Filebeat is not logging anything

sgoetz · September 6, 2016, 7:40pm

I am unable to get filebeats to create a log file and log anything.

My Configuration is a little different. I have the main configuration file filebeat.yml. Than I have a different config file for each type of log im pulling from. To make it easier to manage configs for specific logs. The main config looks like this:

filebeat:
     config_dir: /usr/local/bin/filebeats/LogConfigs/
     prospectors:
        -
output:
    console:
        pretty: true
    logstash:
       hosts: ["host server"
       tls: 
          certificate: "/path/to/cert"
          certificate_key: "/path/to/key"
          certificate_authorities: "/path/to/RootCert"
logging:
     to_files: true
     files:
        path: /var/log/filebeat
        name: filebeat.log
        rotateeverybytes: 51002
        keepfiles: 7

andrewkroh · September 6, 2016, 7:49pm

You probably need to increase the logging level. The default is error in 1.X (changed to info in 5.X), so if there are no errors then nothing will be logged. https://www.elastic.co/guide/en/beats/filebeat/current/configuration-logging.html#_level

sgoetz · September 6, 2016, 8:10pm

Thank you for the reply. I updated the config with level. And no difference:

filebeat:
     config_dir: /usr/local/bin/filebeats/LogConfigs/
     prospectors:
        -
output:
    console:
        pretty: true
    logstash:
       hosts: ["host server"
       tls: 
          certificate: "/path/to/cert"
          certificate_key: "/path/to/key"
          certificate_authorities: "/path/to/RootCert"
logging:
     level: debug
     to_files: true
     files:
        path: /var/log/filebeat
        name: filebeat.log
        rotateeverybytes: 51002
        keepfiles: 7

ruflin · September 8, 2016, 6:45am

Which filebeat version are you using? What is the user you start filebeat and does this user have write access to the /var/log/filebeat directory or is allowed to create the filebeat directory?

sgoetz · September 8, 2016, 1:58pm

Hey ruffin,

  I check the perms and they are as follows:

/var/log/filebeat -- 644 - root:wheel
/var/log/filebeat/filebeat.log - 644 - root:wheel

 To make sure it was perms, I did a chmod -R 777 /var/log/filebeat  and tested again and still no logs.

This is version 1.2.3. of filebeats. Filebeats is started as root. Both manually and with my launchDaemon.

Thank you for all the help so far! I have everything working except for hte logging.

Shawn G

ruflin · September 8, 2016, 2:46pm

Can you share the command you use to start filebeat manually?

sgoetz · September 8, 2016, 4:04pm

Hey ruffin,

The command I use is:

sudo filebeat -c /usr/local/bin/filebeats/filebeat.yml -e

I have also tried:

sudo filebeat -c /usr/local/bin/filebeats/filebeat.yml -e -v -d "*"

Thanks

Shawn

ruflin · September 8, 2016, 8:50pm

Don't use the -e flag and then it should work.

  -e   	Log to stderr and disable syslog/file output

sgoetz · September 8, 2016, 9:46pm

Hey Ruffin,

 I can't believe I missed that. Thank you so much!!!

Shawn G

system · September 27, 2016, 7:40pm

This topic was automatically closed after 21 days. New replies are no longer allowed.