Data loss when sending logs to Kibana through Filebeat

xyu · October 6, 2022, 1:42am

Hi, I am new to elastic stalk and currently I am facing some difficulties to read all the logs in JSON format.

{"code":"28000","file":"auth.c","length":164,"level":"error","line":"496","message":"no entry for host","name":"error","timestamp":"2022-10-05 08:40:14.308"}

All the lines started with "code":"28000" is not able to send to Kibana. Does anyone know what is the issue?

{"code":"SELF_SIGNED_CERT_IN_CHAIN","level":"error","message":"self signed certificate","timestamp":"2022-10-05 08:40:39.908"}

However, the above line is able to be sent to Kibana.

Thank you for helping

warkolm · October 6, 2022, 2:40am

Welcome to our community!

Are those what you are trying to send to Elasticsearch?
Is there an error when you are sending these you can share?

xyu · October 6, 2022, 2:49am

No, there is no error message but when I check the number of hits in data view, it does not vary with the number of lines I have in a log

warkolm · October 6, 2022, 3:02am

You will need to share more information then please. Things like configs, logs, how are you comparing the number of logs to what is in Elasticsearch.

Rios · October 6, 2022, 11:23am

{"code":"SELF_SIGNED_CERT_IN_CHAIN","level":"error","message":"self signed certificate","timestamp":"2022-10-05 08:40:39.908"}

Most likely you have selfsigned certs. Try with this if you are sending directly to Elasticsearch:

output.elasticsearch.verification_mode: "none"

Default mode is full. Documentation is here

If is working then set certificate_authorities on both side and set full

leandrojmp · October 6, 2022, 12:31pm

This does not seem to be an error from filebeat, but the log message the OP is trying to send.

leandrojmp · October 6, 2022, 12:33pm

Please share your filebeat.yml file and also check the mapping of your index, it may be a mapping issue.

In this message:

{"code":"28000","file":"auth.c","length":164,"level":"error","line":"496","message":"no entry for host","name":"error","timestamp":"2022-10-05 08:40:14.308"}

You have some extra fields, maybe one of them have a different mapping.

Rios · October 6, 2022, 1:59pm

Might be. Well until we see filebeat.yml and logs, it's hard to know.

system · November 3, 2022, 4:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.