Filebeat failed to start v7.10.2

Elastic Stack Beats
1

Hi please help me with my problem. My filebeat services stop working. Even though after I restart it. It starts but after a minute it stopped. Please help me. My career depends on it

Filbeat status:

filebeat.service - Filebeat sends log files to Logstash or directly to Elasti>
     Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; preset: ena>
     Active: failed (Result: exit-code) since Sat 2023-03-18 00:37:46 PST; 5min>
   Duration: 25ms
       Docs: https://www.elastic.co/products/beats/filebeat
    Process: 4917 ExecStart=/usr/share/filebeat/bin/filebeat --environment syst>
   Main PID: 4917 (code=exited, status=2)
        CPU: 25ms

Mar 18 00:37:46 VSS-WazuhServer filebeat[4917]: rip    0x7f018e49226b
Mar 18 00:37:46 VSS-WazuhServer filebeat[4917]: rflags 0x246
Mar 18 00:37:46 VSS-WazuhServer filebeat[4917]: cs     0x33
Mar 18 00:37:46 VSS-WazuhServer filebeat[4917]: fs     0x0
Mar 18 00:37:46 VSS-WazuhServer filebeat[4917]: gs     0x0
Mar 18 00:37:46 VSS-WazuhServer systemd[1]: filebeat.service: Scheduled restart>
Mar 18 00:37:46 VSS-WazuhServer systemd[1]: Stopped Filebeat sends log files to>
Mar 18 00:37:46 VSS-WazuhServer systemd[1]: filebeat.service: Start request rep>
Mar 18 00:37:46 VSS-WazuhServer systemd[1]: filebeat.service: Failed with resul>
Mar 18 00:37:46 VSS-WazuhServer systemd[1]: Failed to start Filebeat sends log >
~


Filebeat journalctl -u filebeat.service -f:
Mar 18 00:37:46 VSS-WazuhServer filebeat[4917]: rip    0x7f018e49226b
Mar 18 00:37:46 VSS-WazuhServer filebeat[4917]: rflags 0x246
Mar 18 00:37:46 VSS-WazuhServer filebeat[4917]: cs     0x33
Mar 18 00:37:46 VSS-WazuhServer filebeat[4917]: fs     0x0
Mar 18 00:37:46 VSS-WazuhServer filebeat[4917]: gs     0x0
Mar 18 00:37:46 VSS-WazuhServer systemd[1]: filebeat.service: Scheduled restart job, restart counter is at 9.
Mar 18 00:37:46 VSS-WazuhServer systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
Mar 18 00:37:46 VSS-WazuhServer systemd[1]: filebeat.service: Start request repeated too quickly.
Mar 18 00:37:46 VSS-WazuhServer systemd[1]: filebeat.service: Failed with result 'exit-code'.
Mar 18 00:37:46 VSS-WazuhServer systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..

Filebeat test output:
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

journalctl -u filebeat.service:

Feb 26 20:02:12 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:02:12.943+0800        INFO        [monitoring] >
Feb 26 20:02:42 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:02:42.944+0800        INFO        [monitoring] >
Feb 26 20:03:12 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:03:12.942+0800        INFO        [monitoring] >
Feb 26 20:03:42 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:03:42.939+0800        INFO        [monitoring] >
Feb 26 20:04:12 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:04:12.939+0800        INFO        [monitoring] >
Feb 26 20:04:42 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:04:42.942+0800        INFO        [monitoring] >
Feb 26 20:05:12 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:05:12.942+0800        INFO        [monitoring] >
Feb 26 20:05:42 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:05:42.943+0800        INFO        [monitoring] >
Feb 26 20:06:12 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:06:12.942+0800        INFO        [monitoring] >
Feb 26 20:06:42 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:06:42.938+0800        INFO        [monitoring] >
Feb 26 20:07:12 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:07:12.942+0800        INFO        [monitoring] >
Feb 26 20:07:42 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:07:42.939+0800        INFO        [monitoring] >
Feb 26 20:08:12 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:08:12.942+0800        INFO        [monitoring] >
Feb 26 20:08:42 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:08:42.939+0800        INFO        [monitoring] >
Feb 26 20:09:12 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:09:12.939+0800        INFO        [monitoring] >
Feb 26 20:09:42 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:09:42.942+0800        INFO        [monitoring] >
Feb 26 20:10:12 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:10:12.943+0800        INFO        [monitoring] >
Feb 26 20:10:42 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:10:42.939+0800        INFO        [monitoring] >
Feb 26 20:11:12 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:11:12.939+0800        INFO        [monitoring] >
Feb 26 20:11:42 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:11:42.943+0800        INFO        [monitoring] >
Feb 26 20:12:12 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:12:12.942+0800        INFO        [monitoring] >
Feb 26 20:12:42 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:12:42.942+0800        INFO        [monitoring] >
Feb 26 20:13:12 VSS-WazuhServer filebeat[2296]: 2023-02-26T20:13:12.939+0800        INFO        [monitoring] >
 ESCOD
2

You need to look in the systems log, journalctl will not show the reason why the systemd service failed.

Check on /var/log/messages or /var/log/syslog depending on the distribution.

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.