Filebeat does not send data to logstash

vassiliy.vins · December 1, 2022, 7:55pm

Hi!

here is my filebeat config

filebeat.inputs:
- type: syslog
  id: my-filestream-id
  enabled: true
  paths:
    - /var/log/*.log
    - /var/log/nginx/access*.log
    - /var/log/messages
    - /bar/log/secure
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
output.logstash:
  hosts: ["192.168.0.61:5044"]
  tls:
     certificate_authorities: ["/etc/ssl/logstash_frwrd.crt"]
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

this is my logstash config

input {
	beats {
		port => 5044
		ssl => true
		ssl_certificate => "/etc/ssl/logstash_frwrd.crt"
		ssl_key => "/etc/ssl/logstash-forwarder.key"
		}
}
filter {
	if [type] == "syslog" {
				grok {
					match=>{ "message" => "%{SYSLOGLINE}" }
                                     }
				date {
					match => [ "timestamp", "MMM d HH:mm:ss",  "MMM dd HH:mm:ss" ]
	     			     }
			      }
	}
output {
	elasticsearch {
			hosts=> ["localhost"]
			index=>"%{[@metadata][beat]}-%{+YYYY.MM.dd}"
		      }
	stdout {
		codec => rubydebug
       	       }
       }

I'm checking with tcpdump if packets are sent to remote logstash with
tcpdump dst 192.168.0.61 - no packages are sent
and I'm listening on port 5044 on host 192.168.0.61 with tcpdump -Xni ens33 port 5044 - no packages are coming

Can you tell me what is wrong with my filebeat config?

leandrojmp · December 1, 2022, 7:57pm

Do you have anything in filebeat logs?

You need to share the logs from filebeat.

vassiliy.vins · December 1, 2022, 8:05pm

that's what I can see

tail -f filebeat-20221201.ndjson  
{"log.level":"info","@timestamp":"2022-12-01T12:56:32.006-0700","log.origin":{"file.name":"instance/beat.go","file.line":708},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-01T12:56:32.006-0700","log.origin":{"file.name":"instance/beat.go","file.line":716},"message":"Beat ID: ffb5ad29-8928-4222-83fb-716e7f30846a","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-12-01T12:56:35.011-0700","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}

vassiliy.vins · December 1, 2022, 8:13pm

from jornalctl

Dec 01 13:09:30 fbeat filebeat[7796]: {"log.level":"info","@timestamp":"2022-12-01T13:09:30.051-0700","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":186},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":40},"total":{"ticks":240,"value":240},"user":{"ticks":200}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"0d6df58d-f1b8-4882-8e8b-d11be7a4b027","uptime":{"ms":63078},"version":"8.5.2"},"memstats":{"gc_next":20875240,"memory_alloc":10354608,"memory_total":74655464,"rss":85393408},"runtime":{"goroutines":13}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.2,"15":0.36,"5":0.38,"norm":{"1":0.2,"15":0.36,"5":0.38}}}},"ecs.version":"1.6.0"}}
Dec 01 13:10:00 fbeat filebeat[7796]: {"log.level":"info","@timestamp":"2022-12-01T13:10:00.054-0700","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":186},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":40},"total":{"ticks":250,"time":{"ms":10},"value":250},"user":{"ticks":210,"time":{"ms":10}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"0d6df58d-f1b8-4882-8e8b-d11be7a4b027","uptime":{"ms":93082},"version":"8.5.2"},"memstats":{"gc_next":20875240,"memory_alloc":10481696,"memory_total":74782552,"rss":85393408},"runtime":{"goroutines":13}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.12,"15":0.35,"5":0.34,"norm":{"1":0.12,"15":0.35,"5":0.34}}}},"ecs.version":"1.6.0"}}
Dec 01 13:10:30 fbeat filebeat[7796]: {"log.level":"info","@timestamp":"2022-12-01T13:10:30.058-0700","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":186},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":50,"time":{"ms":10}},"total":{"ticks":260,"time":{"ms":10},"value":260},"user":{"ticks":210}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"0d6df58d-f1b8-4882-8e8b-d11be7a4b027","uptime":{"ms":123078},"version":"8.5.2"},"memstats":{"gc_next":20875240,"memory_alloc":10690000,"memory_total":74990856,"rss":85393408},"runtime":{"goroutines":13}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.38,"15":0.36,"5":0.38,"norm":{"1":0.38,"15":0.36,"5":0.38}}}},"ecs.version":"1.6.0"}}

vassiliy.vins · December 1, 2022, 8:27pm

I can see now the packages are sent to logstash and received on the other side

How can I verify that logstash receves logs data? any logs, data storage on logstash side? or any storage in elasticsearch I should verify?

vassiliy.vins · December 1, 2022, 9:26pm

I believe we can close the thread as I can see now that logstash receives data from filebeat but not able to send data to elasticsearch. New topic will be opened

Sunile_Manjee · December 2, 2022, 8:23pm

what did you find was the issue where beats wasn't sending data to logstash?

system · December 30, 2022, 8:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat does not send data to logstash Beats filebeat	10	1409	July 2, 2018
Filebeat doesn't send data to logstash (?) OR logstash isn't receiving it (?) Beats filebeat	7	7334	April 23, 2019
Filebeat is running but not sending logs/data to logstash Beats filebeat	2	1019	September 4, 2019
Filebeat 6.5.0 does not send data to logstash 6.5.0 Beats filebeat	4	768	December 17, 2018
Can't ship logs with filebeat to logstash Beats filebeat	11	839	August 14, 2020

Filebeat does not send data to logstash

Related topics