger prospector launch and initially pushes some logs but then after a quick burst, stops shipping them. The log files in question continually get written to (about 2 or 3 lines/second) and it's nothing significant in terms of size.

version: filebeat 1.0.0

filebeat.yml

filebeat:
  registry_file: /var/lib/filebeat/registry
  config_dir: /etc/filebeat

output:
  elasticsearch:
    enabled: false
    hosts: ["localhost:9200"]

logstash:
  enabled: true
  hosts: ["my-host.com:5044"]

shipper:

syslog.yml

filebeat:
  prospectors:
  -
      paths:
      - /var/log/syslog
      - /var/log/auth.log

     input_type: log
     document_type: syslog

corelogger.yml

filebeat:
  prospectors:
  -
      paths:
      - /var/log/myapp/stats.log

     input_type: log
     document_type: corelogger

I looked over some of the default configs for the prospector but I don't see one that makes sense to change outside of its default value. Any help is appreciated.

ruflin · December 5, 2015, 9:31pm

The only strange thing I saw in your config is the indentation of the - after the prospector, but I assume that is only a copy / paste problem as you said, initially it works. Would it be possible that you run filebeat with the -e -d "*" flags? This will produce some more debugging output and should get give some deeper insights. What OS are you using?

Did you ever try to put both prospectors directly in the filebeat.yml file?

Matthew_Prinvale · December 8, 2015, 8:53pm

Issue solved. Edited OP

Noebas · January 3, 2016, 5:30pm

EDIT:

seems not the same after closer inspection