Filebeat: ES not receiving index from filebeat

I'm trying to explore the security recipe for suspicious login activity in my local machine

When trying to index the auth.log, nothing appears in the create index pattern of kibana.

Here's my filebeat.yml


  • module: system
    enabled: false
    enabled: true
    var.paths: ["/data/auth.log"]
    name: test
    hosts: ["http://elastic-url:9200"]
    username: "elastic"
    password: "secret"
    host: "http://kibana-url:5601"
    username: "elastic"
    password: "secret"
    logging.level: debug
    logging.selectors: ["publish"]
    setup.dashboards.enabled: true

Am I missing something?

Hi @jemueldalino,

Did you run filebeat setup command? It should configure kibana and deploy some dashboards for you.

Best regards

I just ran filebeat via docker run using the .yml earlier. The dashboards were created but theres no data. When checking index patterns, there's indices. Is my var.path wrong?

Whats the OS platform?

For Debian systems the logins will be stored in /var/log/auth.log
For Redhat Systems I think the file is /var/log/secure.
The auth logs vary. Whether the /data/auth.log is having data?
Does any other logs are available in ES from filebeat?
ES requires two plugin installation for the proper working of Filebeat.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.