Elasicsearch is not creating an index even there are no errors

frasmd · November 26, 2018, 12:38pm

I have installed Elasticstash 6.2.4 with one filebeat node and a node with elasticsearch, kibana and logstash on the same node. Now i am trying to send logs of the a server using filebeat to logstash using the below config file located in /etc/logstash/conf.d

input {
  beats {
    port => "5044"
    host => "xxxxxxxx"
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch { hosts => ["xxxxxxxx:9200"]
    hosts => "xxxxxxxxx:9200"
    user => "elastic"
    password => "changeme"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

I am getting no errors in any of the service logs and filebeat is also sending logs to my logstash. But i am not able to see any indexes getting created by elasticsearch

http://xxxxxxxxx:9200/_cat/indices?v

health status index uuid pri rep docs.count docs.deleted store.size pri.store.size

Below are my logstash logs and

[INFO ] 2018-11-26 06:24:47.959 [[main]-pipeline-manager] beats - Beats inputs: Starting input listener {:address=>"10.1.20.140:5044"}
[INFO ] 2018-11-26 06:24:48.025 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x2cb14725@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:247 sleep>"}
[INFO ] 2018-11-26 06:24:48.031 [[main]<beats] Server - Starting server on port: 5044
[INFO ] 2018-11-26 06:24:48.047 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] agent - Pipelines running {:count=>1, :pipelines=>["main"]}

filebeat logs

2018-11-26T12:29:20.164Z        INFO    [monitoring]    log/log.go:124  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":10,"time":20},"total":{"ticks":20,"time":36,"value":20},"user":{"ticks":10,"time":16}},"info":{"ephemeral_id":"58504565-c112-4c4e-81c8-f1d29149bbf8","uptime":{"ms":240008}},"memstats":{"gc_next":4194304,"memory_alloc":1624952,"memory_total":4349504}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":16.88,"15":17.41,"5":17.2,"norm":{"1":2.11,"15":2.1763,"5":2.15}}}}}}
2018-11-26T12:29:50.165Z        INFO    [monitoring]    log/log.go:124  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":20,"time":22},"total":{"ticks":30,"time":38,"value":30},"user":{"ticks":10,"time":16}},"info":{"ephemeral_id":"58504565-c112-4c4e-81c8-f1d29149bbf8","uptime":{"ms":270007}},"memstats":{"gc_next":4194304,"memory_alloc":1732568,"memory_total":4457120}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":17.26,"15":17.42,"5":17.26,"norm":{"1":2.1575,"15":2.1775,"5":2.1575}}}}}}

Something wrong with the logstash conf file? Am i missing something?

Eniqmatic · November 26, 2018, 1:00pm

Why do you have two hosts fields in the output? Also remove the "document_type" parameter as it is depreciated, and try changing the index name to something simpler just now like:

index => "filebeat-%{+YYYY.MM.dd}"

Also I assume you have a paid subscription since you are using user and password? If so are you using https in the hosts output because x-pack now requires TLS by default.

Christian_Dahlqvist · November 26, 2018, 1:05pm

How did you determine that Filebeat is actually able to send data to Logstash?

frasmd · November 26, 2018, 7:11pm

Yes changed them still index not created

input {
  beats {
    port => "5044"
    host => "10.1.20.140"
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch { hosts => ["10.1.20.140:9200"]
    manage_template => false
    index => "filebeat-%{+YYYY.MM.dd}"
  }
}

still anything i am missing?

frasmd · November 26, 2018, 7:13pm

I am gettting the file beat logs sending to the logstash like below

2018-11-26T12:29:20.164Z        INFO    [monitoring]    log/log.go:124  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":10,"time":20},"total":{"ticks":20,"time":36,"value":20},"user":{"ticks":10,"time":16}},"info":{"ephemeral_id":"58504565-c112-4c4e-81c8-f1d29149bbf8","uptime":{"ms":240008}},"memstats":{"gc_next":4194304,"memory_alloc":1624952,"memory_total":4349504}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":16.88,"15":17.41,"5":17.2,"norm":{"1":2.11,"15":2.1763,"5":2.15}}}}}}
2018-11-26T12:29:50.165Z        INFO    [monitoring]    log/log.go:124  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":20,"time":22},"total":{"ticks":30,"time":38,"value":30},"user":{"ticks":10,"time":16}},"info":{"ephemeral_id":"58504565-c112-4c4e-81c8-f1d29149bbf8","uptime":{"ms":270007}},"memstats":{"gc_next":4194304,"memory_alloc":1732568,"memory_total":4457120}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":17.26,"15":17.42,"5":17.26,"norm":{"1":2.1575,"15":2.1775,"5":2.1575}}}}}}

Dont these meant that?

