I am using Beats/Logstash/ElasticSearch/Kibana version 6.3 on CentOS 7
I have written a short pipeline that listens for incoming filebeat traffic and applys a grok filter.
I have tested the filter using the Kibana Grok Debugger and the simulation gives the expected data structure from the log that is being parsed.
ELK is running on the same host (only the filebeat + winlogbeat are on different hosts than ELK)
In Kibana under discover I see events for filebeat-* but they are all missing _source (no data fields attached..)
winlogbeat is registering events fine with all the expected data.
Where should I be looking to start debugging this? What can I check to narrow down the problem? I'm not sure if it's related to filebeat/logstash/elastic.. I don't even know what question to ask to solve the problem, let alone the solution.