Configuring Permissions and Index in elastic-agent.yml

Hello,

I have a test agent that successfully sends host metrics to ELK.

However, it is not able to send logs as well.

elastic-agent.yml:

# Policy id/revision and the single "default" Elasticsearch output that the
# inputs and agent monitoring in this file refer to via `use_output: default`.
id: b77b2ba4-ce32-40ae-8d6c-5595a53134ca
revision: 2
outputs:
  default:
    type: elasticsearch
    hosts:
      - https://172.30.68.64:9200
    # Trust anchor for the HTTPS connection: the agent looks for a CA certificate
    # matching this fingerprint (value partly masked with x's in the post). The
    # log lines later in the thread report that a matching CA was found.
    ssl.ca_trusted_fingerprint: 3c10deb6c57f5fda966abceecb9510f1b24ce19653586d0554axxxxxxxxxxxxxxx
    # Clear-text credential in `id:key` form. Elasticsearch authorizes writes by
    # the privileges attached to this key, so keep the file readable only by the
    # agent's service account; the id and the start of the key are visible in
    # this post, so treat the key as disclosed.
    # NOTE(review): the opening single quote is never closed (probably lost when
    # the key was masked); as pasted, this line is not valid YAML.
    api_key: '9eVPepgBAcLwyka50jID:KmE2dPQ7-xxxxxxxxxxxx  
    preset: balanced
# Index and cluster privileges listed for the "default" output.
# Every index entry grants only `auto_configure` (lets a matching index or data
# stream be created automatically on first write) and `create_doc` (append new
# documents; no update or delete), i.e. a write-only, least-privilege profile.
# All names are `logs-elastic_agent*` / `metrics-elastic_agent.*` streams in the
# `default` namespace, grouped under `_elastic_agent_monitoring`.
# NOTE(review): nothing here covers `metrics-system.*`, yet the thread reports
# the system metrics arriving, so this list alone apparently does not decide
# what the agent may write - verify the privileges of the API key itself.
output_permissions:
  default:
    _elastic_agent_monitoring:
      indices:
        - names:
            - logs-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.cloud_defend-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.cloudbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.cloudbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.filebeat_input-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.filebeat_input-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.pf_elastic_collector-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.pf_elastic_symbolizer-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.pf_host_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.status_change-default
          privileges:
            - auto_configure
            - create_doc
    # Cluster-level privilege: `monitor` is read-only cluster information.
    _elastic_agent_checks:
      cluster:
        - monitor
# Agent-level settings: where component artifacts are downloaded from and how
# the agent reports on itself.
agent:
  download:
    # Artifact source is fetched over HTTPS.
    sourceURI: https://artifacts.elastic.co/downloads/
  # Self-monitoring is on for logs, metrics and traces and is shipped through
  # the same `default` output (and therefore the same API key) as the inputs.
  # `namespace: default` matches the `-default` suffix of the monitoring stream
  # names listed under output_permissions.
  monitoring:
    enabled: true
    use_output: default
    logs: true
    metrics: true
    traces: true
    namespace: default
  features: {}
# The one input declared under `inputs:`: system metrics (cpu, memory, network,
# filesystem, process) sent through the `default` output.
# NOTE(review): `id` and `data_stream.namespace` are indented five spaces while
# their siblings `use_output` and `streams` use four; as pasted this does not
# parse. The thread says these metrics arrive, so this is presumably a paste
# artifact - confirm against the file on disk.
# NOTE(review): the last stream (process) has no `data_stream.dataset` line,
# unlike the four before it; it may have been cut off when pasting.
inputs: 
  - type: system/metrics
     id: unique-system-metrics-input
     data_stream.namespace: default
    use_output: default
    streams:
      - metricsets:
        - cpu
        data_stream.dataset: system.cpu
      - metricsets:
        - memory
        data_stream.dataset: system.memory
      - metricsets:
        - network
        data_stream.dataset: system.network
      - metricsets:
        - filesystem
        data_stream.dataset: system.filesystem
      - metricsets:
        - process
# Log collection as posted: one filestream input over syslog, every *.log file
# directly under /var/log, and the Jira audit log directory.
# NOTE(review): `filebeat.inputs` is the top-level key of a standalone
# filebeat.yml. The input that works in this file sits under `inputs:`, and
# this one carries no `use_output` or `data_stream.*` settings. In the agent
# log excerpt shown later in the thread, the only Filebeat component is
# `filestream-monitoring`, so this input may not be started at all - confirm
# whether it has to be declared as an entry under `inputs:` instead.
# The agent's service account needs read access to every path listed; grant it
# on the audit directory specifically rather than widening the agent's rights.
filebeat.inputs:
- type: filestream
  id: cisb-jira-test
  paths:
    - /var/log/messages
    - /var/log/*.log
    - /var/atlassian/application-data/jira/log/audit/*.log
# No secret references are defined; `default` is the only namespace listed.
secret_references: []
namespaces:
  - default

