Filebeat is not reading logs

ant2ne · December 21, 2022, 7:05pm

root@ub2204elk:/etc/elasticsearch# grep -v "#" elasticsearch.yml |uniq

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: localhost

xpack.security.enabled: true

xpack.security.enrollment.enabled: true

xpack.security.http.ssl:
  enabled: false
  keystore.path: certs/http.p12

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["ub2204elk"]

http.host: 0.0.0.0

root@ub2204elk:/etc/filebeat# l grep -v "#" /etc/filebeat/filebeat.yml |uniq

filebeat.inputs:

- type: filestream
  id: my-filestream-id
  enabled: false
  paths:
    - /var/log/sys1/*.log

filebeat.config.modules:
  path: /etc/filebeat/modules.d/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "localhost:5601"

output.elasticsearch:
  hosts: ["localhost:9200"]

  username: "elastic"
  password: "oRPweOskO3ODRgI6Hik-"

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

rsyslog is doing its thing correctly both remote and local elk/rsyslog server. The remote server's logs are in the elk/rsyslog server's /var/log/{remote.servername}.

These are the logs I am most interested in.
root@ub2204elk:/etc/filebeat# ls -l /var/log/sys1/*.log

-rw-r----- 1 syslog adm   270 Dec 21 18:34 /var/log/sys1/anacron.log
-rw-r----- 1 syslog adm   245 Dec 21 17:20 /var/log/sys1/avahi-daemon.log
-rw-r----- 1 syslog adm    63 Dec 21 17:24 /var/log/sys1/cron.log
-rw-r----- 1 syslog adm 36846 Dec 21 18:53 /var/log/sys1/CRON.log
-rw-r----- 1 syslog adm   298 Dec 21 17:23 /var/log/sys1/crontab.log
-rw-r----- 1 syslog adm  2837 Dec 21 18:52 /var/log/sys1/dbus-daemon.log
-rw-r----- 1 syslog adm   172 Dec 21 18:48 /var/log/sys1/fwupd.log
-rw-r----- 1 syslog adm  2249 Dec 21 17:38 /var/log/sys1/kernel.log
-rw-r----- 1 syslog adm   132 Dec 21 18:41 /var/log/sys1/NetworkManager.log
-rw-r----- 1 syslog adm  1119 Dec 21 18:40 /var/log/sys1/nordvpnd.log
-rw-r----- 1 syslog adm   181 Dec 21 17:20 /var/log/sys1/ntpd.log
-rw-r----- 1 syslog adm  4792 Dec 21 18:51 /var/log/sys1/org.freedesktop.thumbnails.Thumb.log
-rw-r----- 1 syslog adm   259 Dec 21 18:14 /var/log/sys1/root.log
-rw-r----- 1 syslog adm  3957 Dec 21 17:32 /var/log/sys1/rsyslogd.log
-rw-r----- 1 syslog adm 24552 Dec 21 18:51 /var/log/sys1/rtkit-daemon.log
-rw-r----- 1 syslog adm   593 Dec 21 17:57 /var/log/sys1/sudo.log
-rw-r----- 1 syslog adm 32889 Dec 21 18:53 /var/log/sys1/systemd.log

But, in http://192.168.1.139:5601 | discover | Logs | Streams does not show any logs.

Am I looking in the correct place in Kibana for the remote server's logs? If so, Why isn't filebeats putting the logs into ealsticsearch?

(please let me know if you need a peak at any other conf files)

Lee_Hinman · December 21, 2022, 8:33pm

the filestream input isn't enabled you have:

enabled: false

change that to:

enabled: true

ant2ne · December 21, 2022, 8:43pm

I owe you a beer! As soon as I made that change, the logs showed up in streaming!

(I intentionally have smbd flapping on sys1 every min (via cron) to generate logs for testing)

system · January 18, 2023, 10:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat not working with xpack Security enabled in Elasticsearch Beats filebeat	0	156	April 23, 2024
fileBeats failing Beats	2	517	October 4, 2019
Filebeat is not authenticating with elasticsearch after xpack was enabled Beats filebeat	6	2030	July 14, 2021
Newbie and need help Beats filebeat	2	436	October 29, 2017
Filebeat not reading log files Beats filebeat	4	3090	April 24, 2020

Filebeat is not reading logs

Related topics