Can't read journald logs set within a folder about beats' input -> paths

Here we set up a journald log server and set a folder as filebeat's input paths. The output is elasticsearch. But filebeat can't crawl every journal file within that folder. When we clearly define each journal file's path in filebeat's input paths, it works. But based on the filebeat KB about journald as input, crawl should work when we define a path in place of many files within a folder. And we also find that when we change the output from elasticsearch to logstash, folder based crawl works and can be shown in the data view set in kibana by logstash. So we can say folder based crawl doesn't work only when the output is set as elasticsearch and the filebeat index is chosen as data view in kibana. And this only happens when choosing journald logs as input for filebeat and elasticsearch as output. Can anyone support this?

Hello,

You need to provide some evidence, share your filebeat configuration, share any filebeat logs with errors that you have.

The output should not have any impact on the input, the fact that it works when using Logstash and not Elasticsearch may suggest some error in your configuration or some issue in your Elasticsearch.

You need to share your configurations.

Attached is my filebeat.yml's configuration. When I changed the journald input paths from "specific files" to their parent folder path "/var/log/journal/remote", used filebeat setup to re-config, and restarted the service, the elasticsearch based filebeat index could only crawl one random journal log file, not all of them. As I found, when I change the output to logstash, the input paths for journald logs can be completely crawled.





When I set a folder as the filebeat journal input's paths, with no change to the kibana/elasticsearch output settings in filebeat.yml, after filebeat setup and filebeat service restart, I can't see all incoming journald logs from kibana kanboard.



In which path are your files?

If you use /var/log/journal/remote in filebeat, it will look for a file named remote in the path /var/log/journal, but it seems that remote is a directory and you want to consume the files inside this directory. Is that right?

In this case you need to use /var/log/journal/remote/*.journal, this will read every file inside that path.

Yes. Here I'm talking about the folder "/var/log/journal/remote", which acts as journald log server and is read by filebeat as journald input. I adjusted as you suggested, but no luck. filebeat setup and service restart seem ok. Here I show you the real time filebeat index and logstash based data view crawl result from kibana for your reference. Currently I have prepared two sets of filebeat services. One is driven by the filebeat rpm and configured as journald input and elasticsearch output with kibana kanboard. The other filebeat is based on the downloaded tarball and started from the command line, configured as journald input and logstash output directly.





I'm sorry, but it is really confusing what is working and what is not working.

Can you share the working configuration of your filebeat as plain text, not as an image? And also the non-working configuration in the same way? Also, share your logstash configuration as well, and provide context of what is the working configuration and what is the non-working configuration.

Avoid sharing screenshots of configuration and log files; share them as plain text using the Preformatted text option, the </> button.

I just started up two filebeat services, used to show that filebeat -> elasticsearch can't crawl /var/log/journal/remote [journald log server]'s *.journal. But filebeat->logstash->elasticsearch works. As I said, in my practice, filebeat can only crawl all files when they are defined one by one in filebeat.yml, when using filebeat -> elasticsearch mode for journald data crawl. I'm not sure if it's a bug or not.

[root@elk filebeat-8.13.4-linux-x86_64]# ps -ef | grep -i filebeat
root 6217 1 0 May20 ? 00:00:32 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat
root 45042 44946 60 09:22 pts/0 00:00:03 /root/patch/filebeat-8.13.4-linux-x86_64/filebeat --path.config /root/patch/filebeat-8.13.4-linux-x86_64 --path.data /root/patch/filebeat-8.13.4-linux-x86_64/data --path.logs /root/patch/filebeat-8.13.4-linux-x86_64/logs

filebeat.yml choosing journald as input, elasticsearch as output. Can't crawl based on journald folder level: /var/log/journal/remote, but works when defining each journal file under paths:

filebeat.inputs:
- type: journald
  id: everything
  enabled: true
  paths:
    - /var/log/journal/remote/*.journal
    #- /var/log/journal/remote/remote-127.0.0.1.journal
    #- /var/log/journal/remote/remote-192.168.31.180.journal
    #- /var/log/journal/remote/remote-192.168.31.209.journal
    #- /var/log/journal/remote/remote-192.168.31.225.journal
  seek: cursor
  cursor_seek_fallback: since
  since: -24h

- type: filestream
  id: my-filestream-id
  enabled: false
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  #exclude_lines: ['^DBG']
  #include_lines: ['^ERR', '^WARN']
  #prospector.scanner.exclude_files: ['.gz$']
  #fields:
  #  level: debug
  #  review: 1

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
  #reload.period: 10s

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

#name:
#tags: ["service-X", "web-tier"]
#fields:
#  env: staging

#setup.dashboards.enabled: false
#setup.dashboards.url:

setup.kibana:
  #host: "localhost:5601"
  host: "https://elk:5601"
  protocol: "https"
  username: "elastic"
  password: "xxxxx"
  ssl.verification_mode: none
  #space.id:


#cloud.id:
#cloud.auth:

output.elasticsearch:
  hosts: ["localhost:9200"]
  preset: balanced
  protocol: "https"
  #api_key: "id:api_key"
  username: "elastic"
  password: "xxxxx"
  ssl:
    enabled: true
    ca_trusted_fingerprint: "203C304B8E75B82CE2A9EF454306CAB6E86E038390DC75AFF3EB94961CB39A18"

#output.logstash:
  #hosts: ["localhost:5044"]
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  #ssl.certificate: "/etc/pki/client/cert.pem"
  #ssl.key: "/etc/pki/client/cert.key"

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  #- add_cloud_metadata: ~
  #- add_docker_metadata: ~
  #- add_kubernetes_metadata: ~

#logging.level: debug
#logging.selectors: ["*"]
#monitoring.enabled: false
#monitoring.cluster_uuid:
#monitoring.elasticsearch:

#instrumentation:
    #enabled: false
    #environment: ""
    #hosts:
    #  - http://localhost:8200
    #api_key:
    #secret_token:
    
#migration.6_to_7.enabled: true
setup.ilm.overwrite: true

filebeat.yml which is triggered from the command line and chooses journald as input and logstash as output. In this mode, filebeat can crawl the journal files under the folder /var/log/journal/remote, with no need to define journal files one by one.

filebeat.inputs:
- type: journald
  id: everything
  enabled: true
  paths:
    - /var/log/journal/remote/

- type: filestream
  id: my-filestream-id
  enabled: false
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  #exclude_lines: ['^DBG']
  #include_lines: ['^ERR', '^WARN']
  #prospector.scanner.exclude_files: ['.gz$']
  #fields:
  #  level: debug
  #  review: 1

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
  #reload.period: 10s

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

#name:
#tags: ["service-X", "web-tier"]

#fields:
#  env: staging
#setup.dashboards.enabled: false
#setup.dashboards.url:

setup.kibana:
  #host: "localhost:5601"
  host: "https://elk:5601"
  protocol: "https"
  username: "elastic"
  password: "xxxxx"
  ssl.verification_mode: none
  
  #space.id:

#cloud.id:
#cloud.auth:

#output.elasticsearch:
  hosts: ["localhost:9200"]
  preset: balanced
  #protocol: "https"
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

output.logstash:
  hosts: ["localhost:5044"]
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  #ssl.certificate: "/etc/pki/client/cert.pem"
  #ssl.key: "/etc/pki/client/cert.key"

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

#logging.level: debug
#logging.selectors: ["*"]

#monitoring.enabled: false
#monitoring.cluster_uuid:
#monitoring.elasticsearch:

#instrumentation:
    #enabled: false
    #environment: ""
    #hosts:
    #  - http://localhost:8200
    #api_key:
    #secret_token:

#migration.6_to_7.enabled: true

logstash-from-filebeat.yml under /etc/logstash/conf.d/, used to receive journald logs when choosing filebeat as input mode. What I want to say is that this way [filebeat -> logstash -> elasticsearch], I can crawl journald logs under the path. But when using filebeat -> elasticsearch, I can't crawl; I have to define each journal file clearly under paths. As far as I know this only happens when crawling journald input logs. I hope you can verify in your lab or give solutions if you have any.

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    ssl_enabled => true
    ssl_certificate_authorities => '/etc/logstash/certs/http_ca.crt'
    user => elastic
    password => "xxxxx"
    index => "elk-journald-log-%{+YYYY.MM}"
    data_stream => false
    codec => rubydebug
  }
}

Hello, do you have any comments about my update?

Hello,

Sorry, no, I do not have any comments. I do not use journald, but changing the output would not have an impact on the crawling of the source. I still think that this is some issue with your Elasticsearch, but you didn't share any logs when running filebeat with the elasticsearch output to show what is happening.

I was reading the documentation for the journald input and it seems that you need to use a path and not a glob, so the correct way would be to have /var/log/journal/remote, which was what you had before.

If this works with the Logstash output, it should work with the Elasticsearch output, unless there is some issue on the Elasticsearch side while indexing it, but for this you need to share logs from filebeat when the Elasticsearch output is configured.

Another thing that caught my eye is this:

Did you start them at the same time? What do you have in the logs for them?

Can you stop both filebeat and start the one configured to send to Elasticsearch using the same path as you are using in the one that is working with Logstash and then share the logs from it?

Share the logs as plain text.

Without logs it is not possible to troubleshoot this.
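Added example, not part of the original thread: a small Python triage for the kind of Filebeat JSON log requested above. It re-joins records that a paste has wrapped mid-line and counts warn/error entries per logger; the sample lines are constructed (abridged from the log format quoted in this thread) and the function names are illustrative.

```python
import json
from collections import Counter

# Every Filebeat JSON log record in this format begins with this key.
RECORD_START = '{"log.level"'

# Constructed sample, abridged from the log format quoted in this thread.
# The "Process info" record is wrapped mid-token, as happens in a forum paste.
SAMPLE = r"""
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.543+0800","message":"Setup Beat: filebeat; Version: 8.13.4","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-05-24T20:45:03.549+0800","log.logger":"elasticsearch","message":"Performance preset 'balanced' overrides user setting for field 'bulk_max_size'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.543+0800","log.logger":"beat","message":"Process info","system_info":{"process":{"pid":2640,"se
ccomp":{"mode":"disabled"}}},"ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-05-24T20:45:07.335+0800","log.logger":"tls","message":"SSL/TLS verifications disabled.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-05-24T20:45:07.335+0800","log.logger":"tls","message":"SSL/TLS verifications disabled.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-05-24T20:47:04.416+0800","log.logger":"load","message":"Unable to hash given config: missing field accessing '0.audit' (source:'/etc/filebeat/modules.d/gcp.yml.disabled')","service.name":"filebeat","ecs.version":"1.6.0"}
"""


def iter_records(text):
    """Yield (record, raw) pairs; record is None for a fragment that never parsed.

    Physical lines are concatenated until they form valid JSON, which repairs
    records that were wrapped in the middle of a token. A line that starts a
    new record while a fragment is still pending flushes that fragment as
    unparsed instead of silently merging two records.
    """
    buf = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if buf and line.startswith(RECORD_START):
            yield None, buf
            buf = ""
        buf += line
        try:
            rec = json.loads(buf)
        except json.JSONDecodeError:
            continue  # incomplete so far; keep accumulating
        yield rec, buf
        buf = ""
    if buf:
        yield None, buf


def triage(text, levels=("warn", "error")):
    """Count (level, logger, message) for the given levels; also count unparsed fragments."""
    counts = Counter()
    unparsed = 0
    for rec, _raw in iter_records(text):
        if rec is None:
            unparsed += 1
            continue
        if rec.get("log.level") in levels:
            key = (rec["log.level"], rec.get("log.logger", "-"), rec.get("message", ""))
            counts[key] += 1
    return counts, unparsed


def loggers(text):
    """Count records per logger, to see which components logged anything at all."""
    seen = Counter()
    for rec, _raw in iter_records(text):
        if rec is not None:
            seen[rec.get("log.logger", "-")] += 1
    return seen


if __name__ == "__main__":
    counts, unparsed = triage(SAMPLE)
    for (level, logger, message), n in counts.most_common():
        print(f"{n:3d}  {level:5s}  {logger:14s}  {message}")
    print("unparsed fragments:", unparsed)
    print("loggers seen:", dict(loggers(SAMPLE)))
```

On a real log, the per-logger count also shows whether the input ever logged anything, which separates "input read nothing" from "output rejected events".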

Here I rolled back to my original setting, and used "filebeat setup" and "systemctl restart filebeat". Below is the cfg for the journald input and the related filebeat log for your reference.

filebeat.inputs:
- type: journald
  id: everything
  enabled: true
  paths:
    - /var/log/journal/remote
    #- /var/log/journal/remote/remote-127.0.0.1.journal
    #- /var/log/journal/remote/remote-192.168.31.180.journal
    #- /var/log/journal/remote/remote-192.168.31.209.journal
    #- /var/log/journal/remote/remote-192.168.31.225.journal
  seek: cursor
  cursor_seek_fallback: since
  since: -24h

{"log.level":"info","@timestamp":"2024-05-24T20:45:03.483+0800","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":811},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.484+0800","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":819},"message":"Beat ID: df87fd63-3f5a-40d7-b76a-f6cae44d7d49","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.539+0800","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1365},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"df87fd63-3f5a-40d7-b76a-f6cae44d7d49"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.539+0800","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1374},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"b24ddd14c936c216817afed0cc7d0b23fd920194","libbeat":"8.13.4","time":"2024-05-06T06:34:12.000Z","version":"8.13.4"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.539+0800","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1377},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":8,"version":"go1.21.9"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.542+0800","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1383},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2024-05-24T20:38:07+08:00","containerized":false,"name":"elk","ip":["127.0.0.1","192.168.8.104","192.168.31.104"],"kernel_version":"4.18.0-513.24.1.el8_9.x86_64","mac":["00:50:56:27:27:48","00:50:56:2e:6d:8c"],"os":{"type":"linux","family":"redhat","platform":"rocky","name":"Rocky Linux","version":"8.9 (Green Obsidian)","major":8,"minor":9,"patch":0,"codename":"Green Obsidian"},"timezone":"CST","timezone_offset_sec":28800,"id":"02102896377942289eff1e65ceb1fdff"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.543+0800","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1412},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","perfmon","bpf","checkpoint_restore"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","perfmon","bpf","checkpoint_restore"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","perfmon","bpf","checkpoint_restore"],"ambient":null},"cwd":"/root","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":2640,"ppid":2431,"seccomp":{"mode":"disabled","no_new_privs":false},"start_time":"2024-05-24T20:45:02.890+0800"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.543+0800","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).createBeater","file.name":"instance/beat.go","file.line":334},"message":"Setup Beat: filebeat; Version: 8.13.4","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.549+0800","log.logger":"elasticsearch","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/outputs/elasticsearch.makeES","file.name":"elasticsearch/elasticsearch.go","file.line":63},"message":"Applying performance preset 'balanced': {\n  \"bulk_max_size\": 1600,\n  \"compression_level\": 1,\n  \"idle_connection_timeout\": \"3s\",\n  \"queue\": {\n    \"mem\": {\n      \"events\": 3200,\n      \"flush\": {\n        \"min_events\": 1600,\n        \"timeout\": \"10s\"\n      }\n    }\n  },\n  \"worker\": 1\n}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-05-24T20:45:03.549+0800","log.logger":"elasticsearch","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/outputs/elasticsearch.makeES","file.name":"elasticsearch/elasticsearch.go","file.line":66},"message":"Performance preset 'balanced' overrides user setting for field 'bulk_max_size'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.549+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.NewConnection","file.name":"eslegclient/connection.go","file.line":122},"message":"elasticsearch url: https://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.550+0800","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.LoadWithSettings","file.name":"pipeline/module.go","file.line":105},"message":"Beat name: elk","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.550+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.newModuleRegistry","file.name":"fileset/modules.go","file.line":135},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.550+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.NewConnection","file.name":"eslegclient/connection.go","file.line":122},"message":"elasticsearch url: https://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.599+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":179},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.599+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":199},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.609+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":304},"message":"Attempting to connect to Elasticsearch version 8.13.4 (default)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.610+0800","log.logger":"index-management","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/idxmgmt.(*indexManager).Setup","file.name":"idxmgmt/index_support.go","file.line":254},"message":"Auto lifecycle enable success.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.615+0800","log.logger":"index-management.ilm","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/idxmgmt/lifecycle.(*stdManager).EnsurePolicy","file.name":"lifecycle/standard_manager.go","file.line":121},"message":"lifecycle policy filebeat successfully created.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.615+0800","log.logger":"index-management","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/idxmgmt.applyLifecycleSettingsToTemplate","file.name":"idxmgmt/index_support.go","file.line":402},"message":"Set settings.index.lifecycle.name in template to filebeat as ILM is enabled.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:03.643+0800","log.logger":"template","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/template.(*templateBuilder).buildBody","file.name":"template/load.go","file.line":263},"message":"Existing template will be overwritten, as overwrite is enabled.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:06.731+0800","log.logger":"template_loader","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/template.(*ESLoader).loadTemplate","file.name":"template/load.go","file.line":177},"message":"Try loading template filebeat-8.13.4 to Elasticsearch","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:07.332+0800","log.logger":"template_loader","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/template.(*ESLoader).Load","file.name":"template/load.go","file.line":134},"message":"Template with name \"filebeat-8.13.4\" loaded.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:07.335+0800","log.logger":"template_loader","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/template.(*ESLoader).Load","file.name":"template/load.go","file.line":150},"message":"Data stream with name \"filebeat-8.13.4\" already exists.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:07.335+0800","log.logger":"index-management","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/idxmgmt.(*indexManager).Setup","file.name":"idxmgmt/index_support.go","file.line":299},"message":"Loaded index template.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:07.335+0800","log.logger":"kibana","log.origin":{"function":"github.com/elastic/elastic-agent-libs/kibana.NewClientWithConfigDefault","file.name":"kibana/client.go","file.line":182},"message":"Kibana url: https://elk:5601","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-05-24T20:45:07.335+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.(*TLSConfig).ToConfig","file.name":"tlscommon/tls_config.go","file.line":107},"message":"SSL/TLS verifications disabled.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-05-24T20:45:07.335+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.(*TLSConfig).ToConfig","file.name":"tlscommon/tls_config.go","file.line":107},"message":"SSL/TLS verifications disabled.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:45:11.675+0800","log.logger":"kibana","log.origin":{"function":"github.com/elastic/elastic-agent-libs/kibana.NewClientWithConfigDefault","file.name":"kibana/client.go","file.line":182},"message":"Kibana url: https://elk:5601","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-05-24T20:45:11.676+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.(*TLSConfig).ToConfig","file.name":"tlscommon/tls_config.go","file.line":107},"message":"SSL/TLS verifications disabled.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-05-24T20:45:11.676+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.(*TLSConfig).ToConfig","file.name":"tlscommon/tls_config.go","file.line":107},"message":"SSL/TLS verifications disabled.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.263+0800","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).loadDashboards","file.name":"instance/beat.go","file.line":1052},"message":"Kibana dashboards successfully loaded.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.263+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.NewConnection","file.name":"eslegclient/connection.go","file.line":122},"message":"elasticsearch url: https://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.295+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":179},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.295+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":199},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.303+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":304},"message":"Attempting to connect to Elasticsearch version 8.13.4 (default)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-05-24T20:47:04.416+0800","log.logger":"load","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cfgfile.(*RunnerList).Reload","file.name":"cfgfile/list.go","file.line":98},"message":"Unable to hash given config: missing field accessing '0.audit' (source:'/etc/filebeat/modules.d/gcp.yml.disabled')","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.438+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.newModuleRegistry","file.name":"fileset/modules.go","file.line":135},"message":"Enabled modules/filesets: cylance (protect)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.438+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.NewConnection","file.name":"eslegclient/connection.go","file.line":122},"message":"elasticsearch url: https://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.467+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":179},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.468+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":199},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.476+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":304},"message":"Attempting to connect to Elasticsearch version 8.13.4 (default)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.510+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-cylance-protect-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.545+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.newModuleRegistry","file.name":"fileset/modules.go","file.line":135},"message":"Enabled modules/filesets: elasticsearch (slowlog), elasticsearch (deprecation), elasticsearch (server), elasticsearch (gc), elasticsearch (audit)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.545+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.NewConnection","file.name":"eslegclient/connection.go","file.line":122},"message":"elasticsearch url: https://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.573+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":179},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.573+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":199},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.581+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":304},"message":"Attempting to connect to Elasticsearch version 8.13.4 (default)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.591+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-slowlog-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.594+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-slowlog-pipeline-plaintext","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.597+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-slowlog-pipeline-json","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.600+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-slowlog-pipeline-json-7","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.602+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-slowlog-pipeline-json-8","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.614+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-deprecation-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.616+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-deprecation-pipeline-plaintext","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.618+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-deprecation-pipeline-json","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.621+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-deprecation-pipeline-json-7","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.623+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-deprecation-pipeline-json-8","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.632+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-server-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.634+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-server-pipeline-plaintext","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.637+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-server-pipeline-json","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.640+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-server-pipeline-json-7","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.643+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-server-pipeline-json-8","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.648+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-gc-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.657+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-audit-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.661+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-audit-pipeline-json","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.664+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-elasticsearch-audit-pipeline-plaintext","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.682+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.newModuleRegistry","file.name":"fileset/modules.go","file.line":135},"message":"Enabled modules/filesets: netflow (log)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.683+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.NewConnection","file.name":"eslegclient/connection.go","file.line":122},"message":"elasticsearch url: https://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.716+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":179},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.716+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":199},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.723+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":304},"message":"Attempting to connect to Elasticsearch version 8.13.4 (default)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.735+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-netflow-log-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.751+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.newModuleRegistry","file.name":"fileset/modules.go","file.line":135},"message":"Enabled modules/filesets: okta (system)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.752+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.NewConnection","file.name":"eslegclient/connection.go","file.line":122},"message":"elasticsearch url: https://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.778+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":179},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.778+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":199},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.787+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":304},"message":"Attempting to connect to Elasticsearch version 8.13.4 (default)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.800+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-okta-system-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.818+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.newModuleRegistry","file.name":"fileset/modules.go","file.line":135},"message":"Enabled modules/filesets: redis (slowlog), redis (log)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.818+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.NewConnection","file.name":"eslegclient/connection.go","file.line":122},"message":"elasticsearch url: https://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.846+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":179},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.846+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":199},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.855+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":304},"message":"Attempting to connect to Elasticsearch version 8.13.4 (default)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.860+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-redis-slowlog-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.864+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-redis-log-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.887+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.newModuleRegistry","file.name":"fileset/modules.go","file.line":135},"message":"Enabled modules/filesets: system (syslog), system (auth)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.888+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.NewConnection","file.name":"eslegclient/connection.go","file.line":122},"message":"elasticsearch url: https://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.919+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":179},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.919+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":199},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.928+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":304},"message":"Attempting to connect to Elasticsearch version 8.13.4 (default)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.938+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-system-syslog-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.966+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-system-auth-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.990+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.newModuleRegistry","file.name":"fileset/modules.go","file.line":135},"message":"Enabled modules/filesets: zoom (webhook)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:04.990+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.NewConnection","file.name":"eslegclient/connection.go","file.line":122},"message":"elasticsearch url: https://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.019+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":179},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.019+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":199},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.027+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":304},"message":"Attempting to connect to Elasticsearch version 8.13.4 (default)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.144+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-zoom-webhook-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.146+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-zoom-webhook-account","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.148+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-zoom-webhook-chat_channel","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.150+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-zoom-webhook-chat_message","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.153+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-zoom-webhook-meeting","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.155+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-zoom-webhook-phone","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.157+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-zoom-webhook-recording","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.159+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-zoom-webhook-user","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.162+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-zoom-webhook-webinar","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.164+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-zoom-webhook-zoomroom","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.195+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.newModuleRegistry","file.name":"fileset/modules.go","file.line":135},"message":"Enabled modules/filesets: azure (platformlogs), azure (auditlogs), azure (signinlogs), azure (activitylogs)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.195+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.NewConnection","file.name":"eslegclient/connection.go","file.line":122},"message":"elasticsearch url: https://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.240+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":179},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.240+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":199},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.282+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":304},"message":"Attempting to connect to Elasticsearch version 8.13.4 (default)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.305+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-azure-platformlogs-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.309+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-azure-platformlogs-azure-shared-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.331+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-azure-auditlogs-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.338+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-azure-auditlogs-azure-shared-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.371+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-azure-signinlogs-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.374+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-azure-signinlogs-azure-shared-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.383+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-azure-activitylogs-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.397+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":135},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-8.13.4-azure-activitylogs-azure-shared-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.418+0800","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.newModuleRegistry","file.name":"fileset/modules.go","file.line":135},"message":"Enabled modules/filesets: f5 (bigipafm), f5 (bigipapm)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.418+0800","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.NewConnection","file.name":"eslegclient/connection.go","file.line":122},"message":"elasticsearch url: https://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.441+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":179},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-24T20:47:05.441+0800","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA","file.name":"tlscommon/tls_config.go","file.line":199},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","service.name":"filebeat","ecs.version":"1.6.0"}

Hello, here I set journald's folder as the filebeat input and set /tmp/filebeat as the filebeat output, and I can see that the files under that journald folder are crawled well. So the issue is with choosing elasticsearch as the output: it doesn't properly filter each journald log's content out from the folder. Are there any further steps I could take to pin down the reason?

From the screen you can see that the elasticsearch output only analyzes some files during the filebeat startup stage, then it stops working for the analysis of most journald logs.

Yeah, as mentioned, I do not use journald, so I have no idea why it is not working.

It does not make any sense for it to work with one output, but not with the other, so this suggests an issue in one of your outputs, but there is nothing about it in the logs you shared until now.

I would suggest that you start the configurations again and retrace all the steps, use different index names when using the logstash output and when using the elasticsearch output to discard any mapping issues, and check the logs.
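A small triage over Filebeat's own JSON log lines like the ones pasted above, as an added example that is not part of any post in this thread: it counts entries per level and logger, lists warn/error entries, and picks out lines that mention journald. The sample lines are constructed (the first two shortened from the shape of the thread's lines, the others marked CONSTRUCTED), and matching on the substring `journald` is an assumption about how the input shows up in the logs.

```python
import json
from collections import Counter

# Constructed sample. Lines 1-2 follow the shape of the lines pasted in the
# thread (shortened); lines 3-4 are invented and say so in their message;
# line 5 is a deliberately truncated line, as happens when logs are cut on paste.
SAMPLE_LOG = "\n".join([
    '{"log.level":"info","@timestamp":"2024-05-24T20:47:04.545+0800","log.logger":"esclientleg","message":"elasticsearch url: https://localhost:9200","service.name":"filebeat"}',
    '{"log.level":"info","@timestamp":"2024-05-24T20:47:04.591+0800","log.logger":"modules","message":"Elasticsearch pipeline loaded.","service.name":"filebeat"}',
    '{"log.level":"warn","@timestamp":"2024-05-24T20:47:06.000+0800","log.logger":"constructed.output","message":"CONSTRUCTED: event dropped, mapping conflict","service.name":"filebeat"}',
    '{"log.level":"info","@timestamp":"2024-05-24T20:47:06.100+0800","log.logger":"constructed.input","message":"CONSTRUCTED: journald reader opened one file","service.name":"filebeat"}',
    '{"log.level":"info","@timestamp":"2024-05-24T20:47:0',
])

# Levels treated as worth reading first.
PROBLEM_LEVELS = {"warn", "warning", "error", "fatal", "panic", "dpanic"}


def triage(text):
    """Summarise NDJSON log text: per-level and per-logger counts,
    warn/error entries, entries mentioning journald, and unparsable lines."""
    report = {
        "levels": Counter(),
        "loggers": Counter(),
        "problems": [],
        "journald": [],
        "unparsed": 0,
    }
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            report["unparsed"] += 1  # truncated or non-JSON line
            continue
        if not isinstance(rec, dict):
            report["unparsed"] += 1
            continue
        level = str(rec.get("log.level", "unknown")).lower()
        logger = str(rec.get("log.logger", "unknown"))
        message = str(rec.get("message", ""))
        entry = (rec.get("@timestamp", ""), level, logger, message)
        report["levels"][level] += 1
        report["loggers"][logger] += 1
        if level in PROBLEM_LEVELS:
            report["problems"].append(entry)
        # Assumption: anything about the journald input names it in the
        # logger or the message text.
        if "journald" in (logger + " " + message).lower():
            report["journald"].append(entry)
    return report


def verdict(report):
    """Say what the excerpt can and cannot tell you."""
    if report["problems"]:
        return "problems-logged"
    if not report["journald"]:
        # Only startup/setup noise: the excerpt carries no evidence about
        # the input either way, so a longer or more verbose log is needed.
        return "no-input-evidence"
    return "input-seen-no-errors"


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("levels:", dict(r["levels"]))
    print("loggers:", dict(r["loggers"]))
    print("unparsed lines:", r["unparsed"])
    for ts, level, logger, message in r["problems"]:
        print("PROBLEM", ts, level, logger, message)
    for ts, level, logger, message in r["journald"]:
        print("JOURNALD", ts, level, logger, message)
    print("verdict:", verdict(r))
```

Run over a full log file, a `no-input-evidence` result means the excerpt is only setup output and says nothing about whether the journald files were opened.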