these metrics arrive in ELK:

 # Excerpt of the system/metrics input's streams that the poster reports as
 # arriving in Elasticsearch. The process stream is shown without a
 # `data_stream.dataset` line, as in the full file above.
 streams:
      - metricsets:
        - cpu
        data_stream.dataset: system.cpu
      - metricsets:
        - memory
        data_stream.dataset: system.memory
      - metricsets:
        - network
        data_stream.dataset: system.network
      - metricsets:
        - filesystem
        data_stream.dataset: system.filesystem
      - metricsets:
        - process

These don't:

# Excerpt of the log input whose events are reported as not arriving.
# NOTE(review): it is keyed as `filebeat.inputs` (Filebeat's own config key)
# and sets neither an output nor a data stream - check that the agent actually
# loads it before changing any index permissions.
filebeat.inputs:
- type: filestream
  id: cisb-jira-test
  paths:
    - /var/log/messages
    - /var/log/*.log
    - /var/atlassian/application-data/jira/log/audit/*.log

I assume that I have to set an index and permissions for the Filebeat logs as well:

Example:

# Poster's proposed change: keep an existing monitoring entry and add one for
# the Jira audit logs with the same two write-only privileges.
# `auto_configure` is the privilege that lets a matching index or data stream
# be created automatically on first write; `create_doc` only appends documents.
# NOTE(review): the new name ends in `_default` (underscore), whereas every
# entry in the posted policy ends in `-default`, so it does not follow the
# same <type>-<dataset>-<namespace> pattern - confirm the intended name.
# NOTE(review): the entry is placed under `_elastic_agent_monitoring`, which by
# its name groups the agent's own monitoring streams; whether user log streams
# belong here is not established in the thread.
output_permissions:
  default:
    _elastic_agent_monitoring:
      indices:
        # existing index
        - names:
            - logs-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        # new Atlassian-Audit-Logs-index
        - names:
            - logs-elastic_agent.jira_audit_default
          privileges:
            - auto_configure
            - create_doc

Am I right in thinking that the new index "logs-elastic_agent.jira_audit_default" has to be created in Kibana in advance, or would the agent create it automatically with the new data?

Thank you very much for a short confirmation!

Best regards

EI

Hello @Elasticisti

Can we check the Filebeat logs to see if there are any errors?

Since metrics data is sent and logs data is not, maybe we should review whether the proper file permissions are in place for elastic-agent to read the files/paths.

If they are, then as a test we can add the data_stream.dataset and data_stream.namespace parameters and see what the outcome is.

# Suggested test: the same filestream input with an explicit dataset and
# namespace added.
# NOTE(review): with dataset `jira.audit` and namespace `default`, events would
# be expected to target a data stream named `logs-jira.audit-default`, assuming
# the default type `logs` - confirm. The API key then needs `auto_configure`
# and `create_doc` on that name, not on a `logs-elastic_agent.*` name.
# NOTE(review): the block is still keyed as `filebeat.inputs`; the working
# metrics input in the posted file is declared under `inputs:`.
filebeat.inputs:
- type: filestream
  id: cisb-jira-test
  paths:
    - /var/log/messages
    - /var/log/*.log
    - /var/atlassian/application-data/jira/log/audit/*.log
  data_stream.dataset: jira.audit
  data_stream.namespace: default

If the issue still persists after this, then we will have to review the logs in detail to find the exact cause.

Thanks!!

