We have created an Elastic stack to monitor logs from the Linux clients. On the Linux clients, filebeat is configured to ship the logs to the Elastic stack.
But our filebeat is not detecting new events in the log file and is not sending them to the Elastic stack. If we restart filebeat, it will send all the pending events. In the filebeat logs, we are getting the message below:
INFO No non-zero metrics in the last 30s.
logstash input:

    input {
      beats {
        port => 5044
        ssl => false
      }
    }
logstash filter:

    filter {
      if [type] == "syslog" {
        grok {
          match => { "message" => "%{SYSLOGLINE}" }
        }
        date {
          match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }
      }
    }
logstash output:

    output {
      elasticsearch {
        hosts => ["localhost:9200"]
        sniffing => true
        manage_template => false
        index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
        document_type => "%{[@metadata][type]}"
      }
    }
filebeat config:

    filebeat.prospectors:
    - input_type: log
      paths:
        - /var/log/messages
        - /var/log/secure
    output.logstash:
      hosts: ["172.x.x.x:5044"]
filebeat log:

    tail /var/log/filebeat/filebeat
    2021-11-02T04:59:06Z INFO No non-zero metrics in the last 30s
    2021-11-02T04:59:36Z INFO No non-zero metrics in the last 30s
    2021-11-02T05:00:06Z INFO No non-zero metrics in the last 30s
    2021-11-02T05:00:36Z INFO No non-zero metrics in the last 30s
    2021-11-02T05:01:06Z INFO No non-zero metrics in the last 30s
    2021-11-02T05:01:36Z INFO No non-zero metrics in the last 30s
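One way to narrow down why restarts flush a backlog but a running filebeat stays silent is to compare the prospector paths against filebeat's registry: whether the file is tracked at all, whether its inode still matches (rotation), and whether there are bytes past the recorded offset. The script below is an added diagnostic, not code from the question or from Elastic; it assumes the filebeat 5.x/6.x registry layout (a JSON array at /var/lib/filebeat/registry with `source`, `offset` and `FileStateOS.inode` per file, which is the generation the `filebeat.prospectors` config above belongs to) and runs against a constructed sample in `demo()`.

```python
import json
import os
import tempfile

REGISTRY = "/var/lib/filebeat/registry"  # assumed 5.x/6.x layout: JSON array of file states

def diagnose(entries, paths):
    """Return (path, status, detail) for each prospector path versus its registry state."""
    by_source = {e.get("source"): e for e in entries}
    findings = []
    for p in paths:
        entry = by_source.get(p)
        if entry is None:
            findings.append((p, "untracked", "no registry state; check prospector paths"))
            continue
        try:
            st = os.stat(p)
        except FileNotFoundError:
            findings.append((p, "missing", "in registry but not on disk"))
            continue
        inode = entry.get("FileStateOS", {}).get("inode")
        offset = int(entry.get("offset", 0))
        if inode is not None and inode != st.st_ino:
            status, detail = "rotated", f"registry inode {inode} != disk inode {st.st_ino}"
        elif st.st_size > offset:
            status, detail = "unread_backlog", f"{st.st_size - offset} bytes past offset {offset}"
        elif st.st_size < offset:
            status, detail = "truncated", f"offset {offset} beyond file size {st.st_size}"
        else:
            status, detail = "ok", "offset equals file size"
        findings.append((p, status, detail))
    return findings

def diagnose_live(paths=("/var/log/messages", "/var/log/secure")):
    """Run against the real registry on a host (not exercised by the constructed demo)."""
    with open(REGISTRY) as fh:
        return diagnose(json.load(fh), list(paths))

def demo():
    """Constructed sample: a tracked file with 20 unread bytes and a path filebeat never saw."""
    d = tempfile.mkdtemp()
    messages = os.path.join(d, "messages")
    with open(messages, "w") as fh:
        fh.write("Nov  2 04:59:06 host sshd[1]: Accepted publickey for alice\n" * 4)
    size = os.path.getsize(messages)
    registry = [{"source": messages, "offset": size - 20, "ttl": -1, "type": "log",
                 "FileStateOS": {"inode": os.stat(messages).st_ino, "device": 0}}]
    return {os.path.basename(p): status
            for p, status, _ in diagnose(registry, [messages, os.path.join(d, "secure")])}
```

On a client host, `diagnose_live()` reports "unread_backlog" for a file filebeat is tracking but not reading forward, and "rotated" when the registry still points at a previous inode.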