Christian_Dahlqvist · November 26, 2018, 7:19pm

That looks like monitoring metrics to me, and seems to state no data has been sent.

frasmd · November 26, 2018, 8:36pm

Ok!! I will check on the filebeat server config. But before that index should get created right?

Christian_Dahlqvist · November 26, 2018, 8:37pm

The index usually gets create the first time data is indexed into it, so if no date is reading Logstash no idea will be created.

frasmd · November 26, 2018, 8:43pm

Below is the filebeat config i am using on the filebeat node

#=========================== Filebeat prospectors =============================

filebeat.prospectors:

# Each - is a prospector. Most options can be set at the prospector level, so
# you can use different prospectors for various configurations.
# Below are the prospector specific configurations.

- type: log

  # Change to true to enable this prospector configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/rhsm/*.log
    - /var/log/filebeat/*
    - /var/log/secure
    - /var/log/messages

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["10.1.20.140:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  template.name: "filebeat"
  template.path: "filebeat.template.json"
  template.overwrite: false
  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

service is also running and there are no errors in the filebeat logs and this node is able to ping the elasticsearch/Logstash node

frasmd · November 26, 2018, 8:45pm

This is what i am getting when i restart the filebeat service on the filebeat node

2018-11-26T20:44:09.940Z        INFO    registrar/registrar.go:110      Loading registrar data from /var/lib/filebeat/registry
2018-11-26T20:44:09.941Z        INFO    [monitoring]    log/log.go:97   Starting metrics logging every 30s
2018-11-26T20:44:09.941Z        INFO    registrar/registrar.go:121      States Loaded from registrar: 80
2018-11-26T20:44:09.941Z        WARN    beater/filebeat.go:261  Filebeat is unable to load the Ingest Node pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the Ingest Node pipelines or are using Logstash pipelines, you can ignore this warning.
2018-11-26T20:44:09.941Z        INFO    crawler/crawler.go:48   Loading Prospectors: 1
2018-11-26T20:44:09.941Z        INFO    crawler/crawler.go:82   Loading and starting Prospectors completed. Enabled prospectors: 0
2018-11-26T20:44:09.941Z        INFO    cfgfile/reload.go:127   Config reloader started
2018-11-26T20:44:09.941Z        INFO    cfgfile/reload.go:219   Loading of config files completed.
2018-11-26T20:44:39.943Z        INFO    [monitoring]    log/log.go:124  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":10,"time":12},"total":{"ticks":10,"time":18,"value":10},"user":{"ticks":0,"time":6}},"info":{"ephemeral_id":"a18e08f9-43d2-4af2-97d9-a578de482e50","uptime":{"ms":30007}},"memstats":{"gc_next":4473924,"memory_alloc":2933656,"memory_total":2933656,"rss":11927552}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0},"reloads":1},"output":{"type":"logstash"},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":8},"load":{"1":17.87,"15":17.64,"5":17.72,"norm":{"1":2.2338,"15":2.205,"5":2.215}}}}}}

Christian_Dahlqvist · November 26, 2018, 8:49pm

It looks like you do not have any enabled prospector, which could explain why no logs are being collected.

frasmd · November 26, 2018, 9:02pm

Bang on. That worked. Now i can go ahead and integrate with x-pack for ML. Thanks a lot for the help

frasmd · November 26, 2018, 9:14pm

One thing, if i want to run logstash using the custom config file, i am using

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/syslog.conf

If i run as demon it's doesnt take the file, do i need to mention it anywhere in my config files?

system · December 24, 2018, 9:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash not creating (some?) indexes in ES, no error in logs Logstash	4	9795	October 5, 2017
How to configure indexes in logstash Elasticsearch	2	599	June 23, 2019
No indexes created in Elasticsearch Elasticsearch	14	1967	February 11, 2019
The index is not created and no log is recorded Elasticsearch	6	789	July 5, 2017
No data moving into elasticsearch Beats filebeat	22	6589	May 16, 2018

Elasicsearch is not creating an index even there are no errors

Related topics