I am trying to send logs to localhost 9200. Once I can gather local logs, I can work on remote logs. In theory.
My current problem, from /var/log/syslog:
Dec 19 20:56:22 ub2204elk filebeat[1432]: {"log.level":"error","@timestamp":"2022-12-19T20:56:22.075Z","log.origin":{"file.name":"instance/beat.go","file.line":1057},"message":"Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: module elasticsearch is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.5/filebeat-module-system.html
# https://logit.io/sources/configure/filebeat-system/
- module: system
  # Syslog
  syslog:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    # var.paths: "/var/log/syslog"
  # Authorization logs
  auth:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    # var.paths: "/var/log/auth.log"
# I commented the paths. Says the OS will use the defaults.
It looks like you have the elasticsearch filebeat module enabled (modules.d/elasticsearch.yml instead of modules.d/elasticsearch.yml.disabled) but don't have any of the filesets in the elasticsearch module enabled.
cat /usr/bin/filebeat
#!/usr/bin/env bash
# Script to run Filebeat in foreground with the same path settings that
# the init script / systemd unit file would do.
umask 0027
exec /usr/share/filebeat/bin/filebeat \
  --path.home /usr/share/filebeat \
  --path.config /etc/filebeat \
  --path.data /var/lib/filebeat \
  --path.logs /var/log/filebeat \
  "$@"
That isn't so dramatic. Back to examining the original error message. And why it won't load modules.
Dec 19 20:56:22 ub2204elk filebeat[1432]: {"log.level":"error","@timestamp":"2022-12-19T20:56:22.075Z","log.origin":{"file.name":"instance/beat.go","file.line":1057},"message":"Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: module elasticsearch is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
Right. The fact that you have a file called /etc/filebeat/modules.d/elasticsearch.yml, means that the elasticsearch module is enabled. If you rename the file to /etc/filebeat/modules.d/elasticsearch.yml.disabled that will disable the elasticsearch module.
The error is because you have the elasticsearch module enabled, but haven't enabled any filesets in the module.
That is more of an architectural decision. For filebeat it is more common to install filebeat on each host. You can setup filebeat to listen for incoming syslog messages (Syslog input | Filebeat Reference [8.5] | Elastic) but it is more common to use Logstash for that use case.
I don't suppose you have a link to installing and configuring Filebeat on the remote hosts (servers to be monitored)? I'm kinda confused right now.
With tcpdump running on both the elk server and the remote host I can see the exchange of data on the specified port (10514) during a log write on the remote host. It looks like good communication, but nothing gets written to kibana | Observability | Logs | Stream. Is this the correct place? Is it being filtered out?
I put
# FOR remote rsyslog
filebeat.inputs:
  - type: syslog
    format: auto
    protocol.unix:
      host: "localhost:10514"
into /etc/filebeat/filebeat.yml on the elk server.
On the remote guy, in /etc/rsyslog.d/70-output.conf:
*.* @@192.168.1.205:10514;json-template
(.205 is the elk server)
filebeat is not installed on remote. Is that the way I need to go?
My solution was to send remote rsyslog to elk's rsyslog, and then Filebeat picked up the logs locally. I would like to see these logs encrypted at some point, but I'm satisfied with this solution for now.
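For the listener posted earlier in the thread (a `protocol.unix` block carrying a `host:` setting), here is an added example, not from this thread or from Elastic, of a filebeat.yml on the ELK host that actually accepts the remote rsyslog TCP stream on 10514 and ships it to the local Elasticsearch. It assumes Filebeat 8.x, the `@@192.168.1.205:10514` rsyslog forwarder from the thread, and that the elasticsearch module file has been renamed to `.disabled` as the answer suggests.

```yaml
# /etc/filebeat/filebeat.yml on the ELK host (added example, assumes Filebeat 8.x)

filebeat.inputs:
  # rsyslog's "@@host:port" action forwards over TCP, so the listener has to be
  # protocol.tcp. protocol.unix only reads a local socket and takes a `path`,
  # not a `host`, so a TCP stream seen by tcpdump is never ingested by it.
  - type: syslog
    format: auto
    protocol.tcp:
      # Bind the address the remote host actually reaches ("localhost" only
      # accepts connections from the ELK box itself).
      host: "192.168.1.205:10514"
      # The tcp listener also accepts the standard Filebeat ssl.* settings,
      # which is the place to add transport encryption later.
    tags: ["remote-rsyslog"]

# Local logs keep coming from modules.d/system.yml. Any module file without
# an enabled fileset (here the elasticsearch module) must stay *.disabled,
# or Filebeat exits at startup with the "no enabled filesets" error above.
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

output.elasticsearch:
  hosts: ["localhost:9200"]
```

Run `filebeat test config` and `filebeat test output` before restarting the service; the first catches an invalid protocol block, the second confirms the 9200 connection.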