Hi,

Please find some logs enclosed:

{"log.level":"info","@timestamp":"2025-08-06T15:06:21.264+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:21.264+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:26.806+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"tls","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:26.807+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:29.357+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:29.357+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:29.548+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:29.548+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:31.256+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:31.257+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:41.427+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:41.427+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:42.815+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:42.815+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"tls","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:48.231+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.origin":{"file.line":192,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"filebeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":477200384}}}},"cpu":{"system":{"ticks":41470,"time":{"ms":10}},"total":{"ticks":144820,"time":{"ms":50},"value":144820},"user":{"ticks":103350,"time":{"ms":40}}},"handles":{"limit":{"hard":524288,"soft":524287},"open":14},"info":{"ephemeral_id":"79cdeea4-501b-44d6-83bd-6070ae0fc2ad","uptime":{"ms":82530135},"version":"9.1.0"},"memstats":{"gc_next":81306138,"memory_alloc":44428112,"memory_total":5917061144,"rss":90279936},"runtime":{"goroutines":53}},"filebeat":{"events":{"active":4,"added":18,"done":18},"harvester":{"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":1}},"output":{"events":{"acked":6,"active":0,"batches":2,"total":6},"read":{"bytes":456,"errors":2},"write":{"bytes":3625,"latency":{"histogram":{"count":5156,"max":111,"mean":34.7685546875,"median":34,"min":22,"p75":36,"p95":42.75,"p99":54,"p999":110.62500000000034,"stddev":5.65496769485218}}}},"pipeline":{"clients":1,"events":{"active":2,"filtered":12,"published":6,"total":18},"queue":{"acked":6,"added":{"bytes":9693,"events":6},"consumed":{"bytes":9693,"events":6},"filled":{"bytes":3231,"events":2,"pct":0.000625},"max_bytes":0,"max_events":3200,"removed":{"bytes":9693,"events":6}}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.04,"15":0.08,"5":0.07,"norm":{"1":0.01,"15":0.02,"5":0.0175}}}}},"log.logger":"monitoring","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:48.276+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"log.origin":{"file.line":192,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":477462528}}}},"cpu":{"system":{"ticks":23810,"time":{"ms":10}},"total":{"ticks":83750,"time":{"ms":60},"value":83750},"user":{"ticks":59940,"time":{"ms":50}}},"handles":{"limit":{"hard":524288,"soft":524287},"open":15},"info":{"ephemeral_id":"ec4c98db-f3bb-4364-8f9c-f4224f3b1b0e","uptime":{"ms":82530179},"version":"9.1.0"},"memstats":{"gc_next":82004954,"memory_alloc":37374680,"memory_total":2642983312,"rss":72843264},"runtime":{"goroutines":57}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":4}},"output":{"events":{"acked":4,"active":0,"batches":1,"total":4},"read":{"bytes":254,"errors":1},"write":{"bytes":3818,"latency":{"histogram":{"count":1376,"max":173,"mean":39.4384765625,"median":37,"min":26,"p75":41,"p95":52,"p99":76.5,"p999":172.17500000000075,"stddev":9.467260816447288}}}},"pipeline":{"clients":4,"events":{"active":0,"published":4,"total":4},"queue":{"acked":4,"added":{"bytes":11559,"events":4},"consumed":{"bytes":11559,"events":4},"filled":{"bytes":0,"events":0,"pct":0},"max_bytes":0,"max_events":3200,"removed":{"bytes":11559,"events":4}}}},"metricbeat":{"beat":{"stats":{"events":4,"success":4}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.04,"15":0.08,"5":0.07,"norm":{"1":0.01,"15":0.02,"5":0.0175}}}}},"log.logger":"monitoring","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:48.282+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":477462528}}}},"cpu":{"system