Filebeat/Logstash doesn't send system.auth.*.* field data to Elasticsearch - v 7.14

I've installed the ELK stack with the steps described here:

Current Elastic Release (7.14)

Current Kibana Release (7.14)

Current Logstash Release (7.14)

Current Filebeat Release (7.14)

I also used the Logstash configuration presented here with the note under it: Beats input plugin | Logstash Reference [7.14] | Elastic

However, after I ran the commands below, I couldn't see any data in the loaded dashboards in Kibana:

sudo filebeat setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'

sudo filebeat setup -e -E output.logstash.enabled=false -E output.elasticsearch.hosts=['localhost:9200'] -E setup.kibana.host=localhost:5601

It should be something like this:

But it looks like below:

"No results found" is shown in all 4 dashboards: Syslog | Sudo commands | SSH Logins | New users and groups

Also, when I tried to look up data in Discovery and search for system.auth.ssh.events, for example, I couldn't find anything:

What is the problem?

Did you enable the filebeat system module? You also need to configure the elasticsearch output when you run setup to load the index template, mappings, and ingest pipelines...
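
The ingest pipelines mentioned in the reply above are what turn raw auth log lines into system.auth.* fields, and when events travel through Logstash they only run if the elasticsearch output passes on the pipeline name Filebeat places in `@metadata`. The following is an added example, not a configuration posted in this thread; it assumes Beats input on port 5044, Elasticsearch on localhost:9200, and that the pipelines were loaded beforehand with `filebeat setup --pipelines --modules system`.

```logstash
input {
  beats {
    port => 5044    # assumed port; match output.logstash.hosts in filebeat.yml
  }
}

output {
  if [@metadata][pipeline] {
    # Events from a Filebeat module carry the name of that module's ingest
    # pipeline. Forwarding it lets Elasticsearch parse the raw message into
    # fields such as system.auth.* that the dashboards query.
    elasticsearch {
      hosts => ["http://localhost:9200"]    # assumed local single node
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      pipeline => "%{[@metadata][pipeline]}"
    }
  } else {
    # Events without pipeline metadata are indexed as they arrive.
    elasticsearch {
      hosts => ["http://localhost:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}
```

Without the `pipeline` option, documents are still indexed but keep only the unparsed `message` field, so dashboards filtering on system.auth.* stay empty.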

@legoguy1000 Sure. I've enabled the system module and configured logstash to read from filebeat input and send to elasticsearch. Please check below:

filebeat modules list

cat /etc/filebeat/modules.d/system.yml

cat /etc/logstash/cond.d/beats-input-output.conf

These were set up before running the commands in the original post.