Can't ship logs with filebeat to logstash

elk6 · July 17, 2020, 8:22am

I'm trying to make filebeat send log to logstash on another machine and I just can't get it to work. This is the filebeat.yml configuration:

https://pastebin.com/8a2RtGBa (Using pastebin because of character limit)

This is the configuration on the machine that has logstash:

[root@ELK ~]$ cat /etc/logstash/conf.d/testing.conf 
input{
file{
path => "/var/log/commands.log"
}
beats{
port => 5044
}
}
filter {
if [path] == "/var/log/commands.log" {
grok{
match => { "message" => "\[(%{TIMESTAMP_ISO8601:sys_timestamp})\]\s(?<field1>[0-9a-zA-Z_-]+)\s(?<field2>[0-9a-zA-Z_-]+)\:USER=(?<field3>[0-9a-zA-Z_-]+)\sPWD=(?<field4>[0-9a-zA-Z_/-]+)\sPID=\[(?<field5>[0-9]+)\]\sCMD=\"(?<field6>.*)\"\sExit=\[(?<field7>[0-9]+)\]\sCONNECTION=(?<field8>.*)"
}
}
}
}
output{
elasticsearch { hosts => ["localhost:9200"]}
}

This is what I get if I try setting filebeat with "filebeat setup -e":

[root@server150 ~]# filebeat setup -e
2020-07-17T08:12:36.199Z        INFO    instance/beat.go:647    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2020-07-17T08:12:36.200Z        INFO    instance/beat.go:655    Beat ID: aa84fd5b-d016-4688-a4a1-172dbcf2054a
2020-07-17T08:12:36.202Z        INFO    [beat]  instance/beat.go:983    Beat info       {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "aa84fd5b-d016-4688-a4a1-172dbcf2054a"}}}
2020-07-17T08:12:36.203Z        INFO    [beat]  instance/beat.go:992    Build info      {"system_info": {"build": {"commit": "f79387d32717d79f689d94fda1ec80b2cf285d30", "libbeat": "7.8.0", "time": "2020-06-14T18:15:37.000Z", "version": "7.8.0"}}}
2020-07-17T08:12:36.203Z        INFO    [beat]  instance/beat.go:995    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.13.10"}}}
2020-07-17T08:12:36.204Z        INFO    [beat]  instance/beat.go:999    Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-07-09T11:44:16Z","containerized":false,"name":"server150","ip":["127.0.0.1/8","*ip-of-thismachine*/25"],"kernel_version":"3.10.0-1062.18.1.el7.x86_64","mac":["00:0c:29:e5:a1:fa"],"os":{"family":"redhat","platform":"centos","name":"CentOS Linux","version":"7 (Core)","major":7,"minor":8,"patch":2003,"codename":"Core"},"timezone":"UTC","timezone_offset_sec":0,"id":"3eec437c66d444a59ef5f075a429441d"}}}
2020-07-17T08:12:36.204Z        INFO    [beat]  instance/beat.go:1028   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"ambient":null}, "cwd": "/root", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 12559, "ppid": 11800, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2020-07-17T08:12:35.340Z"}}}
2020-07-17T08:12:36.204Z        INFO    instance/beat.go:310    Setup Beat: filebeat; Version: 7.8.0
2020-07-17T08:12:36.205Z        INFO    [publisher]     pipeline/module.go:113  Beat name: server150
2020-07-17T08:12:36.206Z        WARN    beater/filebeat.go:156  Filebeat is unable to load the Ingest Node pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the Ingest Node pipelines or are using Logstash pipelines, you can ignore this warning.
2020-07-17T08:12:36.206Z        ERROR   instance/beat.go:958    Exiting: Index management requested but the Elasticsearch output is not configured/enabled
Exiting: Index management requested but the Elasticsearch output is not configured/enabled

This is what I get when I try to run filebeat with "filebeat -e":

[root@server150 ~]# filebeat -e
2020-07-17T08:16:47.104Z        INFO    instance/beat.go:647    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2020-07-17T08:16:47.104Z        INFO    instance/beat.go:655    Beat ID: aa84fd5b-d016-4688-a4a1-172dbcf2054a
2020-07-17T08:16:47.107Z        INFO    instance/beat.go:404    filebeat stopped.
2020-07-17T08:16:47.107Z        ERROR   instance/beat.go:958    Exiting: data path already locked by another beat. Please make sure that multiple beats are not sharing the same data path (path.data).
Exiting: data path already locked by another beat. Please make sure that multiple beats are not sharing the same data path (path.data).

