Beat.name not populated with logstash output

christiaanvanaken · May 19, 2017, 12:30pm

Data from Metricbeat is send to my central Logstash server and from there the output goes to Elasticsearch. If I do this, the field beat.name is always empty. If I change the Metricbeat configuration to send it to Elasticsearch directly, the field beat.name is correctly filled in with the hostname. I followed the manual for installing and configuring Metricbeat.

Please help!

ruflin · May 19, 2017, 12:56pm

Please share your beat version, beat config, LS config, LS version.

christiaanvanaken · May 19, 2017, 1:17pm

metricbeat version 5.4.0
logstash 5.4.0

file /etc/metricbeat/metricbeat.yml:

#----------------------------- Logstash output --------------------------------
output.logstash:

The Logstash hosts

hosts: ["monserver:5044"]

Optional SSL. By default is off.

List of root certificates for HTTPS server verifications

ssl.certificate_authorities: ["/etc/metricbeat/certificate.crt"]

Certificate for SSL client authentication

#ssl.certificate: "/etc/pki/client/cert.pem"

Client Certificate Key

#ssl.key: "/etc/pki/client/cert.key"

file /etc/logstash/conf.d/02-metricbeat.conf:

input {
beats {
port => 5044
codec => "json_lines"
ssl => true
ssl_certificate => "/etc/logstash/certificate.crt"
ssl_key => "/etc/logstash/certificate.key"
}
}

output {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

ruflin · May 22, 2017, 10:34am

Why do you use the json codec?

christiaanvanaken · May 22, 2017, 7:00pm

Well it does not matter if I put it in there or not. Either way it does give me the beat.name.

ruflin · May 23, 2017, 1:10pm

Can you enable the ruby debug output on LS to see if the events you receive that the beat.name set in it?

christiaanvanaken · May 24, 2017, 12:46pm

output received {"event"=>{"@timestamp"=>2017-05-24T12:48:18.417Z, "system"=>{"process"=>{"memory"=>{"rss"=>{"pct"=>0.0009, "bytes"=>3497984}, "size"=>224391168, "share"=>2859008}, "cmdline"=>"/usr/local/psa/admin/bin/modules/watchdog/monit -Ic /usr/local/psa/etc/modules/watchdog/monitrc", "pgid"=>824, "name"=>"monit", "cpu"=>{"start_time"=>"2017-05-02T22:03:36.000Z", "total"=>{"pct"=>0.0}}, "pid"=>824, "state"=>"sleeping", "fd"=>{"limit"=>{"hard"=>4096, "soft"=>1024}, "open"=>5}, "ppid"=>1, "username"=>"root"}}, "host"=>"", "metricset"=>{"rtt"=>55135, "module"=>"system", "name"=>"process"}, "GeoLocation"=>{}}}

I suppressed the real hostname, but it looks like the beat stuff is not coming to LS.

christiaanvanaken · May 24, 2017, 7:47pm

Problem solved, my mistake. I have more then one inpuf defined so I needed to add some tags to make sure the right filters and outputs are used.

system · June 21, 2017, 7:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.