":{"ticks":695710,"time":{"ms":260}},"total":{"ticks":1731220,"time":{"ms":670},"value":1731220},"user":{"ticks":1035510,"time":{"ms":410}}},"handles":{"limit":{"hard":524288,"soft":524287},"open":11},"info":{"ephemeral_id":"2cd5a5ed-6cf7-4037-bac8-8ae1e18636b0","uptime":{"ms":82530152},"version":"9.1.0"},"memstats":{"gc_next":92205050,"memory_alloc":43984256,"memory_total":178755899128,"rss":122703872},"runtime":{"goroutines":53}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":5}},"output":{"events":{"acked":937,"active":0,"batches":3,"total":937},"read":{"bytes":24818,"errors":3},"write":{"bytes":213516,"latency":{"histogram":{"count":7601,"max":191,"mean":71.72265625,"median":70,"min":35,"p75":78,"p95":99,"p99":122.75,"p999":190.8750000000001,"stddev":15.284260771111436}}}},"pipeline":{"clients":5,"events":{"active":261,"published":908,"total":908},"queue":{"acked":937,"added":{"bytes":1743683,"events":908},"consumed":{"bytes":1780193,"events":937},"filled":{"bytes":517263,"events":261,"pct":0.0815625},"max_bytes":0,"max_events":3200,"removed":{"bytes":1780193,"events":937}}}},"metricbeat":{"system":{"cpu":{"events":3,"success":3},"filesystem":{"events":9,"success":9},"memory":{"events":3,"success":3},"network":{"events":9,"success":9},"process":{"events":884,"success":884}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.04,"15":0.08,"5":0.07,"norm":{"1":0.01,"15":0.02,"5":0.0175}}}}},"log.logger":"monitoring","log.origin":{"file.line":192,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/
libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:48.485+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":477478912}}}},"cpu":{"system":{"ticks":24410,"time":{"ms":10}},"total":{"ticks":86110,"time":{"ms":60},"value":86110},"user":{"ticks":61700,"time":{"ms":50}}},"handles":{"limit":{"hard":524288,"soft":524287},"open":17},"info":{"ephemeral_id":"1540a3d6-11cf-4b17-a6eb-6fb064e83986","uptime":{"ms":82530118},"version":"9.1.0"},"memstats":{"gc_next":82669578,"memory_alloc":37601416,"memory_total":2776061880,"rss":75771904},"runtime":{"goroutines":69}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":6}},"output":{"events":{"acked":6,"active":0,"batches":1,"total":6},"read":{"bytes":306,"errors":1},"write":{"bytes":2730,"latency":{"histogram":{"count":1376,"max":141,"mean":37.4609375,"median":36,"min":11,"p75":39,"p95":46,"p99":62,"p999":139.95000000000095,"stddev":6.661928145896933}}}},"pipeline":{"clients":6,"events":{"active":0,"published":6,"total":6},"queue":{"acked":6,"added":{"bytes":9518,"events":6},"consumed":{"bytes":9518,"events":6},"filled":{"bytes":0,"events":0,"pct":0},"max_bytes":0,"max_events":3200,"removed":{"bytes":9518,"events":6}}}},"metricbeat":{"http":{"json":{"events":6,"success":6}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.04,"15":0.08,"5":0.07,"norm":{"1":0.01,"15":0.02,"5":0.0175}}}}},"log.logger":"monitoring","log.origin":{"file.line":192,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:51.415+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:51.415+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:56.820+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:06:56.820+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:01.440+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:01.440+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:11.434+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:11.434+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:12.824+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:12.824+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:18.234+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.logger":"monitoring","log.origin":{"file.line":192,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"filebeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":476790784}}}},"cpu":{"system":{"ticks":41490,"time":{"ms":20}},"total":{"ticks":144900,"time":{"ms":80},"value":144900},"user":{"ticks":103410,"time":{"ms":60}}},"handles":{"limit":{"hard":524288,"soft":524287},"open":14},"info":{"ephemeral_id":"79cdeea4-501b-44d6-83bd-6070ae0fc2ad","uptime":{"ms":82560142},"version":"9.1.0"},"memstats":{"gc_next":81317