Filebeat - Dashboard system not working

dpachot · June 19, 2018, 7:16am

Hello,

Elasticsearch Version 6.2.4
Filebeat Client 6.3.0

I send logs from filebeat's client under Centos 7 with output to Elasticsearch.
I setup the 3 node cluster with geoip, user-agent plugin and reboot each node
Two path in filebeat.yml was configured
/var/log/secure
/var/log/messages

Module system is enabled on the client with command : filebeat modules list
INFO log/harvester.go:228 Harvester started for file: /var/log/secure
INFO log/harvester.go:228 Harvester started for file: /var/log/messages

Kibana display my log in discover's page, but in dashboard's page system nothing ...

Could you help me ?

Thank for answer

David

dpachot · June 19, 2018, 8:05am

So i disable module with cmd line : filebeat modules disable system

To re-enable in config file :
- module: system
# Syslog
syslog:
enabled: true
auth:
enabled: true
i remove all line for : filebeat.inputs.

Now i have only monitoring INFO instance/beat.go:607 INFO instance/beat.go:315 INFO registrar/registrar.go:112 INFO registrar/registrar.go:123 INFO crawler/crawler.go:48 INFO log/input.go:111 INFO input/input.go:87 INFO log/harvester.go:228 INFO log/input.go:111 INFO input/input.go:87 INFO crawler/crawler.go:82 INFO cfgfile/reload.go:122 INFO cfgfile/reload.go:214 INFO log/harvester.go:228 INFO elasticsearch/client.go:690 INFO elasticsearch/client.go:690 INFO template/load.go:73 INFO elasticsearch/client.go:690 INFO template/load.go:73 INFO template/load.go:73 INFO. but nothing other in my filebeat.log
Kibana dashboards successfully loaded.
filebeat start running.
Loading registrar data from /var/lib/filebeat/registry
States Loaded from registrar: 18
Loading Inputs: 2
Configured paths: [/var/log/auth.log* /var/log/secure*]
Starting input of type: log; ID: 601603990474112990
Harvester started for file: /var/log/secure
Configured paths: [/var/log/messages* /var/log/syslog*]
Starting input of type: log; ID: 11041985141352213301
Loading and starting Inputs completed. Enabled inputs: 2
Config reloader started
Loading of config files completed.
Harvester started for file: /var/log/messages
Connected to Elasticsearch version 6.2.4
Connected to Elasticsearch version 6.2.4
Template already exists and will not be overwritten.
Connected to Elasticsearch version 6.2.4
Template already exists and will not be overwritten.
Template already exists and will not be overwritten.

if during 5 minutes no change on /var/log/secure and messages. filebeat.log give me :
File is inactive: /var/log/secure. Closing because close_inactive of 5m0s reached.
File is inactive: /var/log/messages. Closing because close_inactive of 5m0s reached.

if i try a bad ssh login ->
Harvester started for file: /var/log/messages
Harvester started for file: /var/log/secure

I cant see what i missed

harshbajaj16 · June 19, 2018, 9:10am

HI,

Please enable below configuration in filebeat.yml file if you enable the module in config file.

#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag.
dashboards.enabled: true

It will enable the all default dashboards in kibana.

Please share debug level log of filebeat if you still face any issue in this regards.

Regards,

dpachot · June 19, 2018, 9:16am

Thx for reply
I already have the default dashboard and this value to true in my YML.

With Centos 7 i successfully have syslog dashboard working but for ssh login dashboard dont work with Centos 7.

I see in Visualize-> SSH login attempts [Filebeat System] the name system.auth.ssh.event. But nothing from my log is indexed with this value.

I have my ssh login in this value : system.syslog.hostname system.syslog.program system.syslog.message

If i put in module auth logs a custom path : /var/log/secure
i have this error -> Exiting: Error getting config for fileset system/auth: Error interpreting the template of the input: template: text:3:22: executing "text" at <.paths>

I think the problem is here ...

maybe template cannot interprete a centos SSH log.

harshbajaj16 · June 19, 2018, 9:25am

Ohk i understood,

could you please share the a sample log and also share the kibana o/p with logs like below.

Yes that's what i want to know that template is parsing properly or not and same you can in kibana discover page for a particular log and after that we can identify the issue.

Please share so that we can identify.

Regads,

dpachot · June 19, 2018, 9:35am

Here the result of a SSH Login Failed. Source from /var/log/secure but put in syslog. I dont have an auht.log in Centos 7.

dpachot · June 19, 2018, 9:53am

when i put in auth module custom path like that :
var.paths: ["/var/log/secure"]

it was good !!!
it take time analyse index filebeat* and now my dashboard ssh login works

thx for support

harshbajaj16 · June 19, 2018, 9:53am

it seems ok your fields are parsing properly.

Have you changed the time in kibana like "This week", "Last 15 minutes" etc.
Select "This Week" or "Month" an try.

your kibana logs are ok it should be visible in dashboard.

Regards,

dpachot · June 19, 2018, 9:55am

it's ok

Thx

dpachot · June 19, 2018, 12:53pm

in fact i have +2 hours in my @timestamp log for SSH Login dahsboard.

@timestamp June 19th 2018, 14:07:20.000
t system.auth.timestamp Jun 19 12:07:20

My 3 node ELK have : Tue Jun 19 14:48:12 CEST 2018
My Beat CLient : Tue Jun 19 14:48:18 CEST 2018

How to force time or timezone to collect log at the same time ?

thx

dpachot · June 19, 2018, 1:47pm

ok i change the timezone in file pipeline.json.
and delete curl -XDELETE http://elasticsearch:9200/_ingest/pipeline/filebeat-*

it's ok now

system · July 17, 2018, 1:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.