Beats behaviour

Igor_Dementyeff · June 5, 2016, 12:24pm

Hello all. I got a very strange problem with the Kibana and I honestly don't know where to search...
So the overview is this:
Kibana server with topbeat, packetbeat and filebeat running
Once in a day, or 2 days, filebeat stops showing any results in the dashboard I made.
Restart to Kibana and all 3 beats is not giving any solution, as also the removing and adding beats back to the index patterns
Under the /0/indices folder every beat got its own folder for today and 3 days back. Older folders are deleted by the cronjob every day
Kibana server is Linux, and it monitors the JBOSS linux servers. Filebeat is used for analysing the logs of JBOSS servers
Can someone please help me to solve the issue?

Thanks in advance
Igor

warkolm · June 5, 2016, 11:33pm

Is there data in the indices? Take a look with _cat/indices.

Igor_Dementyeff · June 6, 2016, 7:31am

Thanks for the answer. Yes, it is

warkolm · June 6, 2016, 7:45am

Please don't post pictures of text, they are difficult to read and some people may not be even able to see them.

Also, use the APIs, not the filesystem. What does that API show you?

Igor_Dementyeff · June 6, 2016, 7:49am

Sorry, will not do it again
The result:

-bash-4.1# curl 'localhost:9200/_cat/indices/twi*?v' health status index pri rep docs.count docs.deleted store.size pri.store.size

So it shows nothing as I assume

warkolm · June 6, 2016, 7:51am

Then it looks like a beats issue.

Can you post your configs and versions?

Igor_Dementyeff · June 6, 2016, 8:11am

2016/06/06 08:08:22.355246 beat.go:107: INFO Init Beat: topbeat; Version: 1.0.1
2016/06/06 08:09:13.320334 beat.go:107: INFO Init Beat: filebeat; Version: 1.0.1
2016/06/06 08:09:46.564029 beat.go:107: INFO Init Beat: packetbeat; Version: 1.0.1

Config - you mean the .yml files?

warkolm · June 6, 2016, 9:48pm

Yes.

Igor_Dementyeff · June 7, 2016, 4:55am

`filebeat:
prospectors:
-
paths:
- /opt/jboss/EAP/standalone/log/server.log
fields:
server: jboss

registry_file: /var/lib/filebeat/registry

output:
logstash:
hosts: ["badger:5018"]

shipper:

logging:
level: warning
to_files: true
to_syslog: false
files:
path: /var/log/filebeat
name: filebeat.log
keepfiles: 2
rotateeverybytes: 10485760 # = 10MB

interfaces:
device: any

protocols:
dns:
ports: [53]
include_authorities: true
include_additionals: true
http:
ports: [80, 8080, 8180, 8280, 8380]
hide_keywords: ['password']
memcache:
ports: [11211]

vi /etc/topbeat/topbeat.yml
input:
period: 10
procs: [".*"]

stats:
system: true
proc: true
filesystem: true

output:
logstash:
hosts: ["badger:5018"]

shipper:

logging:
to_syslog: false
to_files: true
files:
path: /var/log/topbeat
name: topbeat.log
rotateeverybytes: 10485760 # = 10MB
keepfiles: 2
level: warning
~

output:
logstash:
hosts: ["badger:5018"]

shipper:

logging:
to_files: true
to_syslog: false
files:
path: /var/log/packetbeat
name: packetbeat.log
rotateeverybytes: 10485760 # = 10MB
keepfiles: 2
level: warning

`

Igor_Dementyeff · June 9, 2016, 2:40pm

Mark, you here?

steffens · June 10, 2016, 10:18am

please upgrade your beats to more recent release. Old versions have a known bug of beats not sending new events if logstash/network failed way too often.