754,"memory_alloc":37168192,"memory_total":5918494080,"rss":90279936},"runtime":{"goroutines":53}},"filebeat":{"events":{"active":4,"added":14,"done":14},"harvester":{"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":1}},"output":{"events":{"acked":6,"active":0,"batches":2,"total":6},"read":{"bytes":456,"errors":2},"write":{"bytes":3551,"latency":{"histogram":{"count":5158,"max":111,"mean":34.7744140625,"median":34,"min":22,"p75":36,"p95":42.75,"p99":54,"p999":110.62500000000034,"stddev":5.654168267508692}}}},"pipeline":{"clients":1,"events":{"active":2,"filtered":8,"published":6,"total":14},"queue":{"acked":6,"added":{"bytes":9693,"events":6},"consumed":{"bytes":9693,"events":6},"filled":{"bytes":3231,"events":2,"pct":0.000625},"max_bytes":0,"max_events":3200,"removed":{"bytes":9693,"events":6}}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.02,"15":0.08,"5":0.06,"norm":{"1":0.005,"15":0.02,"5":0.015}}}}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:18.276+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"log.logger":"monitoring","log.origin":{"file.line":192,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":477052928}}}},"cpu":{"system":{"ticks":23820,"time":{"ms":10}},"total":{"ticks":83770,"time":{"ms":20},"value":83770},"user":{"ticks":59950,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524287},"open":15},"info":{"ephemeral_id":"ec4c98db-f3bb-4364-8f9c-f4224f3b1b0e","uptime":{"ms":82560184},"version":"9.1.0"},"memstats":{"gc_next":82004954,"memory_alloc":37631872,"memory_total":2643240504,"rss":72843264},"runtime":{"goroutines":57}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":4}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":1376,"max":173,"mean":39.4384765625,"median":37,"min":26,"p75":41,"p95":52,"p99":76.5,"p999":172.17500000000075,"stddev":9.467260816447288}}}},"pipeline":{"clients":4,"events":{"active":0},"queue":{"filled":{"bytes":0,"events":0,"pct":0},"max_bytes":0,"max_events":3200}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.02,"15":0.08,"5":0.06,"norm":{"1":0.005,"15":0.02,"5":0.015}}}}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:18.279+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":477315072}}}},"cpu":{"system":{"ticks":695970,"time":{"ms":260}},"total":{"ticks":1731860,"time":{"ms":640},"value":1731860},"user":{"ticks":1035890,"time":{"ms":380}}},"handles":{"limit":{"hard":524288,"soft":524287},"open":11},"info":{"ephemeral_id":"2cd5a5ed-6cf7-4037-bac8-8ae1e18636b0","uptime":{"ms":82560148},"version":"9.1.0"},"memstats":{"gc_next":92689290,"memory_alloc":67219488,"memory_total":178823742296,"rss":122703872},"runtime":{"goroutines":53}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":5}},"output":{"events":{"acked":935,"active":0,"batches":3,"total":935},"read":{"bytes":24766,"errors":3},"write":{"bytes":214973,"latency":{"histogram":{"count":7604,"max":191,"mean":71.72265625,"median":70,"min":35,"p75":78,"p95":99,"p99":122.75,"p999":190.8750000000001,"stddev":15.284260771111436}}}},"pipeline":{"clients":5,"events":{"active":232,"published":906,"total":906},"queue":{"acked":935,"added":{"bytes":1735589,"events":906},"consumed":{"bytes":1782648,"events":935},"filled":{"bytes":470204,"events":232,"pct":0.0725},"max_bytes":0,"max_events":3200,"removed":{"bytes":1782648,"events":935}}}},"metricbeat":{"system":{"cpu":{"events":3,"success":3},"filesystem":{"events":9,"success":9},"memory":{"events":3,"success":3},"network":{"events":9,"success":9},"process":{"events":882,"success":882}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.02,"15":0.08,"5":0.06,"norm":{"1":0.005,"15":0.02,"5":0.015}}}}},"log.logger":"monitoring","log.origin":{"file.line":192,"file.name":"log/log.go","function":"git
