Filebeat/Logstash doesn't send system.auth.*.* field data to Elastic Search - v 7.14

Elastic Stack Beats
,
1

I've installed ELK stack with steps described here:

Current Elastic Release (7.14)

Current Kibana Release (7.14)

Current Logstash Release (7.14)

Current Filebeat Release (7.14)

I also used the Logstash configuration presented here with the note under it: Beats input plugin | Logstash Reference [7.14] | Elastic

However, after I've run the commands below I couldn't see any data in the loaded dashboards in Kibana:

sudo filebeat setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'

sudo filebeat setup -e -E output.logstash.enabled=false -E output.elasticsearch.hosts=['localhost:9200'] -E setup.kibana.host=localhost:5601

It should be something like this:

filebeat-system
filebeat-system777×865 76.2 KB

But it looks like below:

kibana-local
kibana-local1887×926 117 KB

"No results found" is shown in all 4 dashboards: Syslog | Sudo commands | SSH Logins | New users and groups

Also, when I tried to lookup data in Discovery and search for system.auth.ssh.events for example I couldn't find anything:

ssh-events
ssh-events1529×674 52.6 KB

What is the problem?

2

Did u enable the filebeat system module?? You also need to configure the elasticsearch output when u run setup to load the index template, mappings, and ingest pipelines...

3

@legoguy1000 Sure. I've enabled the system module and configured logstash to read from filebeat input and send to elasticsearch. Please check below:

filebeat modules list

filebeat-modules

cat /etc/filebeat/modules.d/system.yml

filebeat-system-config
filebeat-system-config846×329 33.6 KB 

cat /etc/logstash/cond.d/beats-input-output.conf

beats-input-output-conf
beats-input-output-conf696×216 16.5 KB

These were setup before running the commands in the original post.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.