Elasticsearch didn't show index from logstash-filebeat


#1

Hi, I'm a student and I'm new to ELK. I would like to ask about my configuration, because Elasticsearch didn't show the indices.

log from server SOA -> server ELK -> logstash -> elasticsearch

I'm using Filebeat 6.4.2.
The config in filebeat.yml:

```yaml
#=========================== Filebeat inputs =============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log
  enabled: true
  paths:
    - /SOADEV/default/logs/server.log
  fields_under_root: true
  fields.task: server-soa

# and then I want to send filebeat to logstash of ELK server

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["172.16.4.20:5044"]
  ssl:certificate_authorities: ["/etc/filebeat/logstash.crt"]
```

For the Logstash configuration (soatest.conf):
```
input {
  beats {
    port => 5044
  }
}

filter {
  if [fields.task] == "server-soa" {
    grok {
      match => { "message" => [
        "%{TIMESTAMP_ISO8601:timestamp} %{WORD:timezone} [%{DATA:isp}] %{WORD:status} | [%{DATA:externalID}] | [%{DATA:httpdo}] | [User : %{WORD:user}] | [IP : %{IP:IPclient}] | [Server : %{DATA:hostname}] | [%{DATESTAMP:timeend}] | [%{DATA:info}]",
        "%{TIMESTAMP_ISO8601:timestamp} %{WORD:timezone} [%{DATA:isp}] %{WORD:status} | [%{DATA:externalID}] | [%{DATA:httpdo}] | [User : %{WORD:user}] | [%{SECOND:second} Sec] | [%{DATA:info}]"
      ] }
    }
    date {
      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
    }
  }
}

output {
  if [fields.task] == "server-soa" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "%{[fields.task]}-%{+YYYY.MM.dd}"
      manage_template => false
    }
  }
}
```

I already checked the grok pattern against the log; it's correct according to the Grok Debugger in Dev Tools.
Thank you very much. I hope someone can tell me what's wrong and how to fix it 🙂
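
Added example, not part of the original post and not Elastic's code: a small Python model of Logstash field-reference syntax, run against constructed events, showing which reference resolves to the `task` value for each `fields_under_root` setting. It assumes the input's `fields.task` setting yields a custom field named `task`; `get_field`, `beat_event` and `matching_refs` are hypothetical helper names.

```python
import re

# Field references tested against each event; the first is the one used in the
# conditionals of the soatest.conf shown in the post.
CANDIDATE_REFS = ["[fields.task]", "[fields][task]", "[task]"]


def get_field(event, ref):
    """Resolve a Logstash-style field reference against a nested dict.

    "[a][b]" walks nested keys a then b; "[a.b]" is a single key named "a.b".
    """
    node = event
    for key in re.findall(r"\[([^\[\]]+)\]", ref):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def beat_event(message, custom_fields, fields_under_root):
    """Constructed model of where Filebeat puts an input's custom fields."""
    event = {"message": message}
    if fields_under_root:
        event.update(custom_fields)            # task sits at the top level
    else:
        event["fields"] = dict(custom_fields)  # task sits under "fields"
    return event


def matching_refs(event, expected="server-soa"):
    """Return the candidate references whose value equals `expected`."""
    return [ref for ref in CANDIDATE_REFS if get_field(event, ref) == expected]


if __name__ == "__main__":
    sample = "constructed sample log line"  # not a real server.log entry
    for under_root in (True, False):
        event = beat_event(sample, {"task": "server-soa"}, under_root)
        print(f"fields_under_root={under_root}: {matching_refs(event)}")
```
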