hub.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:18.484+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"log.origin":{"file.line":192,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":477315072}}}},"cpu":{"system":{"ticks":24420,"time":{"ms":10}},"total":{"ticks":86130,"time":{"ms":20},"value":86130},"user":{"ticks":61710,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524287},"open":17},"info":{"ephemeral_id":"1540a3d6-11cf-4b17-a6eb-6fb064e83986","uptime":{"ms":82560116},"version":"9.1.0"},"memstats":{"gc_next":82669578,"memory_alloc":37982664,"memory_total":2776443128,"rss":75771904},"runtime":{"goroutines":69}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":6}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":1376,"max":141,"mean":37.4609375,"median":36,"min":11,"p75":39,"p95":46,"p99":62,"p999":139.95000000000095,"stddev":6.661928145896933}}}},"pipeline":{"clients":6,"events":{"active":0},"queue":{"filled":{"bytes":0,"events":0,"pct":0},"max_bytes":0,"max_events":3200}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.02,"15":0.08,"5":0.06,"norm":{"1":0.005,"15":0.02,"5":0.015}}}}},"log.logger":"monitoring","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:21.445+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:21.445+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:26.828+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:26.829+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"tls","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:29.348+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:29.348+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:29.547+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:29.547+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:31.439+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:31.440+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:41.437+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:41.438+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:42.837+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:42.837+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:48.231+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.logger":"monitoring","log.origin":{"file.line":192,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"filebeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":477818880}}}},"cpu":{"system":{"ticks":41510,"time":{"ms":20}},"total":{"ticks":144960,"time":{"ms":60},"value":144960},"user":{"ticks":103450,"time":{"ms":40}}},"handles":{"limit":{"hard":524288,"soft":524287},"open":14},"info":{"ephemeral_id":"79cdeea4-501b-44d6-83bd-6070ae0fc2ad","uptime":{"ms":82590135},"version":"9.1.0"},"memstats":{"gc_next":81317754,"memory_alloc":40088632,"memory_total":5921414520,"rss":90279936},"runtime":{"goroutines":53}},"filebeat":{"events":{"active":4,"added":18,"done":18},"harvester":{"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":1}},"output":{"events":{"acked":6,"active":0,"batches":2,"total":6},"read":{"bytes":456,"errors":2},"write":{"bytes":3588,"latency":{"histogram":{"count":5160,"max":111,"mean":34.77734375,"median":34,"min":22,"p75":36,"p95":42.75,"p99":54,"p999":110.62500000000034,"stddev":5.652988905821056}}}},"pipeline":{"clients":1,"events":{"active":2,"filtered":12,"published":6,"total":18},"queue":{"acked":6,"added":{"bytes":9693,"events":6},"consumed":{"bytes":9693,"events":6},"filled":{"bytes":3231,"events":2,"pct":0.000625},"max_bytes":0,"max_events":3200,"removed":{"bytes":9693,"events":6}}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.01,"15":0.07,"5":0.05,"norm":{"1":0.0025,"15":0.0175,"5":0.0125}}}}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:48.276+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"log.origin":{"file.line":192,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":477556736}}}},"cpu":{"system":{"ticks":23830,"time":{"ms":10}},"total":{"ticks":83800,"time":{"ms":30},"value":83800},"user":{"ticks":59970,"time":{"ms":20}}},"handles":{"limit":{"hard":524288,"soft":524287},"open":15},"info":{"ephemeral_id":"ec4c98db-f3bb-4364-8f9c-f4224f3b1b0e","uptime":{"ms":82590185},"version":"9.1.0"},"memstats":{"gc_next":82004954,"memory_alloc":39233848,"memory_total":2644842480,"rss":72843264},"runtime":{"goroutines":57}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":4}},"output":{"events":{"acked":4,"active":0,"batches":1,"total":4},"read":{"bytes":254,"errors":1},"write":{"bytes":3731,"latency":{"histogram":{"count":1377,"max":173,"mean":39.4345703125,"median":37,"min":26,"p75":41,"p95":52,"p99":76.5,"p999":172.17500000000075,"stddev":9.469503