Beginner - metricbeat system dashboard with basic logstash output set

NeitoFR · June 25, 2020, 9:55am

Hi everyone,

I'm using ELK 7.5.2 with basic metricbeat modules (system, docker) I managed to load the Kibana dashboard to Kibana correctly. But now I'm making the logs pass through logstash (without any filter) and the dashboards are now empty (despite the fact that the log are visible in the discover tab under logstash-* pattern)

I foudn this in the documentation Set up dashboards for Logstash output and I tried to do it but the dashboard are still not filling with data.

What am I missing ?

Thanks

mtojek · June 25, 2020, 2:13pm

I think you need to share more details on the forum. Do you see any particular errors?

BTW You don't need to involve logstash in the middle while just playing with stuff around.

NeitoFR · June 25, 2020, 3:55pm

Thanks for the reply, I want to learn how to use logstash aswell that's why i'm trying to set it up.

There is no error on metricbeat log nor logstash log.

Here are complementary informations about my environment :

Everything run on a CentOS 7 machine on AWS.
Everything is inside Docker container (docker version is 19.03.12)
ELK and metricbeat are deployed in 7.5.2 version

Here is the beginning of the .yml file for metricbeat :

    setup.kibana.host: kibana:5601
     
    # setup.dashboards.enabled: true
  
    output.logstash.hosts: ["logstash:5044"]
    ... module declarations

And here is the logstash conf file used :

input {
    beats {
        port => "5044"
    }
}
# filter {
#
# }
output {
    elasticsearch {
        hosts => [ "elasticsearch:9200" ]
    }
}

The # setup.dashboards.enabled: true line is commented because I manuaylly loaded the dashboard from metricbeat container using the following command :

filebeat setup -e \
  -E output.logstash.enabled=false \
  -E output.elasticsearch.hosts=['elasticsearch:9200'] \
  -E setup.kibana.host=kibana:5601

as specified here

Logstash is ingesting the logs correctly but the dashboard stays empty

While those very same dashboard where correctly display data when logstach wasn't involved.

Maybe be reformulating the question would help :

Is there a specific manipulation to perform to make the metricbeat dashboard work when its logstash that send logs to elasticsearch ?

mtojek · June 26, 2020, 8:48am

If you consider that logstash consumes data correctly and doesn't pass them to the Elasticsearch, it might be a logstash issue. Did you try to set up the flow without logstash in the middle? Did it work for you? You might need to validate creation of index templates.

NeitoFR · June 26, 2020, 9:03am

Logstash does send the data to Elasticsearch correctly

I let it run over night and data keep flowing correctly, the same way it was without logstash :

Here is the last piece of data I've got from logstash :

And I just changed the output of metricbeat to elastic search and restarted it :

# output.logstash.hosts: ["logstash:5044"]
output.elasticsearch.hosts: ["elasticsearch:9200"]

And the dashboard is working instantly :

NeitoFR · June 26, 2020, 9:08am

Ok I found the reason, it's because the dashboard is set to 'listen' on the metricbeat-* index pattern, but that's not obvious and I can't find a way to make every dashboard object to change which index pattern there 'listening' to.

I guess there is a way to setup the dashboards directly with the index pattern set to logstash-*. I need to find how.

system · July 24, 2020, 11:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.