I have installed Filebeat version 8.10.2 on an Ubuntu server and configured it to send Apache access and error logs to Logstash. While the logs are displayed in Kibana, they are not parsing through their default ingest pipelines, causing issues with data visualization on the dashboard.
To set up Filebeat, I followed the instructions provided in the official documentation, along with additional articles for more specific guidance:
I also followed these three articles to load the necessary components for proper log processing:
Additionally, I referred to this Logstash documentation.
Here are the commands I executed for better clarity:
LOAD INDEX TEMPLATE:
filebeat setup --index-management -E output.logstash.enabled=false -E output.elasticsearch.username="elastic" -E output.elasticsearch.password="KkXXNnUzgahp" -E 'output.elasticsearch.hosts=["http://X.X.X.X:9200"]'
LOAD KIBANA DASHBOARDS:
filebeat setup -e -E output.logstash.enabled=false -E output.elasticsearch.username="elastic" -E output.elasticsearch.password="zgXahkXNnUp" -E 'output.elasticsearch.hosts=["http://X.X.X.X:9200"]' -E setup.kibana.host=http://X.X.X.X:5601
LOAD PIPELINE:
filebeat setup --pipelines --modules apache --force-enable-module-filesets
I assumed that after loading the default ingest pipelines, the Apache error and access logs would be parsed without the need for additional configuration in Logstash. However, the logs are still not parsing as expected after applying the default ingestion pipeline.
Here are the details of the log:
Here is the Logstash config file:
input {
  beats {
    port => 5044
  }
}
output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => "http://x.x.x.x:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      action => "create"
      pipeline => "%{[@metadata][pipeline]}"
      user => "elastic"
      password => "XXzgahpNnU"
    }
  } else {
    elasticsearch {
      hosts => "http://x.x.x.x:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      action => "create"
      user => "elastic"
      password => "XXzgahpNnU"
    }
  }
}
Despite following the steps and configurations mentioned, the logs are not being parsed correctly, as shown in the provided images. Expert guidance is required.
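The routing done by the Logstash output section in the post above, sketched in Python as an added example (not the poster's code and not Elastic's): it resolves the same %{[@metadata][...]} references against two events and shows that an event arriving without [@metadata][pipeline] takes the else branch and is indexed with no ingest pipeline. The two events and the pipeline name are constructed for illustration, and lookup, sprintf and route are hypothetical helper names.

```python
import re

# Matches Logstash sprintf field references such as %{[@metadata][beat]}.
FIELD_REF = re.compile(r"%\{((?:\[[^\]]+\])+)\}")

def lookup(event, ref):
    """Resolve a reference like [@metadata][pipeline]; None if any key is absent."""
    node = event
    for key in re.findall(r"\[([^\]]+)\]", ref):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def sprintf(event, template):
    """Expand %{[a][b]} references; unresolved ones stay as literal text."""
    def repl(match):
        value = lookup(event, match.group(1))
        return match.group(0) if value is None else str(value)
    return FIELD_REF.sub(repl, template)

def route(event):
    """Mirror the output section: same index either way, pipeline only if set."""
    request = {
        "index": sprintf(event, "%{[@metadata][beat]}-%{[@metadata][version]}"),
        "action": "create",
        "pipeline": None,  # else branch: Elasticsearch runs no ingest pipeline
    }
    value = lookup(event, "[@metadata][pipeline]")
    if value is not None and value is not False:  # the `if [@metadata][pipeline]` test
        request["pipeline"] = sprintf(event, "%{[@metadata][pipeline]}")
    return request

# Constructed sample events (not taken from the post).
ACCESS_LINE = '203.0.113.7 - - [02/Oct/2023:10:15:32 +0000] "GET / HTTP/1.1" 200 3380'
MODULE_EVENT = {
    "message": ACCESS_LINE,
    "@metadata": {"beat": "filebeat", "version": "8.10.2",
                  "pipeline": "filebeat-8.10.2-apache-access-pipeline"},  # constructed name
}
PLAIN_EVENT = {
    "message": ACCESS_LINE,
    "@metadata": {"beat": "filebeat", "version": "8.10.2"},  # no pipeline field
}

if __name__ == "__main__":
    for name, event in (("module", MODULE_EVENT), ("plain", PLAIN_EVENT)):
        print(name, route(event))
```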