I want to install filebeat, and connect it to logz.io After following the set up for the filebeat.yml, my filebeat could not be started.
I am getting error:
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sun 2020-03-15 23:21:00 EDT; 4s ago
Docs: https://www.elastic.co/products/beats/filebeat
Process: 3890 ExecStart=/usr/share/filebeat/bin/filebeat $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS (code=exited, status=1/FAILURE)
Main PID: 3890 (code=exited, status=1/FAILURE)
Mar 15 23:21:00 hamilton-VirtualBox systemd[1]: filebeat.service: Service hold-off time over, scheduling restart.
Mar 15 23:21:00 hamilton-VirtualBox systemd[1]: filebeat.service: Scheduled restart job, restart counter is at 5.
Mar 15 23:21:00 hamilton-VirtualBox systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
Mar 15 23:21:00 hamilton-VirtualBox systemd[1]: filebeat.service: Start request repeated too quickly.
Mar 15 23:21:00 hamilton-VirtualBox systemd[1]: filebeat.service: Failed with result 'exit-code'.
Mar 15 23:21:00 hamilton-VirtualBox systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..
Here is my yml file: (Based on: https://docs.logz.io/shipping/log-sources/zeek.html)
filebeat.inputs:
- type: log
paths:
- /var/log/bro/current/conn.log
- /var/log/bro/current/ssh.log
- /var/log/bro/current/rdp.log
- /var/log/bro/current/ssl.log
- /var/log/bro/current/smb.log
- /var/log/bro/current/dpd.log
- /var/log/bro/current/dns.log
- /var/log/bro/current/http.log
fields:
logzio_codec: json
token: SqGguNxSjaFgKwnlfCMozZfhueBbAtNX
type: zeek
fields_under_root: true
encoding: utf-8
ignore_older: 3h
- type: log
paths:
- /var/log/bro/current/notice.log
fields:
logzio_codec: json
token: SqGguNxSjaFgKwnlfCMozZfhueBbAtNX
type: zeek_alert
fields_under_root: true
encoding: utf-8
ignore_older: 3h
filebeat.registry.path: /var/lib/filebeat
processors:
- rename:
fields:
- from: "agent"
to: "filebeat_agent"
ignore_missing: true
- rename:
fields:
- from: "log.file.path"
to: "source"
ignore_missing: true
output.logstash:
hosts: ["app.logz.io:5015"]
ssl:
certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
I have generated 4 filebeat.log, I am not sure if they are important.
| 2020-02-12T00:01:23.029-0500 | INFO | instance/beat.go:622 | Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat] |
|---|---|---|---|
| 2020-02-12T00:01:23.030-0500 | INFO | instance/beat.go:630 | Beat ID: bedf985e-797a-45b9-9161-c79432aaafaf |
| 2020-02-11T23:50:07.311-0500 | INFO | instance/beat.go:622 | Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat] |
| --- | --- | --- | --- |
| 2020-02-11T23:50:07.312-0500 | INFO | instance/beat.go:630 | Beat ID: bedf985e-797a-45b9-9161-c79432aaafaf |
| 2020-02-11T23:49:57.869-0500 | INFO | instance/beat.go:622 | Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat] |
| --- | --- | --- | --- |
| 2020-02-11T23:49:57.869-0500 | INFO | instance/beat.go:630 | Beat ID: bedf985e-797a-45b9-9161-c79432aaafaf |
| 2020-02-11T23:48:45.136-0500 | INFO | instance/beat.go:622 | Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat] |
| --- | --- | --- | --- |
| 2020-02-11T23:48:45.136-0500 | INFO | instance/beat.go:630 | Beat ID: bedf985e-797a-45b9-9161-c79432aaafaf |
Thx a lot