Filebeat error no data coming to kibana

Configure filebeat as indicated in the kibana integrations with the following steps:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.6.2-amd64.deb
sudo dpkg -i filebeat-8.6.2-amd64.deb

(modify these sections in /etc/filebeat/filebeat.yml)

output.elasticsearch:
  hosts: ["<es_url>"]
  username: "elastic"
  password: "<password>"
  # If using Elasticsearch's default certificate
  ssl.ca_trusted_fingerprint: "<es cert fingerprint>"
setup.kibana:
  host: "<kibana_url>"


filebeat modules enable activemq

filebeat setup
service filebeat start

I observed that the filebeat-* index was created, but it has no information

The connection is established correctly

service filebeat status without errors

Mar 19 22:22:02 XXXXXXXXXXX filebeat[87915]: {"log.level":"info","@timestamp":"2023-03-19T22:22:02.692-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":420,"time":{"ms":10}},"total":{"ticks":1060,"time":{"ms":10},"value":1060},"user":{"ticks":640}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"6a756f02-ba2e-43c2-bbb8-3225917032b1","uptime":{"ms":2013100},"version":"8.6.2"},"memstats":{"gc_next":17907720,"memory_alloc":9049240,"memory_total":64398416,"rss":101171200},"runtime":{"goroutines":12}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.2,"15":0.29,"5":0.25,"norm":{"1":0.05,"15":0.0725,"5":0.0625}}}},"ecs.version":"1.6.0"}}
Mar 19 22:22:32 XXXXXXXXXXX filebeat[87915]: {"log.level":"info","@timestamp":"2023-03-19T22:22:32.693-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":430,"time":{"ms":10}},"total":{"ticks":1070,"time":{"ms":10},"value":1070},"user":{"ticks":640}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"6a756f02-ba2e-43c2-bbb8-3225917032b1","uptime":{"ms":2043099},"version":"8.6.2"},"memstats":{"gc_next":17907720,"memory_alloc":9232032,"memory_total":64581208,"rss":101171200},"runtime":{"goroutines":12}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.2,"15":0.29,"5":0.24,"norm":{"1":0.05,"15":0.0725,"5":0.06}}}},"ecs.version":"1.6.0"}}
Mar 19 22:23:02 XXXXXXXXXXX filebeat[87915]: {"log.level":"info","@timestamp":"2023-03-19T22:23:02.693-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":430},"total":{"ticks":1080,"time":{"ms":10},"value":1080},"user":{"ticks":650,"time":{"ms":10}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"6a756f02-ba2e-43c2-bbb8-3225917032b1","uptime":{"ms":2073101},"version":"8.6.2"},"memstats":{"gc_next":17907720,"memory_alloc":8687192,"memory_total":64752856,"rss":101171200},"runtime":{"goroutines":12}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.12,"15":0.27,"5":0.22,"norm":{"1":0.03,"15":0.0675,"5":0.055}}}},"ecs.version":"1.6.0"}}
Mar 19 22:23:32 XXXXXXXXXXX filebeat[87915]: {"log.level":"info","@timestamp":"2023-03-19T22:23:32.694-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":440,"time":{"ms":10}},"total":{"ticks":1100,"time":{"ms":20},"value":1100},"user":{"ticks":660,"time":{"ms":10}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"6a756f02-ba2e-43c2-bbb8-3225917032b1","uptime":{"ms":2103101},"version":"8.6.2"},"memstats":{"gc_next":17907720,"memory_alloc":8838968,"memory_total":64904632,"rss":101171200},"runtime":{"goroutines":12}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.43,"15":0.29,"5":0.28,"norm":{"1":0.1075,"15":0.0725,"5":0.07}}}},"ecs.version":"1.6.0"}}
Mar 19 22:24:02 XXXXXXXXXXX filebeat[87915]: {"log.level":"info","@timestamp":"2023-03-19T22:24:02.694-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":440},"total":{"ticks":1100,"value":1100},"user":{"ticks":660}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"6a756f02-ba2e-43c2-bbb8-3225917032b1","uptime":{"ms":2133102},"version":"8.6.2"},"memstats":{"gc_next":17907720,"memory_alloc":9049800,"memory_total":65115464,"rss":101171200},"runtime":{"goroutines":12}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.47,"15":0.3,"5":0.3,"norm":{"1":0.1175,"15":0.075,"5":0.075}}}},"ecs.version":"1.6.0"}}
Mar 19 22:24:32 XXXXXXXXXXX filebeat[87915]: {"log.level":"info","@timestamp":"2023-03-19T22:24:32.693-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":440},"total":{"ticks":1110,"time":{"ms":10},"value":1110},"user":{"ticks":670,"time":{"ms":10}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"6a756f02-ba2e-43c2-bbb8-3225917032b1","uptime":{"ms":2163100},"version":"8.6.2"},"memstats":{"gc_next":17907720,"memory_alloc":9282128,"memory_total":65347792,"rss":101171200},"runtime":{"goroutines":12}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.28,"15":0.29,"5":0.27,"norm":{"1":0.07,"15":0.0725,"5":0.0675}}}},"ecs.version":"1.6.0"}}
Mar 19 22:25:02 XXXXXXXXXXX filebeat[87915]: {"log.level":"info","@timestamp":"2023-03-19T22:25:02.691-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":460,"time":{"ms":20}},"total":{"ticks":1140,"time":{"ms":30},"value":1140},"user":{"ticks":680,"time":{"ms":10}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"6a756f02-ba2e-43c2-bbb8-3225917032b1","uptime":{"ms":2193100},"version":"8.6.2"},"memstats":{"gc_next":17908744,"memory_alloc":8700512,"memory_total":65485824,"rss":101171200},"runtime":{"goroutines":12}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.51,"15":0.3,"5":0.32,"norm":{"1":0.1275,"15":0.075,"5":0.08}}}},"ecs.version":"1.6.0"}}
Mar 19 22:25:32 XXXXXXXXXXX filebeat[87915]: {"log.level":"info","@timestamp":"2023-03-19T22:25:32.692-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":460},"total":{"ticks":1140,"value":1140},"user":{"ticks":680}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"6a756f02-ba2e-43c2-bbb8-3225917032b1","uptime":{"ms":2223099},"version":"8.6.2"},"memstats":{"gc_next":17908744,"memory_alloc":8900608,"memory_total":65685920,"rss":101171200},"runtime":{"goroutines":12}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.45,"15":0.3,"5":0.32,"norm":{"1":0.1125,"15":0.075,"5":0.08}}}},"ecs.version":"1.6.0"}}
Mar 19 22:26:02 XXXXXXXXXXX filebeat[87915]: {"log.level":"info","@timestamp":"2023-03-19T22:26:02.695-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":460},"total":{"ticks":1150,"time":{"ms":10},"value":1150},"user":{"ticks":690,"time":{"ms":10}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"6a756f02-ba2e-43c2-bbb8-3225917032b1","uptime":{"ms":2253103},"version":"8.6.2"},"memstats":{"gc_next":17908744,"memory_alloc":9090232,"memory_total":65875544,"rss":101171200},"runtime":{"goroutines":12}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.4,"15":0.3,"5":0.32,"norm":{"1":0.1,"15":0.075,"5":0.08}}}},"ecs.version":"1.6.0"}}
Mar 19 22:26:32 XXXXXXXXXXX filebeat[87915]: {"log.level":"info","@timestamp":"2023-03-19T22:26:32.693-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":470,"time":{"ms":10}},"total":{"ticks":1160,"time":{"ms":10},"value":1160},"user":{"ticks":690}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"6a756f02-ba2e-43c2-bbb8-3225917032b1","uptime":{"ms":2283101},"version":"8.6.2"},"memstats":{"gc_next":17908744,"memory_alloc":9203840,"memory_total":65989152,"rss":101171200},"runtime":{"goroutines":12}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.37,"15":0.3,"5":0.32,"norm":{"1":0.0925,"15":0.075,"5":0.08}}}},"ecs.version":"1.6.0"}}

filebeat.yml


###################### Filebeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html

# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.

# ============================== Filebeat inputs ===============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

# filestream is an input for collecting log messages from files.
- type: filestream

  # Unique ID among all inputs, an ID is required.
  id: my-filestream-id

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  # Line filtering happens after the parsers pipeline. If you would like to filter lines
  # before parsers, use include_message parser.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  # Line filtering happens after the parsers pipeline. If you would like to filter lines
  # before parsers, use include_message parser.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #prospector.scanner.exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

  module: activemq
  audit:
    enabled: true
    var.paths: ["/XXXX/active-mq/data/audit.log*"]
  log:
    enabled: true
    var.paths: ["/XXXXX/active-mq/data/activemq.log*"]
# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false


# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "XXXXXXXXXX:80"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["http://XXXXXXXXXX:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "http"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "XXXXXXXXXX"

# ------------------------------ Logstash Output -------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
#logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================
# Filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

# ============================== Instrumentation ===============================

# Instrumentation support for the filebeat.
#instrumentation:
    # Set to true to enable instrumentation of filebeat.
    #enabled: false

    # Environment in which filebeat is running on (eg: staging, production, etc.)
    #environment: ""

    # APM Server hosts to report instrumentation results to.
    #hosts:
    #  - http://localhost:8200

    # API Key for the APM Server(s).
    # If api_key is set then secret_token will be ignored.
    #api_key:

    # Secret token for the APM Server(s).
    #secret_token:


# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true


As far as I can see, everything is fine, but I don't see any errors.

Hi @Whazaza

Why did you move this into this file instead of just leaving it in the modules directory?
I am not sure that is the correct syntax; perhaps no harvester is getting loaded.

Get rid of all that, instead

metricbeat modules enable activemq

Then configure modules.d/activemq.yml correctly

then run

metricbeat setup -e

Then start metricbeat again AND look at the beginning of the filebeat logs, the first 50-100 lines; you should see it start harvesters ... to me the error message looks like it hasn't started any harvester.

Also triple-check that the paths to the logs are actually there and readable.

But I need the filebeat data to use the default ActiveMQ dashboards

Exactly...Right so ...

Enable and configure data collection modules

Instead, enable the activemq module just like the example for nginx.

That is how you use modules.

Follow the quick start end to end, and instead of enabling nginx, enable activemq as I showed above.

Then edit the activemq.yml, enable the inputs, etc.

I followed all the steps and so I don't have information in kibana

1-

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.6.2-amd64.deb
sudo dpkg -i filebeat-8.6.2-amd64.deb

2-

###################### Filebeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html

# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.

# ============================== Filebeat inputs ===============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

# filestream is an input for collecting log messages from files.
- type: filestream

  # Unique ID among all inputs, an ID is required.
  id: my-filestream-id

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  # Line filtering happens after the parsers pipeline. If you would like to filter lines
  # before parsers, use include_message parser.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  # Line filtering happens after the parsers pipeline. If you would like to filter lines
  # before parsers, use include_message parser.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #prospector.scanner.exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false


# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "XXXXXXXXXX:80"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["http://XXXXXXXXXX:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "http"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "XXXXXXXXXX"

# ------------------------------ Logstash Output -------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
#logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================
# Filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

# ============================== Instrumentation ===============================

# Instrumentation support for the filebeat.
#instrumentation:
    # Set to true to enable instrumentation of filebeat.
    #enabled: false

    # Environment in which filebeat is running on (eg: staging, production, etc.)
    #environment: ""

    # APM Server hosts to report instrumentation results to.
    #hosts:
    #  - http://localhost:8200

    # API Key for the APM Server(s).
    # If api_key is set then secret_token will be ignored.
    #api_key:

    # Secret token for the APM Server(s).
    #secret_token:


# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

3-

image

image

4-
filebeat setup -e

Loaded Ingest pipelines

5-
service filebeat start

● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/lib/systemd/system/filebeat.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2023-03-20 02:34:11 -03; 57s ago
     Docs: https://www.elastic.co/beats/filebeat
 Main PID: 18121 (filebeat)
    Tasks: 9 (limit: 19660)
   CGroup: /system.slice/filebeat.service
           └─18121 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat

Mar 20 02:34:14 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T02:34:14.362-0300","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
Mar 20 02:34:14 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T02:34:14.362-0300","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 0","service.name":"filebeat","ecs.version":"1.6.0"}
Mar 20 02:34:14 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T02:34:14.362-0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
Mar 20 02:34:14 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T02:34:14.362-0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.enabled filebeat.inputs.0.id filebeat.inputs.0.paths.0 filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
Mar 20 02:34:14 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T02:34:14.362-0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":121},"message":"input disabled, skipping it","service.name":"filebeat","ecs.version":"1.6.0"}
Mar 20 02:34:14 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T02:34:14.363-0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":106},"message":"Loading and starting Inputs completed. Enabled inputs: 0","service.name":"filebeat","ecs.version":"1.6.0"}
Mar 20 02:34:14 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T02:34:14.363-0300","log.origin":{"file.name":"cfgfile/reload.go","file.line":164},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
Mar 20 02:34:14 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T02:34:14.364-0300","log.origin":{"file.name":"cfgfile/reload.go","file.line":224},"message":"Loading of config files completed.","service.name":"filebeat","ecs.version":"1.6.0"}
Mar 20 02:34:17 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T02:34:17.351-0300","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":102},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"filebeat","ecs.version":"1.6.0"}
Mar 20 02:34:44 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T02:34:44.367-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":40,"time":{"ms":40}},"total":{"ticks":240,"time":{"ms":240},"value":240},"user":{"ticks":200,"time":{"ms":200}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"2d41aa36-abba-4ddd-8739-4fb18db0a52c","name":"filebeat","uptime":{"ms":33109},"version":"8.6.2"},"memstats":{"gc_next":20570536,"memory_alloc":14343080,"memory_sys":33637384,"memory_total":52121048,"rss":108814336},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0},"reloads":1,"scans":1},"output":{"events":{"active":0},"type":"elasticsearch"},"pipeline":{"clients":0,"events":{"active":0},"queue":{"max_events":4096}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":4},"load":{"1":0.23,"15":0.27,"5":0.27,"norm":{"1":0.0575,"15":0.0675,"5":0.0675}}}},"ecs.version":"1.6.0"}}

but in kibana I still don't see anything :frowning:

because of this the default boards have no information

Did you try to test the output and config?

filebeat test output

filebeat test config

You did not show the startup logs.

journalctl -u filebeat -f

What do the filebeat logs show?

Start up and share the first 50-100 lines in a pastebin or gist

You are going to solve this by looking at logs.

Are there activemq logs in the folders ...are they growing?

Go to Kibana Dev Tools and run

GET _cat/indices?v

Show the output

1-
image

2-
image

3- tail -f /var/log/filebeat/filebeat-20230320

{"log.level":"info","@timestamp":"2023-03-20T02:27:10.663-0300","log.origin":{"file.name":"instance/beat.go","file.line":724},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T02:27:10.663-0300","log.origin":{"file.name":"instance/beat.go","file.line":732},"message":"Beat ID: db30f7c4-8b75-4402-869c-0b1a63d70480","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-03-20T02:27:13.666-0300","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}

4-journalctl -u filebeat -f

-- Logs begin at Wed 2023-03-15 06:33:45 -03. --
Mar 20 03:02:44 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T03:02:44.366-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":320},"total":{"ticks":990,"time":{"ms":20},"value":990},"user":{"ticks":670,"time":{"ms":20}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"2d41aa36-abba-4ddd-8739-4fb18db0a52c","uptime":{"ms":1713105},"version":"8.6.2"},"memstats":{"gc_next":18019992,"memory_alloc":8746648,"memory_total":62458984,"rss":102318080},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.33,"15":0.33,"5":0.37,"norm":{"1":0.0825,"15":0.0825,"5":0.0925}}}},"ecs.version":"1.6.0"}}
Mar 20 03:03:14 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T03:03:14.365-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":330,"time":{"ms":10}},"total":{"ticks":1010,"time":{"ms":20},"value":1010},"user":{"ticks":680,"time":{"ms":10}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"2d41aa36-abba-4ddd-8739-4fb18db0a52c","uptime":{"ms":1743108},"version":"8.6.2"},"memstats":{"gc_next":18019992,"memory_alloc":8925376,"memory_total":62637712,"rss":102318080},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.32,"15":0.33,"5":0.37,"norm":{"1":0.08,"15":0.0825,"5":0.0925}}}},"ecs.version":"1.6.0"}}
Mar 20 03:03:44 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T03:03:44.366-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":330},"total":{"ticks":1010,"value":1010},"user":{"ticks":680}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"2d41aa36-abba-4ddd-8739-4fb18db0a52c","uptime":{"ms":1773106},"version":"8.6.2"},"memstats":{"gc_next":18019992,"memory_alloc":9130744,"memory_total":62843080,"rss":102318080},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.32,"15":0.33,"5":0.37,"norm":{"1":0.08,"15":0.0825,"5":0.0925}}}},"ecs.version":"1.6.0"}}
Mar 20 03:04:14 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T03:04:14.366-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":340,"time":{"ms":10}},"total":{"ticks":1020,"time":{"ms":10},"value":1020},"user":{"ticks":680}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"2d41aa36-abba-4ddd-8739-4fb18db0a52c","uptime":{"ms":1803107},"version":"8.6.2"},"memstats":{"gc_next":18019992,"memory_alloc":9230808,"memory_total":62943144,"rss":102318080},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.27,"15":0.33,"5":0.35,"norm":{"1":0.0675,"15":0.0825,"5":0.0875}}}},"ecs.version":"1.6.0"}}
Mar 20 03:04:44 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T03:04:44.366-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":340},"total":{"ticks":1040,"time":{"ms":20},"value":1040},"user":{"ticks":700,"time":{"ms":20}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"2d41aa36-abba-4ddd-8739-4fb18db0a52c","uptime":{"ms":1833106},"version":"8.6.2"},"memstats":{"gc_next":18043688,"memory_alloc":8738552,"memory_total":63194256,"rss":102318080},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.37,"15":0.33,"5":0.36,"norm":{"1":0.0925,"15":0.0825,"5":0.09}}}},"ecs.version":"1.6.0"}}
Mar 20 03:05:14 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T03:05:14.366-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":350,"time":{"ms":10}},"total":{"ticks":1060,"time":{"ms":20},"value":1060},"user":{"ticks":710,"time":{"ms":10}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"2d41aa36-abba-4ddd-8739-4fb18db0a52c","uptime":{"ms":1863105},"version":"8.6.2"},"memstats":{"gc_next":18043688,"memory_alloc":8918072,"memory_total":63373776,"rss":102318080},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.29,"15":0.33,"5":0.34,"norm":{"1":0.0725,"15":0.0825,"5":0.085}}}},"ecs.version":"1.6.0"}}
Mar 20 03:05:44 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T03:05:44.367-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":360,"time":{"ms":10}},"total":{"ticks":1070,"time":{"ms":10},"value":1070},"user":{"ticks":710}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"2d41aa36-abba-4ddd-8739-4fb18db0a52c","uptime":{"ms":1893107},"version":"8.6.2"},"memstats":{"gc_next":18043688,"memory_alloc":9132712,"memory_total":63588416,"rss":102318080},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.29,"15":0.33,"5":0.34,"norm":{"1":0.0725,"15":0.0825,"5":0.085}}}},"ecs.version":"1.6.0"}}
Mar 20 03:06:14 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T03:06:14.365-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":370,"time":{"ms":10}},"total":{"ticks":1080,"time":{"ms":10},"value":1080},"user":{"ticks":710}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"2d41aa36-abba-4ddd-8739-4fb18db0a52c","uptime":{"ms":1923108},"version":"8.6.2"},"memstats":{"gc_next":18043688,"memory_alloc":9283696,"memory_total":63739400,"rss":102318080},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.37,"15":0.33,"5":0.35,"norm":{"1":0.0925,"15":0.0825,"5":0.0875}}}},"ecs.version":"1.6.0"}}
Mar 20 03:06:44 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T03:06:44.364-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":370},"total":{"ticks":1100,"time":{"ms":20},"value":1100},"user":{"ticks":730,"time":{"ms":20}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"2d41aa36-abba-4ddd-8739-4fb18db0a52c","uptime":{"ms":1953106},"version":"8.6.2"},"memstats":{"gc_next":18021016,"memory_alloc":8658352,"memory_total":63854760,"rss":102318080},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.47,"15":0.34,"5":0.38,"norm":{"1":0.1175,"15":0.085,"5":0.095}}}},"ecs.version":"1.6.0"}}
Mar 20 03:07:14 XXXXXXXXXXX filebeat[18121]: {"log.level":"info","@timestamp":"2023-03-20T03:07:14.364-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":370},"total":{"ticks":1110,"time":{"ms":10},"value":1110},"user":{"ticks":740,"time":{"ms":10}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"2d41aa36-abba-4ddd-8739-4fb18db0a52c","uptime":{"ms":1983105},"version":"8.6.2"},"memstats":{"gc_next":18021016,"memory_alloc":8906648,"memory_total":64103056,"rss":102318080},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.46,"15":0.35,"5":0.39,"norm":{"1":0.115,"15":0.0875,"5":0.0975}}}},"ecs.version":"1.6.0"}}

5-

6-
GET _cat/indices?v

health status index                                      uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   downtime                                   iCtohr9dQnWERrv70-7cmw   1   1       8661            0    122.6mb        122.6mb
yellow open   .ds-heartbeat-8.6.2-2023.03.17-000001      rdxpiYtmRnuW6DxOOW-t1w   1   1          0            0       225b           225b
yellow open   downtime-ehcos                             cSNIRlW5QrWP6tsaZ_GZaA   1   1       8924            0     22.6mb         22.6mb
yellow open   .ds-logs-generic-default-2023.03.15-000001 pALBWpkHQT2nAIEbTV4MbA   1   1     619209            0    959.1mb        959.1mb
yellow open   .ds-metricbeat-8.6.2-2023.03.17-000001     2jgp9hHrTpSky-y6gX8o6Q   1   1   14014291            0     12.5gb         12.5gb
yellow open   .ds-filebeat-8.6.2-2023.03.20-000001       FFWt21kfQQmlI4RIvQVfQw   1   1          0            0       225b           225b
yellow open   uptime                                     V9o4ZjWuRwmobbW7hGwTfQ   1   1     247710            0     76.6mb         76.6mb

7-GET filebeat-*/_search

{
  "took": 0,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 0,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  }
}

Just in case, the server can't be seen from outside the network it's on, but it can import stuff from the internet.

Good info

You need to see the logs from the beginning.

Start filebeat in the foreground. Everything indicates that there are no actual logs being harvested...

Triple check the paths
Are they symlinks?

The startup logs for filebeat are many more logs than you showed...

Try looking at the logs here

/var/log/filebeat

Try starting in the foreground

/usr/share/filebeat/bin/filebeat --e -c /etc/filebeat/filebeat.yml

Try clearing the contents of the registry at... This keeps track of what has already been read.

/var/lib/filebeat

1-
image

I had a symbolic link in /opt/activemq/ and I changed it to the original path and even so I still have no information

3- /usr/share/filebeat/bin/filebeat --e -c /etc/filebeat/filebeat.yml

{"log.level":"info","@timestamp":"2023-03-20T03:45:04.447-0300","log.origin":{"file.name":"instance/beat.go","file.line":724},"message":"Home path: [/usr/share/filebeat/bin] Config path: [/usr/share/filebeat/bin] Data path: [/usr/share/filebeat/bin/data] Logs path: [/usr/share/filebeat/bin/logs]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:04.447-0300","log.origin":{"file.name":"instance/beat.go","file.line":732},"message":"Beat ID: 57a4e82a-a70e-497f-9a77-ac5db3efc2ce","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-03-20T03:45:07.450-0300","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.452-0300","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.452-0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1096},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/usr/share/filebeat/bin","data":"/usr/share/filebeat/bin/data","home":"/usr/share/filebeat/bin","logs":"/usr/share/filebeat/bin/logs"},"type":"filebeat","uuid":"57a4e82a-a70e-497f-9a77-ac5db3efc2ce"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.452-0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1105},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"9b77c2c135c228c2eedc310f6e975bb1a76169b1","libbeat":"8.6.2","time":"2023-02-12T04:37:19.000Z","version":"8.6.2"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.452-0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1108},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":4,"version":"go1.18.10"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.453-0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1112},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-01-31T16:45:09-03:00","containerized":false,"name":"d250lxsamupr03","ip":["127.0.0.1/8","192.168.220.3/24","10.250.1.65/32"],"kernel_version":"4.9.0-8-amd64","mac":["00:50:56:a1:7b:4f"],"os":{"type":"linux","family":"debian","platform":"debian","name":"Debian GNU/Linux","version":"9 (stretch)","major":9,"minor":0,"patch":0,"codename":"stretch"},"timezone":"-03","timezone_offset_sec":-10800,"id":"0938be1cf0594e1085e0251d6729006f"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.454-0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1141},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null},"cwd":"/etc/filebeat","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":33527,"ppid":83189,"seccomp":{"mode":"filter"},"start_time":"2023-03-20T03:45:03.740-0300"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.454-0300","log.origin":{"file.name":"instance/beat.go","file.line":296},"message":"Setup Beat: filebeat; Version: 8.6.2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.464-0300","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":108},"message":"elasticsearch url: http://10.250.61.178:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.464-0300","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":113},"message":"Beat name: d250lxsamupr03","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-03-20T03:45:07.464-0300","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":137},"message":"Not loading modules. Module directory not found: /usr/share/filebeat/bin/module","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.464-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":145},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.465-0300","log.origin":{"file.name":"instance/beat.go","file.line":486},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.465-0300","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/usr/share/filebeat/bin/data/registry/filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.465-0300","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.465-0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.466-0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.enabled filebeat.inputs.0.id filebeat.inputs.0.paths.0 filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.466-0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":121},"message":"input disabled, skipping it","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.466-0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":106},"message":"Loading and starting Inputs completed. Enabled inputs: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.466-0300","log.origin":{"file.name":"cfgfile/reload.go","file.line":164},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:07.466-0300","log.origin":{"file.name":"cfgfile/reload.go","file.line":224},"message":"Loading of config files completed.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:10.451-0300","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":102},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T03:45:37.470-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":40,"time":{"ms":40}},"total":{"ticks":250,"time":{"ms":250},"value":250},"user":{"ticks":210,"time":{"ms":210}}},"handles":{"limit":{"hard":1048576,"soft":1024},"open":10},"info":{"ephemeral_id":"dd30ccba-f139-4235-8df1-de4b5743482d","name":"filebeat","uptime":{"ms":33104},"version":"8.6.2"},"memstats":{"gc_next":21402680,"memory_alloc":10920160,"memory_sys":29180936,"memory_total":52074632,"rss":105172992},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0},"reloads":1,"scans":1},"output":{"events":{"active":0},"type":"elasticsearch"},"pipeline":{"clients":0,"events":{"active":0},"queue":{"max_events":4096}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":4},"load":{"1":0.39,"15":0.3,"5":0.27,"norm":{"1":0.0975,"15":0.075,"5":0.0675}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-03-20T03:46:07.469-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":40},"total":{"ticks":260,"time":{"ms":10},"value":260},"user":{"ticks":220,"time":{"ms":10}}},"handles":{"limit":{"hard":1048576,"soft":1024},"open":10},"info":{"ephemeral_id":"dd30ccba-f139-4235-8df1-de4b5743482d","uptime":{"ms":63105},"version":"8.6.2"},"memstats":{"gc_next":21402680,"memory_alloc":11075248,"memory_total":52229720,"rss":105172992},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.37,"15":0.3,"5":0.28,"norm":{"1":0.0925,"15":0.075,"5":0.07}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-03-20T03:46:37.468-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":50,"time":{"ms":10}},"total":{"ticks":280,"time":{"ms":20},"value":280},"user":{"ticks":230,"time":{"ms":10}}},"handles":{"limit":{"hard":1048576,"soft":1024},"open":10},"info":{"ephemeral_id":"dd30ccba-f139-4235-8df1-de4b5743482d","uptime":{"ms":93104},"version":"8.6.2"},"memstats":{"gc_next":21402680,"memory_alloc":11218512,"memory_total":52372984,"rss":105172992},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.53,"15":0.31,"5":0.33,"norm":{"1":0.1325,"15":0.0775,"5":0.0825}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-03-20T03:47:07.470-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":50},"total":{"ticks":290,"time":{"ms":10},"value":290},"user":{"ticks":240,"time":{"ms":10}}},"handles":{"limit":{"hard":1048576,"soft":1024},"open":10},"info":{"ephemeral_id":"dd30ccba-f139-4235-8df1-de4b5743482d","uptime":{"ms":123104},"version":"8.6.2"},"memstats":{"gc_next":21402680,"memory_alloc":11402224,"memory_total":52556696,"rss":105172992},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.43,"15":0.31,"5":0.33,"norm":{"1":0.1075,"15":0.0775,"5":0.0825}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-03-20T03:47:37.470-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":70,"time":{"ms":20}},"total":{"ticks":320,"time":{"ms":30},"value":320},"user":{"ticks":250,"time":{"ms":10}}},"handles":{"limit":{"hard":1048576,"soft":1024},"open":10},"info":{"ephemeral_id":"dd30ccba-f139-4235-8df1-de4b5743482d","uptime":{"ms":153103},"version":"8.6.2"},"memstats":{"gc_next":18407048,"memory_alloc":8946968,"memory_total":52823520,"rss":101601280},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.56,"15":0.33,"5":0.36,"norm":{"1":0.14,"15":0.0825,"5":0.09}}}},"ecs.version":"1.6.0"}}


and no new log files are created
image

This is not good, not sure why but you are missing a very important directory... perhaps re-install

root@stephenb-es-8-test:~# ls -l /usr/share/filebeat/
total 2580
-rw-r--r--  1 root root   13675 Feb 12 04:07 LICENSE.txt
-rw-r--r--  1 root root 2607008 Feb 12 04:07 NOTICE.txt
-rw-r--r--  1 root root     809 Feb 12 04:47 README.md
drwxr-xr-x  3 root root    4096 Mar 20 14:20 bin
drwxr-xr-x  4 root root    4096 Mar 20 14:18 kibana
drwxr-xr-x 71 root root    4096 Mar 20 14:18 module <!---- NEED THIS 

and I messed up the command bit

/usr/share/filebeat/bin/filebeat -e -d "*" -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat
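The log lines posted above already carry the signals that matter: a skipped input, zero enabled inputs, a module directory looked up under the binary's own directory, and metrics snapshots with no harvesters or modules running. As an added example (not part of the original thread and not Elastic's code), this Python sketch pulls those signals out of raw or journald-prefixed Filebeat JSON logs; the function names and the sample lines are constructed for illustration.

```python
import json

# Constructed sample, shaped like the journald and foreground lines in this
# thread (message strings copied from it, everything else trimmed).
SAMPLE_LOG = r'''-- Logs begin at Wed 2023-03-15 06:33:45 -03. --
Mar 20 02:34:14 host filebeat[18121]: {"log.level":"info","log.logger":"crawler","message":"Loading Inputs: 1"}
Mar 20 02:34:14 host filebeat[18121]: {"log.level":"info","log.logger":"crawler","message":"input disabled, skipping it"}
Mar 20 02:34:14 host filebeat[18121]: {"log.level":"info","log.logger":"crawler","message":"Loading and starting Inputs completed. Enabled inputs: 0"}
{"log.level":"error","log.logger":"modules","message":"Not loading modules. Module directory not found: /usr/share/filebeat/bin/module"}
{"log.level":"info","log.logger":"monitoring","message":"Non-zero metrics in the last 30s","monitoring":{"metrics":{"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}}}}}}
{"log.level":"info","log.logger":"monitoring","message":"Non-zero metrics in the last 30s","monitoring":{"metrics":{"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}}}}}}
{"log.level":"info","message":"truncated line
'''

ENABLED_PREFIX = "Loading and starting Inputs completed. Enabled inputs: "
MODULE_DIR_PREFIX = "Not loading modules. Module directory not found: "


def parse_line(line):
    """Return the JSON event in a raw or journald-prefixed line, else None."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        event = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def dig(obj, *keys):
    """Walk nested dicts; return None as soon as a key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def triage(lines):
    """Summarise the 'running but shipping nothing' signals in Filebeat logs."""
    report = {
        "disabled_inputs": 0,
        "enabled_inputs": None,      # last "Enabled inputs: N" seen
        "missing_module_dirs": [],
        "metric_snapshots": 0,
        "idle_snapshots": 0,         # no harvester and no module running
        "unparsed_lines": 0,
    }
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            report["unparsed_lines"] += 1
            continue
        msg = event.get("message", "")
        if msg == "input disabled, skipping it":
            report["disabled_inputs"] += 1
        elif msg.startswith(ENABLED_PREFIX):
            try:
                report["enabled_inputs"] = int(msg[len(ENABLED_PREFIX):])
            except ValueError:
                pass
        elif msg.startswith(MODULE_DIR_PREFIX):
            path = msg[len(MODULE_DIR_PREFIX):]
            if path not in report["missing_module_dirs"]:
                report["missing_module_dirs"].append(path)
        elif msg == "Non-zero metrics in the last 30s":
            metrics = dig(event, "monitoring", "metrics")
            report["metric_snapshots"] += 1
            harvesters = dig(metrics, "filebeat", "harvester", "running")
            modules = dig(metrics, "libbeat", "config", "module", "running")
            if harvesters == 0 and modules == 0:
                report["idle_snapshots"] += 1
    return report


def nothing_harvested(report):
    """True when the logs say the shipper is up but reading no files."""
    all_idle = (report["metric_snapshots"] > 0
                and report["idle_snapshots"] == report["metric_snapshots"])
    return report["enabled_inputs"] == 0 or all_idle


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print(json.dumps(result, indent=2))
    print("nothing harvested:", nothing_harvested(result))
```

Feed it the output of `journalctl -u filebeat` or a file under /var/log/filebeat; a service that systemd reports as active while every snapshot is idle is a silent gap in log collection.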

The folder does exist in /usr/share/filebeat/, but the error indicates that it should be in
/usr/share/filebeat/bin/module, but you have the module directory the same as me, in /usr/share/filebeat/module

root@d250lxsamupr03:/var/log# tree -L 2 /usr/share/filebeat/
/usr/share/filebeat/
├── bin
│   ├── data
│   ├── filebeat
│   └── filebeat-god
├── kibana
│   ├── 7
│   └── 8
├── LICENSE.txt
├── module
│   ├── activemq
│   ├── apache
│   ├── auditd
│   ├── aws
│   ├── awsfargate
│   ├── azure
│   ├── barracuda
│   ├── bluecoat
│   ├── cef
│   ├── checkpoint
│   ├── cisco
│   ├── coredns
│   ├── crowdstrike
│   ├── cyberarkpas
│   ├── cylance
│   ├── elasticsearch
│   ├── envoyproxy
│   ├── f5
│   ├── fortinet
│   ├── gcp
│   ├── google_workspace
│   ├── haproxy
│   ├── ibmmq
│   ├── icinga
│   ├── iis
│   ├── imperva
│   ├── infoblox
│   ├── iptables
│   ├── juniper
│   ├── kafka
│   ├── kibana
│   ├── logstash
│   ├── microsoft
│   ├── misp
│   ├── mongodb
│   ├── mssql
│   ├── mysql
│   ├── mysqlenterprise
│   ├── nats
│   ├── netflow
│   ├── netscout
│   ├── nginx
│   ├── o365
│   ├── okta
│   ├── oracle
│   ├── osquery
│   ├── panw
│   ├── pensando
│   ├── postgresql
│   ├── proofpoint
│   ├── rabbitmq
│   ├── radware
│   ├── redis
│   ├── salesforce
│   ├── santa
│   ├── snort
│   ├── snyk
│   ├── sonicwall
│   ├── sophos
│   ├── squid
│   ├── suricata
│   ├── system
│   ├── threatintel
│   ├── tomcat
│   ├── traefik
│   ├── zeek
│   ├── zookeeper
│   ├── zoom
│   └── zscaler
├── NOTICE.txt
└── README.md

75 directories, 5 files

/usr/share/filebeat/bin/filebeat -e -d "*" -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat

{"log.level":"info","@timestamp":"2023-03-20T13:30:25.657-0300","log.origin":{"file.name":"instance/beat.go","file.line":724},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:25.657-0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":782},"message":"Beat metadata path: /var/lib/filebeat/meta.json","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:25.657-0300","log.origin":{"file.name":"instance/beat.go","file.line":732},"message":"Beat ID: db30f7c4-8b75-4402-869c-0b1a63d70480","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:25.659-0300","log.logger":"conditions","log.origin":{"file.name":"conditions/conditions.go","file.line":98},"message":"New condition contains: map[]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:25.659-0300","log.logger":"conditions","log.origin":{"file.name":"conditions/conditions.go","file.line":98},"message":"New condition !contains: map[]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-03-20T13:30:28.660-0300","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:28.660-0300","log.logger":"docker","log.origin":{"file.name":"docker/client.go","file.line":49},"message":"Docker client will negotiate the API version on the first request.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:28.660-0300","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/providers.go","file.line":130},"message":"add_cloud_metadata: starting to fetch metadata, timeout=3s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:28.661-0300","log.logger":"add_docker_metadata","log.origin":{"file.name":"add_docker_metadata/add_docker_metadata.go","file.line":91},"message":"add_docker_metadata: docker environment not detected: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:28.662-0300","log.logger":"kubernetes","log.origin":{"file.name":"add_kubernetes_metadata/kubernetes.go","file.line":148},"message":"Could not create kubernetes client using in_cluster config: unable to build kube config due to error: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable","service.name":"filebeat","libbeat.processor":"add_kubernetes_metadata","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.662-0300","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/providers.go","file.line":167},"message":"add_cloud_metadata: received disposition for azure after 3.001090497s. result=[provider:azure, error=failed requesting azure metadata: Get \"http://169.254.169.254/metadata/instance/compute?api-version=2017-04-02\": dial tcp 169.254.169.254:80: i/o timeout, metadata={}]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.662-0300","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/providers.go","file.line":174},"message":"add_cloud_metadata: timed-out waiting for all responses","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.662-0300","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/providers.go","file.line":133},"message":"add_cloud_metadata: fetchMetadata ran for 3.001446262s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.662-0300","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":102},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.662-0300","log.logger":"processors","log.origin":{"file.name":"processors/processor.go","file.line":121},"message":"Generated new processors: add_host_metadata=[netinfo.enabled=[true], cache.ttl=[5m0s]], condition=!contains: map[], add_cloud_metadata={}, add_docker_metadata=[match_fields=[] match_pids=[process.pid, process.parent.pid]], add_kubernetes_metadata","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.663-0300","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":117},"message":"Loading syscall filter","service.name":"filebeat","seccomp_filter":{"no_new_privs":true,"flag":"tsync","policy":{"default_action":"errno","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","chmod","chown","clock_gettime","clock_nanosleep","clone","clone3","close","connect","dup","dup2","epoll_create","epoll_create1","epoll_ctl","epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchmodat","fchown","fchownat","fcntl","fdatasync","flock","fstat","fstatfs","fsync","ftruncate","futex","getcwd","getdents","getdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname","getsockopt","gettid","gettimeofday","getuid","inotify_add_watch","inotify_init1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","munmap","nanosleep","newfstatat","open","openat","pipe","pipe2","poll","ppoll","pread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat","rseq","rt_sigaction","rt_sigprocmask","rt_sigreturn","sched_getaffinity","sched_yield","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","socket","splice","stat","statfs","sysinfo","tgkill","time","tkill","uname","unlink","unlinkat","wait4","waitid","write","writev"],"action":"allow"}]}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.665-0300","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.665-0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1096},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"db30f7c4-8b75-4402-869c-0b1a63d70480"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.665-0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1105},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"9b77c2c135c228c2eedc310f6e975bb1a76169b1","libbeat":"8.6.2","time":"2023-02-12T04:37:19.000Z","version":"8.6.2"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.665-0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1108},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":4,"version":"go1.18.10"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.667-0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1112},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-01-31T16:45:09-03:00","containerized":false,"name":"d250lxsamupr03","ip":["127.0.0.1/8","192.168.220.3/24","10.250.1.65/32"],"kernel_version":"4.9.0-8-amd64","mac":["00:50:56:a1:7b:4f"],"os":{"type":"linux","family":"debian","platform":"debian","name":"Debian GNU/Linux","version":"9 (stretch)","major":9,"minor":0,"patch":0,"codename":"stretch"},"timezone":"-03","timezone_offset_sec":-10800,"id":"0938be1cf0594e1085e0251d6729006f"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.668-0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1141},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null},"cwd":"/var/log","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":29521,"ppid":31708,"seccomp":{"mode":"filter"},"start_time":"2023-03-20T13:30:24.970-0300"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.669-0300","log.origin":{"file.name":"instance/beat.go","file.line":296},"message":"Setup Beat: filebeat; Version: 8.6.2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.670-0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":321},"message":"Initializing output plugins","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.681-0300","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":108},"message":"elasticsearch url: http://10.250.61.178:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.682-0300","log.logger":"publisher","log.origin":{"file.name":"pipeline/consumer.go","file.line":98},"message":"start pipeline event consumer","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.682-0300","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":113},"message":"Beat name: d250lxsamupr03","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.682-0300","log.logger":"publisher","log.origin":{"file.name":"pipeline/queue_reader.go","file.line":49},"message":"pipeline event consumer queue reader: start","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.682-0300","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":120},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.683-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":145},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.683-0300","log.origin":{"file.name":"instance/beat.go","file.line":486},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.683-0300","log.logger":"test","log.origin":{"file.name":"registrar/migrate.go","file.line":287},"message":"isFile(/var/lib/filebeat/registry) -> false","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.684-0300","log.logger":"test","log.origin":{"file.name":"registrar/migrate.go","file.line":287},"message":"isFile() -> false","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.684-0300","log.logger":"test","log.origin":{"file.name":"registrar/migrate.go","file.line":280},"message":"isDir(/var/lib/filebeat/registry/filebeat) -> true","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.684-0300","log.logger":"test","log.origin":{"file.name":"registrar/migrate.go","file.line":287},"message":"isFile(/var/lib/filebeat/registry/filebeat/meta.json) -> true","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.684-0300","log.logger":"registrar","log.origin":{"file.name":"registrar/migrate.go","file.line":82},"message":"Registry type '1' found","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.684-0300","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.684-0300","log.logger":"httpjson.transforms","log.origin":{"file.name":"httpjson/transform_registry.go","file.line":75},"message":"Register transform request:append","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"httpjson.transforms","log.origin":{"file.name":"httpjson/transform_registry.go","file.line":75},"message":"Register transform request:delete","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"httpjson.transforms","log.origin":{"file.name":"httpjson/transform_registry.go","file.line":75},"message":"Register transform request:set","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"httpjson.transforms","log.origin":{"file.name":"httpjson/transform_registry.go","file.line":75},"message":"Register transform response:append","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"httpjson.transforms","log.origin":{"file.name":"httpjson/transform_registry.go","file.line":75},"message":"Register transform response:delete","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"httpjson.transforms","log.origin":{"file.name":"httpjson/transform_registry.go","file.line":75},"message":"Register transform response:set","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"httpjson.transforms","log.origin":{"file.name":"httpjson/transform_registry.go","file.line":75},"message":"Register transform pagination:append","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"httpjson.transforms","log.origin":{"file.name":"httpjson/transform_registry.go","file.line":75},"message":"Register transform pagination:delete","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"httpjson.transforms","log.origin":{"file.name":"httpjson/transform_registry.go","file.line":75},"message":"Register transform pagination:set","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"httpjson.transforms","log.origin":{"file.name":"httpjson/encoding.go","file.line":84},"message":"registering encoder 'application/json': returned error: <nil>","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"httpjson.transforms","log.origin":{"file.name":"httpjson/encoding.go","file.line":87},"message":"registering encoder 'application/x-www-form-urlencoded': returned error: <nil>","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"httpjson.transforms","log.origin":{"file.name":"httpjson/encoding.go","file.line":93},"message":"registering decoder 'application/json': returned error: <nil>","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"httpjson.transforms","log.origin":{"file.name":"httpjson/encoding.go","file.line":96},"message":"registering decoder 'application/x-ndjson': returned error: <nil>","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"httpjson.transforms","log.origin":{"file.name":"httpjson/encoding.go","file.line":99},"message":"registering decoder 'text/csv': returned error: <nil>","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"httpjson.transforms","log.origin":{"file.name":"httpjson/encoding.go","file.line":102},"message":"registering decoder 'application/zip': returned error: <nil>","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.685-0300","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":140},"message":"Starting Registrar","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.686-0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.enabled filebeat.inputs.0.id filebeat.inputs.0.paths.0 filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.686-0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":121},"message":"input disabled, skipping it","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.686-0300","log.logger":"cfgfile","log.origin":{"file.name":"cfgfile/reload.go","file.line":132},"message":"Checking module configs from: /etc/filebeat/modules.d/*.yml","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.686-0300","log.logger":"cfgfile","log.origin":{"file.name":"cfgfile/cfgfile.go","file.line":204},"message":"Load config from file: /etc/filebeat/modules.d/activemq.yml","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.687-0300","log.logger":"cfgfile","log.origin":{"file.name":"cfgfile/reload.go","file.line":146},"message":"Number of module configs found: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.687-0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":106},"message":"Loading and starting Inputs completed. Enabled inputs: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.687-0300","log.origin":{"file.name":"cfgfile/reload.go","file.line":164},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.687-0300","log.logger":"cfgfile","log.origin":{"file.name":"cfgfile/reload.go","file.line":194},"message":"Scan for new config files","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.687-0300","log.logger":"cfgfile","log.origin":{"file.name":"cfgfile/cfgfile.go","file.line":204},"message":"Load config from file: /etc/filebeat/modules.d/activemq.yml","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.687-0300","log.logger":"cfgfile","log.origin":{"file.name":"cfgfile/reload.go","file.line":213},"message":"Number of module configs found: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.687-0300","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":64},"message":"Starting reload procedure, current runners: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-03-20T13:30:31.687-0300","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":82},"message":"Start list: 0, Stop list: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:30:31.687-0300","log.origin":{"file.name":"cfgfile/reload.go","file.line":224},"message":"Loading of config files completed.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-03-20T13:31:01.688-0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":40,"time":{"ms":40}},"total":{"ticks":240,"time":{"ms":240},"value":240},"user":{"ticks":200,"time":{"ms":200}}},"handles":{"limit":{"hard":1048576,"soft":1024},"open":10},"info":{"ephemeral_id":"eeeca8da-ab16-46f9-a3d5-2d45779d21d4","name":"filebeat","uptime":{"ms":36112},"version":"8.6.2"},"memstats":{"gc_next":18553608,"memory_alloc":12867528,"memory_sys":33375240,"memory_total":52229520,"rss":110174208},"runtime":{"goroutines":23}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0},"reloads":1,"scans":1},"output":{"events":{"active":0},"type":"elasticsearch"},"pipeline":{"clients":0,"events":{"active":0},"queue":{"max_events":4096}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":4},"load":{"1":0.07,"15":0.23,"5":0.19,"norm":{"1":0.0175,"15":0.0575,"5":0.0475}}}},"ecs.version":"1.6.0"}}


netstat

root@d250lxsamupr03:/var/log/filebeat# netstat -putona | grep 9200
tcp        0      0 192.168.xxx.x:48334     elkstackserver:9200      ESTABLISHED 72638/metricbeat     keepalive (6.42/0/0)

I think the missing module directory was because I did not give you the full command / path.... that was my bad.

I do not know what your issue is. This -d "*" would actually show anything being read, it would print it. It looks to me like there is nothing being read in your ActiveMQ directory.

Assume you checked the permissions and those files are readable... by the filebeat user?

I see no errors

Clean out the /var/lib/filebeat directory of everything. That is where filebeat keeps track of what it read.

rm -fr /var/lib/filebeat

I would enable the system module and see if you get any system logs.

# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.6/filebeat-module-system.html

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  # Authorization logs
  auth:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

Then use the same command... see what happens...

Odd, this should take like 5 mins, something is amiss...

I activated the system module and started to get data to the index filebeat-*

but it is only system information nothing in relation to activeMQ

logs:env - Google Docs

Well, then we know filebeat is actually working.

I suspect something is wrong with the paths, permissions for ActiveMQ

AND are you sure in the activemq.yml enabled: true

Copy a few of the ActiveMQ logs to a different path....
Set that path in the module, make sure it is chmod 666
And try again.

Did you clean the registry? This will reload the system logs as well.

rm -fr /var/lib/filebeat
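One way to read the `-e -d "*"` output discussed in this thread, as an added example that is not part of the original posts: the Python below scans Filebeat's JSON log lines for the messages that show nothing is being harvested. The sample lines are constructed from messages in the posted log with most fields trimmed; the finding names and hint texts are this example's own, and the fileset hint is a heuristic.

```python
import json
import re

# Constructed sample: message texts taken from the debug output posted in this
# thread, with most fields trimmed. The last two lines exercise a syslog-style
# prefix and a non-JSON line.
SAMPLE_LOG = """\
{"log.logger":"modules","message":"Enabled modules/filesets: "}
{"log.logger":"crawler","message":"input disabled, skipping it"}
{"log.logger":"cfgfile","message":"Load config from file: /etc/filebeat/modules.d/activemq.yml"}
{"log.logger":"cfgfile","message":"Number of module configs found: 0"}
{"log.logger":"crawler","message":"Loading and starting Inputs completed. Enabled inputs: 0"}
Mar 20 13:31:01 host filebeat[29521]: {"log.logger":"monitoring","message":"Non-zero metrics in the last 30s","monitoring":{"metrics":{"filebeat":{"harvester":{"open_files":0,"running":0}}}}}
not a JSON line
"""

LOAD_PREFIX = "Load config from file: "
CONFIGS_RE = re.compile(r"Number of module configs found: (\d+)")
INPUTS_RE = re.compile(r"Loading and starting Inputs completed\. Enabled inputs: (\d+)")


def parse_lines(text):
    """Yield one dict per log line, tolerating a syslog prefix before the JSON."""
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue  # no JSON object on this line
        try:
            event = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if isinstance(event, dict):
            yield event


def diagnose(text):
    """Return {finding_name: hint} for signs that Filebeat is harvesting nothing."""
    findings = {}
    last_file = None  # most recent modules.d file Filebeat reported loading
    for event in parse_lines(text):
        msg = event.get("message", "")
        if not isinstance(msg, str):
            continue
        if msg.startswith("Enabled modules/filesets:"):
            # An empty list after the colon means no fileset was loaded.
            if not msg.split(":", 1)[1].strip():
                findings.setdefault("no_filesets", "no module fileset is enabled")
        elif msg == "input disabled, skipping it":
            findings.setdefault(
                "input_disabled", "an input in filebeat.yml has enabled: false")
        elif msg.startswith(LOAD_PREFIX):
            last_file = msg[len(LOAD_PREFIX):]
        elif (m := CONFIGS_RE.fullmatch(msg)) and int(m.group(1)) == 0:
            findings.setdefault(
                "empty_module_config",
                f"{last_file or 'modules.d'} was read but gave 0 module configs; "
                "check that its filesets have enabled: true")
        elif (m := INPUTS_RE.fullmatch(msg)) and int(m.group(1)) == 0:
            findings.setdefault("no_inputs", "0 inputs were started")
        elif msg == "Non-zero metrics in the last 30s":
            metrics = event.get("monitoring", {}).get("metrics", {})
            harvester = metrics.get("filebeat", {}).get("harvester", {})
            if harvester.get("running") == 0:
                findings.setdefault("no_harvesters", "no file is being read")
    return findings


if __name__ == "__main__":
    for name, hint in diagnose(SAMPLE_LOG).items():
        print(f"{name}: {hint}")
```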