693752575}}}},"pipeline":{"clients":4,"events":{"active":0,"published":4,"total":4},"queue":{"acked":4,"added":{"bytes":11557,"events":4},"consumed":{"bytes":11557,"events":4},"filled":{"bytes":0,"events":0,"pct":0},"max_bytes":0,"max_events":3200,"removed":{"bytes":11557,"events":4}}}},"metricbeat":{"beat":{"stats":{"events":4,"success":4}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.01,"15":0.07,"5":0.05,"norm":{"1":0.0025,"15":0.0175,"5":0.0125}}}}},"log.logger":"monitoring","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:48.279+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"monitoring","log.origin":{"file.line":192,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":477818880}}}},"cpu":{"system":{"ticks":696220,"time":{"ms":250}},"total":{"ticks":1732520,"time":{"ms":660},"value":1732520},"user":{"ticks":1036300,"time":{"ms":410}}},"handles":{"limit":{"hard":524288,"soft":524287},"open":11},"info":{"ephemeral_id":"2cd5a5ed-6cf7-4037-bac8-8ae1e18636b0","uptime":{"ms":82590153},"version":"9.1.0"},"memstats":{"gc_next":94132530,"memory_alloc":44357400,"memory_total":178892281440,"rss":123097088},"runtime":{"goroutines":53}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":5}},"output":{"events":{"acked":1069,"active":0,"batches":3,"total":1069},"read":{"bytes":28250,"errors":3},"write":{"bytes":243789,"latency":{"histogram":{"count":7607,"max":191,"mean":71.72265625,"median":70,"min":35,"p75":78,"p95":99,"p99":122.75,"p999":190.8750000000001,"stddev":15.284260771111436}}}},"pipeline":{"clients":5,"events":{"active":69,"published":906,"total":906},"queue":{"acked":1069,"added":{"bytes":1735635,"events":906},"consumed":{"bytes":2039661,"events":1069},"filled":{"bytes":166178,"events":69,"pct":0.0215625},"max_bytes":0,"max_events":3200,"removed":{"bytes":2039661,"events":1069}}}},"metricbeat":{"system":{"cpu":{"events":3,"success":3},"filesystem":{"events":9,"success":9},"memory":{"events":3,"success":3},"network":{"events":9,"success":9},"process":{"events":882,"success":882}}},"registrar":{"states":{"current":0}},"s
ystem":{"load":{"1":0.01,"15":0.07,"5":0.05,"norm":{"1":0.0025,"15":0.0175,"5":0.0125}}}}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:48.484+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"log.logger":"monitoring","log.origin":{"file.line":192,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":477560832}}}},"cpu":{"system":{"ticks":24430,"time":{"ms":10}},"total":{"ticks":86170,"time":{"ms":40},"value":86170},"user":{"ticks":61740,"time":{"ms":30}}},"handles":{"limit":{"hard":524288,"soft":524287},"open":17},"info":{"ephemeral_id":"1540a3d6-11cf-4b17-a6eb-6fb064e83986","uptime":{"ms":82590121},"version":"9.1.0"},"memstats":{"gc_next":82669578,"memory_alloc":39764976,"memory_total":2778225440,"rss":75771904},"runtime":{"goroutines":69}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":6}},"output":{"events":{"acked":6,"active":0,"batches":1,"total":6},"read":{"bytes":306,"errors":1},"write":{"bytes":2758,"latency":{"histogram":{"count":1377,"max":141,"mean":37.4619140625,"median":36,"min":11,"p75":39,"p95":46,"p99":62,"p999":139.95000000000095,"stddev":6.661347420857491}}}},"pipeline":{"clients":6,"events":{"active":0,"published":6,"total":6},"queue":{"acked":6,"added":{"bytes":9515,"events":6},"consumed":{"bytes":9515,"events":6},"filled":{"bytes":0,"events":0,"pct":0},"max_bytes":0,"max_events":3200,"removed":{"bytes":9515,"events":6}}}},"metricbeat":{"http":{"json":{"events":6,"success":6}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.01,"15":0.07,"5":0.05,"norm":{"1":0.0025,"15":0.0175,"5":0.0125}}}}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:51.434+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:51.434+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:56.837+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:07:56.837+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:08:01.437+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":180,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-06T15:08:01.437+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":207,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}