Does anyone knows what's going on? I just can't get it to work. Huge thanks ahead!

A_Mightiev · July 17, 2020, 8:39am

the "filebeat setup" is not necessary unless you want to install templates and dashboards, and looks like is not configured in your yml file.
the option -e is to run on the background, if you are testing is better to keep it in your main console so you can easily stop it. when you try to run again "filebeat -e" it says another instance is running. try to kill the previous one.

elk6 · July 17, 2020, 8:42am

Thanks for the response. I've put the config of filebeat.yml in the pastebin file at the top. It wouldnt let met put it here since it's too long.

I did a quick

 ps -ef | grep filebeat
 kill (both results)
 systemctl restart filebeat
 filebeat  -e

and I still get the same response with the path.data

A_Mightiev · July 17, 2020, 8:52am

If you really want to use "setup" you must have a connection to elasticsearch, but in your yml file you are partially commenting it out:

    #output.elasticsearch:
      # Array of hosts to connect to.
      enabled: false

I would say is confusing for filebeat to read it. so remove that last line as well or enable the connection to elasticsearch, and disable logstash. only one connection should be allowed.

Since you are starting-testing, I would suggest to not use setup, and connect directly to logstash.
To reset the data transfer you need to delete the registry in /var/lib/filebeat/

 ps -ef | grep filebeat
 kill (both results)
 systemctl restart filebeat
 filebeat

elk6 · July 17, 2020, 8:53am

My bad! I don't want the setup, I acidentally put it here, on the machine, I've just put filebeat -e

elk6 · July 17, 2020, 8:56am

Should I do:

rm -rf /var/lib/filebeat/*
ps -ef | grep filebeat
kill whatever
systemctl restart filebeat
filebeat

?

A_Mightiev · July 17, 2020, 9:12am

oh yes I see, only one of the two

systemctl restart filebeat
filebeat

if you chose systemctl restart filebeat, it will run as daemon
if you chose filebeat it will run on your console.

only chose one.

elk6 · July 17, 2020, 9:17am

I noticed that when I restart filebeat, data.json loses permissions (not sure if that’s the problem since it worked before):

[root@server150 ~]# ll /var/lib/filebeat/registry/filebeat/
total 8
-rw------- 1 root root 623 Jul 17 09:13 data.json
-rwxrwxrwx 1 root root  16 Jul 13 11:01 meta.json
[root@server150 ~]# chmod 777 /var/lib/filebeat/registry/filebeat/*
[root@server150 ~]# ll /var/lib/filebeat/registry/filebeat/
total 8
-rwxrwxrwx 1 root root 623 Jul 17 09:13 data.json
-rwxrwxrwx 1 root root  16 Jul 13 11:01 meta.json
[root@server150 ~]# systemctl restart filebeat
[root@server150 ~]# ll /var/lib/filebeat/registry/filebeat/
total 8
-rw------- 1 root root 623 Jul 17 09:14 data.json
-rwxrwxrwx 1 root root  16 Jul 13 11:01 meta.json

elk6 · July 17, 2020, 1:18pm

Even after removing the registry directory recursivly, restarting filebeat I get the data.path error.

A_Mightiev · July 17, 2020, 1:29pm

Can you provide the tail of the logs
it should be in
/var/log/filebeat

elk6 · July 17, 2020, 1:43pm

There were multiple files so I printed them all with spaces in between. I couldn't find anything special in there

https://pastebin.com/ttQimSUu

system · August 14, 2020, 3:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.