Elastic-Agent - filebeat and metricbeat - Error Log help

I have ElasticSearch and Kibana running as dockers. I documented it here: https://github.com/cwobuzz/Setting-up-Docker-Elastic-Kibana-Running-Sysmon-And-Agent/blob/master/.README.md

My Elastic-Agent is pushing Endpoint security logs, but Auditbeat, Filebeat and Winlogbeat are all showing 0 logs.

Metricbeat Monitor Log:

{"log.level":"info","@timestamp":"2021-02-11T13:00:09.510-0700","log.origin":{"file.name":"module/wrapper.go","file.line":259},"message":"Error fetching data for metricset beat.state: error making http request: Get \"http://npipe/state\": open \\\\.\\pipe\\default-endpoint-security: The system cannot find the file specified.","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2021-02-11T13:00:09.510-0700","log.origin":{"file.name":"module/wrapper.go","file.line":259},"message":"Error fetching data for metricset beat.stats: error making http request: Get \"http://npipe/stats\": open \\\\.\\pipe\\default-endpoint-security: The system cannot find the file specified.","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2021-02-11T13:00:09.510-0700","log.origin":{"file.name":"module/wrapper.go","file.line":259},"message":"Error fetching data for metricset http.json: error making http request: Get \"http://npipe/stats\": open \\\\.\\pipe\\default-endpoint-security: The system cannot find the file specified.","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2021-02-11T13:00:18.690-0700","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":144},"message":"Non-zero metrics in the last 30s","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":16078,"time":{"ms":94}},"total":{"ticks":25984,"time":{"ms":157},"value":25984},"user":{"ticks":9906,"time":{"ms":63}}},"handles":{"open":280},"info":{"ephemeral_id":"7c59624d-7982-49f4-aea7-9026c17c1816","uptime":{"ms":11191727}},"memstats":{"gc_next":17784784,"memory_alloc":9909672,"memory_total":776768968,"rss":59359232},"runtime":{"goroutines":92}},"libbeat":{"config":{"module":{"running":7}},"output":{"events":{"acked":30,"active":0,"batches":3,"total":30},"read":{"bytes":8147},"write":{"bytes":64007}},"pipeline":{"clients":10,"events":{"active":0,"published":30,"total":30},"queue":{"acked":30}}},"metricbeat":{"beat":{"state":{"events":9,"failures":3,"success":6},"stats":{"events":9,"failures":3,"success":6}},"http":{"json":{"events":12,"failures":3,"success":9}}}},"ecs.version":"1.6.0"}}

Filebeat Monitor Log

{"log.level":"info","@timestamp":"2021-02-11T13:00:19.011-0700","log.origin":{"file.name":"log/harvester.go","file.line":302},"message":"Harvester started for file: C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-84c4d4\\logs\\default\\metricbeat-json.log","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2021-02-11T13:00:19.011-0700","log.logger":"jsonhelper","log.origin":{"file.name":"jsontransform/jsonhelper.go","file.line":62},"message":"JSON: Won't overwrite @timestamp because of parsing error: parsing time \"2021-02-11T13:00:13.850-0700\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"-0700\" as \"Z07:00\"","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2021-02-11T13:00:19.011-0700","log.origin":{"file.name":"log/harvester.go","file.line":302},"message":"Harvester started for file: C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-84c4d4\\logs\\default\\filebeat-json.log","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2021-02-11T13:00:19.011-0700","log.logger":"jsonhelper","log.origin":{"file.name":"jsontransform/jsonhelper.go","file.line":62},"message":"JSON: Won't overwrite @timestamp because of parsing error: parsing time \"2021-02-11T13:00:17.285-0700\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"-0700\" as \"Z07:00\"","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2021-02-11T13:00:44.034-0700","log.logger":"jsonhelper","log.origin":{"file.name":"jsontransform/jsonhelper.go","file.line":62},"message":"JSON: Won't overwrite @timestamp because of parsing error: parsing time \"2021-02-11T13:00:43.862-0700\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"-0700\" as \"Z07:00\"","ecs.version":"1.6.0"}

Agent Watcher Log

{"log.level":"error","@timestamp":"2021-02-11T09:53:35.251-0700","log.origin":{"file.name":"cmd/watch.go","file.line":60},"message":"failed to load markeropen C:\\Program Files\\Elastic\\Agent\\data\\.update-marker: The system cannot find the file specified.","ecs.version":"1.6.0"}

I think we're hitting this bug of Filebeat here: Allow to overwrite @timestamp with different format · Issue #11273 · elastic/beats · GitHub. I will check what we can do about that and test possible workarounds.

I created an issue we can track: [Ingest Manager] Unable to collect logs on machines with timezone set · Issue #24229 · elastic/beats · GitHub

Thanks! I have not tested this, but it seems like you need to set your host computer to UTC for elastic agent to ingest its beats.
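The `@timestamp` parse failure in the Filebeat monitor log above can be reproduced with Go's `time` package. This is an added example, not code from Beats or from anyone in the thread: `time.RFC3339` requires a colon in a numeric offset, so `-0700` is rejected while `-07:00` and `Z` are accepted. The names `parseStrict`, `parseTolerant` and `fallbackLayout` are hypothetical and chosen for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// fallbackLayout is an assumption for this example: ISO 8601 with a
// numeric offset written without a colon (Z0700 also accepts "Z").
const fallbackLayout = "2006-01-02T15:04:05Z0700"

// parseStrict uses the layout named in the Filebeat error message.
func parseStrict(ts string) (time.Time, error) {
	return time.Parse(time.RFC3339, ts)
}

// parseTolerant tries RFC 3339 first, then the colon-less offset form,
// and normalizes the result to UTC so both forms compare equal.
func parseTolerant(ts string) (time.Time, error) {
	t, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		var err2 error
		if t, err2 = time.Parse(fallbackLayout, ts); err2 != nil {
			return time.Time{}, err // report the RFC 3339 error
		}
	}
	return t.UTC(), nil
}

func main() {
	// Constructed samples; the first value is the one quoted in the log above.
	samples := []string{
		"2021-02-11T13:00:13.850-0700",
		"2021-02-11T13:00:13.850-07:00",
		"2021-02-11T20:00:13.850Z",
	}
	for _, s := range samples {
		_, strictErr := parseStrict(s)
		t, err := parseTolerant(s)
		fmt.Printf("%-30s strict_ok=%-5v tolerant=%s err=%v\n",
			s, strictErr == nil, t.Format(time.RFC3339Nano), err)
	}
}
```

A timestamp written in UTC with a `Z` suffix passes the strict parser, which is consistent with the observation above that the problem appears on hosts with a non-UTC timezone.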