I have changed the Agent-Config and restarted everything:


# Policy identity, followed by the single Elasticsearch output that the inputs
# and the agent's self-monitoring below refer to as `default`.
id: b77b2ba4-ce32-40ae-8d6c-5595a53134ca
revision: 2
outputs:
  default:
    type: elasticsearch
    hosts:
      - https://172.30.68.64:9200
    # Trust anchor for the TLS connection, given as a CA certificate
    # fingerprint (tail masked by the poster).
    ssl.ca_trusted_fingerprint: 3c10deb6c57f5fda966abceecb9510f1b24ce19653586dxxxxxxxxxxxxxxxxxxxx
    # NOTE(review): only the part after the colon is masked; the part before it
    # appears to be posted in full. Treat a key pasted in public as exposed and
    # rotate it.
    # NOTE(review): Elasticsearch authorises writes by the privileges attached
    # to this key - confirm they cover the log data stream as well as metrics.
    api_key: '9eVPepgBAcLwyka50jID:KmE2dxxxxxxxxxxxxxxx'
    preset: balanced
# Index privileges listed for the `default` output. Every entry grants only
# auto_configure and create_doc, i.e. write-side privileges with no read access.
# All names except the last follow <type>-elastic_agent.<component>-default.
# NOTE(review): no entry names a metrics-system.* stream, yet the agent logs
# show system metrics being acked, so this section is presumably not what
# authorises writes for this agent - the API key's own privileges are; confirm.
output_permissions:
  default:
    _elastic_agent_monitoring:
      indices:
        - names:
            - logs-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.cloud_defend-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.cloudbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.cloudbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.filebeat_input-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.filebeat_input-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.pf_elastic_collector-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.pf_elastic_symbolizer-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.pf_host_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.status_change-default
          privileges:
            - auto_configure
            - create_doc
        # NOTE(review): this name ends in `_default`, where every entry above
        # ends in `-default`, and it sits under the agent's own monitoring
        # prefix. The log input below sets dataset `jira.audit` and namespace
        # `default`; under the <type>-<dataset>-<namespace> scheme that would
        # presumably be `logs-jira.audit-default`, which this entry does not
        # match - confirm the target name before granting anything.
        - names:
            - logs-elastic_agent.jira_audit_default
          privileges:
            - auto_configure
            - create_doc
    # Cluster-level privilege listed for the agent's checks: `monitor` only.
    _elastic_agent_checks:
      cluster:
        - monitor
# Agent-level settings: where upgrade artifacts are downloaded from, and the
# agent's self-monitoring.
agent:
  download:
    sourceURI: https://artifacts.elastic.co/downloads/
  # Self-monitoring is enabled and sent through the `default` output; logs,
  # metrics and traces are all switched on, in namespace `default`.
  monitoring:
    enabled: true
    use_output: default
    logs: true
    metrics: true
    traces: true
    namespace: default
  # No feature flags are set.
  features: {}
# Inputs run by the agent. Only one entry is declared here: system metrics.
# NOTE(review): there is no log-collecting entry in this list; the Jira audit
# log is declared further down under a separate `filebeat.inputs` key.
inputs: 
  # Collecting system metrics
  - type: system/metrics
    # Each input must have a unique ID.
    id: unique-system-metrics-input
    # Namespace name must conform to the naming conventions for Elasticsearch indices, cannot contain dashes (-), and cannot exceed 100 bytes
    # For index naming restrictions, see https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params
    data_stream.namespace: default
    use_output: default
    # One stream per metricset, each routed to its own system.* dataset.
    streams:
      - metricsets:
        - cpu
        # Dataset name must conform to the naming conventions for Elasticsearch indices, cannot contain dashes (-), and cannot exceed 100 bytes
        data_stream.dataset: system.cpu
      - metricsets:
        - memory
        data_stream.dataset: system.memory
      - metricsets:
        - network
        data_stream.dataset: system.network
      - metricsets:
        - filesystem
        data_stream.dataset: system.filesystem
      # NOTE(review): unlike the four streams above, this one sets no
      # data_stream.dataset; the paste may be truncated - confirm which
      # dataset the process metrics land in.
      - metricsets:
        - process
# Filestream input for the Jira audit log, targeting dataset `jira.audit` in
# namespace `default`.
# NOTE(review): `filebeat.inputs` is the top-level key of a standalone Filebeat
# configuration. In an elastic-agent policy, inputs are entries of the `inputs:`
# list (type, id, and `streams` carrying `paths` and `data_stream.dataset`).
# The only filebeat component in the posted agent logs is
# `filestream-monitoring`, which suggests this section is not being picked up -
# confirm, and move it under `inputs:` if so.
# NOTE(review): the audit log directory must be readable by the account the
# agent service runs as; grant that through a dedicated group or ACL on this
# path rather than loosening the mode for all users.
filebeat.inputs:
- type: filestream
  id: cisb-jira-test
  paths:
    - /var/atlassian/application-data/jira/log/audit/*.log
  data_stream.dataset: jira.audit
  data_stream.namespace: default
  
# No secret references are declared, and the policy lists a single namespace.
secret_references: []
namespaces:
  - default

I have also created the index on KIBANA manually:

logs-elastic_agent.jira_audit_default

No Audit-Logs in ELK …

As far as I can see, only the user JIRA has permission to read the logs:

I will change it!

How can I limit read permission on these logs to one specific service (the Elastic Agent)?

I have added the user root to the group JIRA and restarted the agent, but nothing changed. No new data in ELK.

Perhaps I will have to create some field-parsing …

Even with no field parsing at all, I would expect at least some raw logs to show up in Kibana.

No idea whatsoever …

EI