Beats not outputting to logstash like expected

jcarapet · March 9, 2016, 10:33pm

Trying to troubleshoot issue with filebeat outputting to logstash. Determined it is a config issue, though cannot determine where the config issue lies. the filebeat.yml passes yaml lint, configtest, and is showing in debug logs that it is outputting events to logstash. It is however not getting to logstash server. Verified it's not a network issue by performing telnet to logstash node.

Putting my created config below. generated via Chef and Ruby, so just missing a nested field somewhere. if obvious let me know so I can adjust my generator method.

---
filebeat:
  prospectors:
  - paths:
    - "/var/log/audit/audit.log"
    - "/var/log/auth.log"
    - "/var/log/cron"
    - "/var/log/faillog"
    - "/var/log/httpd"
    - "/var/log/kern.log"
    - "/var/log/maillog"
    - "/var/log/messages"
    - "/var/log/mysqld.log"
    - "/var/log/secure"
    - "/var/log/sshd.log"
    - "/var/log/sudo/asu/*"
    - "/var/log/sudo/sudo.log"
    - "/var/log/yum.log"
    fields:
      ktopic: system
      index: jeff2
      fwder: filebeat
      fields_under_root: true
output:
  logstash:
    hosts:
    - logmgmt-dev.company.net:6785
    worker: 1
logging:
  to_syslog: true
  to_files: true
  files:
    path: var/log/filebeat
    name: filebeat
    rotateeverybytes: 10485760
  level: debug

andrewkroh · March 9, 2016, 11:02pm

I tried your config and it works for me. I only changed the IP/port to point to my local Logstash server that is running the following config.

input {
  beats {
    port => 5044
  }
}

output {
  stdout { codec => rubydebug{} }
}

Each time you restart a test you should delete the .filebeat file in the current directory so that any state is destroyed.

Your fields_under_root: true need to be moved two spaces to the left, but that won't prevent it from sending to Logstash.

jcarapet · March 10, 2016, 4:40pm

Interesting. So you were actually receiving the events in logtstash? Ours are not being pushed out. First thought was that it was a port issue, but telnet ipaddress port_number does work from the filebeat machine.

Maybe it is related to logstash version causing issues? Our version is 2.1.1, so not sure if that would affect things.

andrewkroh · March 10, 2016, 5:05pm

Yes, I was receiving the events in Logstash and they were being logged to the console. Did you try running with the simple Logstash config I provided ($ bin/logstash -f simple.conf)?

I used Logstash 2.2.2 for the test I ran, but it should work for 2.1.

jcarapet · March 10, 2016, 10:41pm

moving fields_under_root two spaces over apparently worked. Just double checked kibana and it is sending logs real time. No explanation why that affected it, but it's the only thing that has changed.

andrewkroh · March 10, 2016, 10:56pm

Glad you got things working. That is odd, because I tested with fields_under_root as you originally posted, and it simply showed up as any other field in the output like ktopic and fwder.