Creating Dashboard for apache access logs using Filebeat

ERROR [publisher_pipeline_output] pipeline/output.go:180 failed to publish events: 500 Internal Server Error: {"error":{"root_cause":[{"type":"illegal_state_exception","reason":"There are no ingest nodes in this cluster, unable to forward request to an ingest node."}],"type":"illegal_state_exception","reason":"There are no ingest nodes in this cluster, unable to forward request to an ingest node."},"status":500}

How do I fix this error? Now my data is also not coming into Kibana. I got this error by running this command: sudo filebeat -e -c /etc/filebeat/filebeat.yml

Well there we go!!!! Now we are getting somewhere finally

Looks like your Elasticsearch is not set up correctly...

The error indicates there is no ingest node role, the ingest node role is required to run ingest pipelines... so that is why your ingest pipeline won't run and why your data will not be parsed nor indexed into elasticsearch. That error has probably been in the logs all along... I made the bad assumption that you were actually looking at the logs... apologies I should have asked you

I'm going to have you run some commands so we can understand what's going on.

Go To Kibana -> Dev Tools and run

And show me the complete output of this ... not part of it, all of it... you are probably going to edit the IPs; if you do, just be consistent. If you make them all xxx's I may not be able to help

GET _cat/nodes?v

Also please reconfirm the output section of filebeat.yml

output.elasticsearch:
  hosts: ["https://#.#.#.#:9200", "https://#.#.#.#:9200"]
  #index: "mylogs-%{+yyyy.MM.dd}"
  username: "manifest"
  password: "manifest"
  ssl.enabled: true
  ssl.verification_mode: none
  #ssl.certificate_authorities:

If you anonymize the IPs make sure they match, like

1.2.3.4 in the _cat/nodes matches 1.2.3.4 in the output.elasticsearch section

In short, whoever set up your Elasticsearch made some configuration changes that removed the ability to run the ingest pipelines. By default, Ingest Node / Pipelines are enabled, so this was a change that someone made / set.

GET _cat/nodes?v
Output -

ip                    heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
9.9.9.9                         14          97   8    0.27    0.23     0.26 hs        -      ec1
1.1.1.1                         11          92   1    0.06    0.03     0.01 m         -      em2
10.10.10.10                     70          97   1    0.07    0.04     0.05 hs        -      ec2
2.2.2.2                         39          95   8    0.31    0.59     0.47 m         *      em3
7.7.7.7                         54          90   1    0.00    0.00     0.00 hs        -      ed5
6.6.6.6                         47          98   7    0.15    0.11     0.12 hs        -      ed4

output section of elasticsearch---

output.elasticsearch:
   # Array of hosts to connect to.
   hosts: ["https://6.6.6.6:9200"]
   #index: "mylogs-%{+yyyy.MM.dd}"
   #setup.dashboards.enabled: true
   # pipeline: "accesslogs"
   username: "manifest"
   password: "manifest"
   ssl.enabled: true
   ssl.verification_mode: "none"
   #ssl.certificate_authorities:
   #       - /etc/filebeat/ca/ca.crt

  # Protocol - either `http` (default) or `https`.
   protocol: "https"

Two pipelines are shown under ingest pipeline on the Kibana UI by the name of filebeat:

  • filebeat-7.17.9-apache-access-pipeline
  • filebeat-7.17.9-apache-error-pipeline

And in the elasticsearch configuration ingest has been set up as false

So the good news is we found your issue.

The not-so-good news is that this was hard to find because whoever set up your Elasticsearch cluster did not set ingest node roles, which is highly unusual (perhaps just a misunderstanding). NONE of our integrations that use pipelines would work, that is ~95% of them. No custom ingest pipeline would work either, which removes a major capability from Elasticsearch... not a best practice for sure.

With No Nodes with ingest role, ingest pipeline can not / will not work, ingest pipeline can not be executed and thus data will NOT be ingested.

You do NOT have to have separate ingest nodes, that role can run on the data nodes unless you have some extreme conditions which I suspect you do not.

Explanation:

node.role, r, role, nodeRole

(Default) Roles of the node. Returned values include c (cold node), d (data node), f (frozen node), h (hot node), i (ingest node), l (machine learning node), m (master-eligible node), r (remote cluster client node), s (content node), t (transform node), v (voting-only node), w (warm node), and - (coordinating node only).

So looking at your _cat/nodes

You have 4 data nodes (for explanation see here):

ip                    heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
9.9.9.9                         14          97   8    0.27    0.23     0.26 hs        -      ec1
10.10.10.10                     70          97   1    0.07    0.04     0.05 hs        -      ec2
7.7.7.7                         54          90   1    0.00    0.00     0.00 hs        -      ed5
6.6.6.6                         47          98   7    0.15    0.11     0.12 hs        -      ed4

So when these nodes were set up they were set up with h=hot and s=content ONLY, which is good, BUT they did not include ingest (at least) and transform (which is good to have).

No Ingest Role, No Ingest Pipeline Will Work, Apache Module nor Any Pipeline will work

Quick look at my data node

ip          heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.44.3.133           58          99  36    1.83    1.86     1.71 hist    -      instance-0000000001
10.44.2.186           42          94  33    1.91    2.43     2.52 hist    *      instance-0000000000

Your nodes should probably have at least these roles

hist
h=hot
i=ingest
s=content
t=transform

Which translates in the elasticsearch.yml file see Here to read about node roles

Today on those data nodes it will look like

node.roles: [ data_hot, data_content ]

But it should look like the following (transform is a good role as you might want to use it in the future and it works with basic license).

node.roles: [ data_hot, data_content, ingest, transform]

THIS is your ISSUE.

You need to get this fixed... no other way around this!

Then once the Elasticsearch is fixed, if you go all the way back to the simple setup with the apache.yml and the file input turned off etc.. etc. just follow the quickstart, it should all work.

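The role check walked through in the answer above, as an added example that is not part of the original thread: it parses the `_cat/nodes?v` output posted there, expands the role letters, and reports whether any node can run ingest pipelines. The function names are hypothetical, and the letter-to-name mapping assumes the standard `node.roles` names in elasticsearch.yml (the thread itself shows only `data_hot`, `data_content`, `ingest` and `transform`).

```python
# Role letters from the _cat/nodes legend quoted in the thread, mapped to the
# names used in elasticsearch.yml node.roles (mapping is an assumption here).
ROLE_LETTERS = {
    "c": "data_cold", "d": "data", "f": "data_frozen", "h": "data_hot",
    "i": "ingest", "l": "ml", "m": "master", "r": "remote_cluster_client",
    "s": "data_content", "t": "transform", "v": "voting_only", "w": "data_warm",
}
DATA_ROLES = {"data", "data_hot", "data_warm", "data_cold", "data_frozen", "data_content"}

# The _cat/nodes?v output posted in the thread (IPs anonymized by the poster).
CAT_NODES = """\
ip          heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
9.9.9.9               14          97   8    0.27    0.23     0.26 hs        -      ec1
1.1.1.1               11          92   1    0.06    0.03     0.01 m         -      em2
10.10.10.10           70          97   1    0.07    0.04     0.05 hs        -      ec2
2.2.2.2               39          95   8    0.31    0.59     0.47 m         *      em3
7.7.7.7               54          90   1    0.00    0.00     0.00 hs        -      ed5
6.6.6.6               47          98   7    0.15    0.11     0.12 hs        -      ed4
"""

def parse_cat_nodes(text):
    """One dict per node, keyed by the column names in the ?v header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = [ln.split() for ln in lines[1:]]
    if any(len(r) != len(header) for r in rows):
        raise ValueError("row does not match header; paste the complete output")
    return [dict(zip(header, r)) for r in rows]

def roles_of(node):
    """Expand the compact node.role letters; '-' is a coordinating-only node."""
    return [] if node["node.role"] == "-" else [ROLE_LETTERS[c] for c in node["node.role"]]

def suggested_node_roles(node):
    """node.roles line for a data node without ingest, per the advice above."""
    roles = roles_of(node)
    if "ingest" in roles or not DATA_ROLES.intersection(roles):
        return None
    extra = [r for r in ("ingest", "transform") if r not in roles]
    return "node.roles: [ " + ", ".join(roles + extra) + " ]"

def ingest_report(text):
    nodes = parse_cat_nodes(text)
    ingest = [n["name"] for n in nodes if "ingest" in roles_of(n)]
    fixes = {n["name"]: s for n in nodes if (s := suggested_node_roles(n))}
    return {"ingest_nodes": ingest, "pipelines_can_run": bool(ingest), "fixes": fixes}

if __name__ == "__main__":
    print(ingest_report(CAT_NODES))
```

For the cluster in this thread the report lists no ingest nodes and proposes the `node.roles` change for the four data nodes only; the master-only nodes are left alone.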

When I disable my input, no logs are there in the Kibana UI, and other things are seen on the UI, like the index policy and dashboard by the name of filebeat. And at last, when I ran filebeat setup -e, it says created ingest pipeline

output of filebeat setup -e

INFO    cfgfile/reload.go:262   Loading of config files completed.    
INFO    [modules]       fileset/pipelines.go:133        Elasticsearch pipeline loaded.{"pipeline": "filebeat-7.17.9-apache-access-pipeline"}
INFO    [modules]       fileset/pipelines.go:133        Elasticsearch pipeline loaded.{"pipeline": "filebeat-7.17.9-apache-error-pipeline"}
Loaded Ingest pipelines

The ingest pipeline may have been created, but you do not have any nodes that can actually run them...

@kriti_dabas You need to trust me (and as you can see @Christian_Dahlqvist who actually has MORE experience than me) on this you CAN create ingest pipelines BUT they WILL NOT RUN.... sorry that is confusing but it is what it is...

@kriti_dabas If you do not fix elasticsearch node roles, ingest pipelines will NEVER EXECUTE...

you can load / setup ingest pipelines up all .... day.... long... but they will NEVER run

You can take my 5 years of experience word for it or you can continue to struggle

Your _cat/nodes shows you will not be able to execute ingest pipelines, which BTW is EXACTLY what the error says.

Okay


thanks

Thank you so much for your insights, kindly guide me further on how to do this?
And one more thing: I have another stream of logs on staging, will it be affected if I make changes for the Apache access logs?

Open a new thread on How to Set / Change Node Roles on an existing cluster.

Share your elasticsearch.yml and reference the changes you need to make.

I showed you the documentation

I gave you the new settings...

You will need to do a rolling restart of the nodes and apply the changes to the data nodes.

Here are the docs ... I will not add more to this thread


I do not know what you mean by staging .. same cluster....different cluster unclear

BUT changing node roles that we are describing does not affect current indices, and should not affect ingest... unless you then introduce ingest pipelines

Nice thing about staging, that is where you test :)

(I lied, I added 1 more post :) )

Thank you for all the help. I will get back to you after applying all the changes.
