Beats generate files under /tmp

stefws · March 19, 2020, 8:44am

when installed and running auditbeat and filebeat [7.6.1] on Linux I find files like below under /tmp:

lrwxrwxrwx. 1 root root   66 Mar 19 09:15 filebeat.INFO -> filebeat.stws-guinea-pig.root.log.INFO.20200319-091516.3866
lrwxrwxrwx. 1 root root   67 Mar 19 09:25 auditbeat.INFO -> auditbeat.stws-guinea-pig.root.log.INFO.20200319-092507.4097
lrwxrwxrwx. 1 root root   69 Mar 19 09:15 filebeat.WARNING -> filebeat.stws-guinea-pig.root.log.WARNING.20200319-091516.3866
lrwxrwxrwx. 1 root root   70 Mar 19 09:25 auditbeat.WARNING -> auditbeat.stws-guinea-pig.root.log.WARNING.20200319-092507.4097
-rw-r--r--. 1 root root  192 Mar 19 09:15 filebeat.stws-guinea-pig.root.log.WARNING.20200319-091516.3866
-rw-r--r--. 1 root root  192 Mar 19 09:15 filebeat.stws-guinea-pig.root.log.WARNING.20200319-091513.3860
-rw-r--r--. 1 root root  192 Mar 19 09:12 filebeat.stws-guinea-pig.root.log.WARNING.20200319-091248.3751
-rw-r--r--. 1 root root  192 Mar 19 09:15 filebeat.stws-guinea-pig.root.log.INFO.20200319-091516.3866
-rw-r--r--. 1 root root  192 Mar 19 09:15 filebeat.stws-guinea-pig.root.log.INFO.20200319-091513.3860
-rw-r--r--. 1 root root  192 Mar 19 09:12 filebeat.stws-guinea-pig.root.log.INFO.20200319-091248.3751
-rw-r--r--. 1 root root  192 Mar 19 09:18 auditbeat.stws-guinea-pig.root.log.WARNING.20200319-091840.4048
-rw-r--r--. 1 root root  192 Mar 19 09:18 auditbeat.stws-guinea-pig.root.log.INFO.20200319-091840.4048
-rw-r-----. 1 root root  568 Mar 19 09:14 filebeat.stws-guinea-pig.root.log.WARNING.20200319-091446.3849
-rw-r--r--. 1 root root  568 Mar 19 09:13 filebeat.stws-guinea-pig.root.log.WARNING.20200319-091349.3836
-rw-r-----. 1 root root  568 Mar 19 09:12 filebeat.stws-guinea-pig.root.log.WARNING.20200319-091248.3798
-rw-r-----. 1 root root  568 Mar 19 09:14 filebeat.stws-guinea-pig.root.log.INFO.20200319-091446.3849
-rw-r--r--. 1 root root  568 Mar 19 09:13 filebeat.stws-guinea-pig.root.log.INFO.20200319-091349.3836
-rw-r-----. 1 root root  568 Mar 19 09:12 filebeat.stws-guinea-pig.root.log.INFO.20200319-091248.3798
-rw-r-----. 1 root root  568 Mar 19 09:25 auditbeat.stws-guinea-pig.root.log.WARNING.20200319-092507.4097
-rw-r--r--. 1 root root  568 Mar 19 09:19 auditbeat.stws-guinea-pig.root.log.WARNING.20200319-091908.4058
-rw-r--r--. 1 root root  568 Mar 19 09:18 auditbeat.stws-guinea-pig.root.log.WARNING.20200319-091811.4037
-rw-r--r--. 1 root root  568 Mar 19 09:17 auditbeat.stws-guinea-pig.root.log.WARNING.20200319-091748.4027
-rw-r-----. 1 root root  568 Mar 19 09:16 auditbeat.stws-guinea-pig.root.log.WARNING.20200319-091617.3976
-rw-r-----. 1 root root  568 Mar 19 09:25 auditbeat.stws-guinea-pig.root.log.INFO.20200319-092507.4097
-rw-r--r--. 1 root root  568 Mar 19 09:19 auditbeat.stws-guinea-pig.root.log.INFO.20200319-091908.4058
-rw-r--r--. 1 root root  568 Mar 19 09:18 auditbeat.stws-guinea-pig.root.log.INFO.20200319-091811.4037
-rw-r--r--. 1 root root  568 Mar 19 09:17 auditbeat.stws-guinea-pig.root.log.INFO.20200319-091748.4027
-rw-r-----. 1 root root  568 Mar 19 09:16 auditbeat.stws-guinea-pig.root.log.INFO.20200319-091617.3976

What would be the purposes of such and to what extent might their sizes grow/change/rotation eta.?

stefws · March 19, 2020, 8:55am

Seems they don't really grow much but just gets created at daemon launches...

Both .INFO and .WARNING seems to contains W event/Warnings, is that expected?

[root@stws-guinea-pig tmp]# cat auditbeat.INFO
Log file created at: 2020/03/19 09:25:07
Running on machine: stws-guinea-pig
Binary: Built with gc go1.13.8 for linux/amd64
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
W0319 09:25:07.491949    4097 client_config.go:541] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
W0319 09:25:07.492533    4097 client_config.go:546] error creating inClusterConfig, falling back to default config: unable to load in-cluster configuration, KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT must be defined

[root@stws-guinea-pig tmp]# cat auditbeat.WARNING
Log file created at: 2020/03/19 09:25:07
Running on machine: stws-guinea-pig
Binary: Built with gc go1.13.8 for linux/amd64
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
W0319 09:25:07.491949    4097 client_config.go:541] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
W0319 09:25:07.492533    4097 client_config.go:546] error creating inClusterConfig, falling back to default config: unable to load in-cluster configuration, KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT must be defined

Might it stem from having the add_kubernetes_metadata processor (even though this test server isn't a kubernetes box):

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

EDIT: These files doesn't appear when launched without the add_kubernetes_metadata processor, what's the purpose with these rather than logging in the general beat log (path.log)?

system · April 16, 2020, 10:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
No logs found for filebeat Beats filebeat	9	717	December 31, 2020
Filebeat installation in linux Beats filebeat	5	1683	September 4, 2017
How to log auditbeat/metricbeat output not to syslog? Beats	2	500	July 15, 2019
Filebeat BeatUUID repeat Beats filebeat	2	361	May 31, 2018
How to know my filebeat is collecting the running container logs or not Beats filebeat	4	2366	June 4, 2018

Beats generate files under /tmp

Related topics