I have configured Filebeat to send data to logstash and logstash sends data to elasticsearch.

Nothing appears in logstash-* in kibana .. neither is there any data in filebeats-*.

Filebeat.yml:

filebeat.prospectors:

• input_type: log
  paths:
  #- /var/log/*.log
  • D:\ELKWorkspace\ELK1.mule\logs\elk2.log
  • D:\ELK\logs\Poornima\CKServer.log
    exclude_lines: ["^DBG"]
    include_lines: ["^ERR", "^WARN", "^INFO"]

output.logstash:

The Logstash hosts

hosts: ["localhost:5044"]

logstash.conf

input {
beats {
port => 5044
}
}

output {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

Am not sure whether input port in logstash should be 5044 or 5043. Both do not work. However, Following are the console logs:

Beats

971×385 17.4 KB

logstash

1259×270 14.3 KB

Based on your configuration, the data will be written to filebeat-YYYY.MM.DD indices. What does this query return?

curl http://localhost:9200/_cat/indices?v

@andrewkroh .. it returns ..

image.png805×287 8.26 KB

I have pasted the configuration of logstash and filebeat for reference ... do I need to alter/add something in it?

Further i think logstash is not sending the data received from filebeat to elasticsearch...

image.png718×442 9.27 KB

My issue is resolved.. in case someone is facing the same prob.

1. In logstash.conf, remove

manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"

2. In Filebeat, modify
   include_lines: ["^ERR", "^WARN", "^INFO"]
   as
   include_lines: ["ERR", "WARN", "INFO"]

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.