Filebeat does not read new lines

kater · September 19, 2018, 2:13pm

Hello.
I'm currently using a 6.4 ELK stack and 6.4 Filebeat on a other server.

A squid is running and the access.log get new lines but Filebeat is not able to read it.
I even tried to "echo >>" the file but Filebeat just read nothing.

here is the filebeat conf

filebeat.inputs:
- type: log
  enabled: true
  paths:
    – /var/log/squid/access.log
output.logstash:
  hosts: ["10.137.200.18:5044"]
logging.level: debug

Filebeat load the input correctly

2018-09-19T15:31:01.031+0200    INFO    instance/beat.go:273    Setup Beat: filebeat; Version: 6.4.0
2018-09-19T15:31:01.031+0200    DEBUG   [beat]  instance/beat.go:290    Initializing output plugins
2018-09-19T15:31:01.031+0200    DEBUG   [processors]    processors/processor.go:66      Processors:
2018-09-19T15:31:01.034+0200    DEBUG   [publish]       pipeline/consumer.go:137        start pipeline event consumer
2018-09-19T15:31:01.034+0200    INFO    pipeline/module.go:98   Beat name: squid
2018-09-19T15:31:01.035+0200    INFO    instance/beat.go:367    filebeat start running.
2018-09-19T15:31:01.035+0200    DEBUG   [registrar]     registrar/registrar.go:114      Registry file set to: /var/lib/filebeat/registry
2018-09-19T15:31:01.036+0200    INFO    registrar/registrar.go:134      Loading registrar data from /var/lib/filebeat/registry
2018-09-19T15:31:01.036+0200    INFO    registrar/registrar.go:141      States Loaded from registrar: 0
2018-09-19T15:31:01.036+0200    WARN    beater/filebeat.go:371  Filebeat is unable to load the Ingest Node pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the Ingest Node pipelines or are using Logstash pipelines, you can ignore this warning.
2018-09-19T15:31:01.036+0200    INFO    crawler/crawler.go:72   Loading Inputs: 1
2018-09-19T15:31:01.036+0200    DEBUG   [processors]    processors/processor.go:66      Processors:
2018-09-19T15:31:01.037+0200    DEBUG   [input] log/config.go:201       recursive glob enabled
2018-09-19T15:31:01.037+0200    DEBUG   [input] log/input.go:147        exclude_files: []. Number of stats: 0
2018-09-19T15:31:01.037+0200    DEBUG   [input] log/input.go:168        input with previous states loaded: 0
**2018-09-19T15:31:01.037+0200    INFO    log/input.go:138        Configured paths: [/– /var/log/squid/access.log]**
2018-09-19T15:31:01.037+0200    INFO    input/input.go:114      Starting input of type: log; ID: 1805975221398277003
2018-09-19T15:31:01.037+0200    INFO    crawler/crawler.go:106  Loading and starting Inputs completed. Enabled inputs: 1
2018-09-19T15:31:01.038+0200    INFO    [monitoring]    log/log.go:114  Starting metrics logging every 30s
2018-09-19T15:31:01.038+0200    DEBUG   [registrar]     registrar/registrar.go:267      Starting Registrar
2018-09-19T15:31:01.038+0200    DEBUG   [input] log/input.go:174        Start next scan

But even if i add line to the file, filebeat does not seems to see something

2018-09-19T15:31:01.038+0200    DEBUG   [input] log/input.go:174        Start next scan
2018-09-19T15:31:01.039+0200    DEBUG   [input] log/input.go:195        input states cleaned up. Before: 0, After: 0, Pending: 0
2018-09-19T15:31:11.040+0200    DEBUG   [input] input/input.go:152      Run input
2018-09-19T15:31:11.040+0200    DEBUG   [input] log/input.go:174        Start next scan
2018-09-19T15:31:11.040+0200    DEBUG   [input] log/input.go:195        input states cleaned up. Before: 0, After: 0, Pending: 0
2018-09-19T15:31:21.042+0200    DEBUG   [input] input/input.go:152      Run input
2018-09-19T15:31:21.043+0200    DEBUG   [input] log/input.go:174        Start next scan
2018-09-19T15:31:21.043+0200    DEBUG   [input] log/input.go:195        input states cleaned up. Before: 0, After: 0, Pending: 0

Am i missing something ?
Thank in advance.

jsoriano · September 19, 2018, 4:19pm

Hi @kater and welcome

It looks like your configuration contains a symbol that looks like a hyphen but it is not. In the log you can see that this is taking this symbol as part of the path (Configured paths: [/– /var/log/squid/access.log]**).
Could you try to replace the hyphen before the path to be a normal hyphen (like the one on - type: log)?

kater · September 20, 2018, 7:22am

Thank you @jsoriano, it works ! I was sure this log line was weird looking

On vi theses hyphen are pretty similar :

system · October 18, 2018, 7:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeats can see new lines in file only after restart Beats docker , filebeat	1	394	September 9, 2021
Filebeat is not reading updated logfile Beats filebeat	6	1978	July 11, 2016
Filebeat not reading log files Beats filebeat	4	3090	April 24, 2020
Filebeats not harvesting new file Beats filebeat	5	2359	February 8, 2019
[Filebeat] Newly added lines don't send to a server Beats filebeat	3	851	June 12, 2019

Filebeat does not read new lines

Related topics