I can't figure out if I'm doing some wrong or things are just wonky on my system when reading into logstash.
Changes to the module configs (system and apache2 in my case) aren't being read from /etc/filebeat/modules.d
If I want changes to be read, I have to change them in /usr/share/filebeat/module/ under their respective directories. I've turned on the the debug option and have watched the log file - filebeat says it's reading two config files from /etc/filebeat/modules.d
2017-12-27T11:12:17-05:00 DBG [cfgfile] Load config from file: /etc/filebeat/modules.d/apache2.yml
2017-12-27T11:12:17-05:00 DBG [cfgfile] Load config from file: /etc/filebeat/modules.d/system.yml
2017-12-27T11:12:17-05:00 DBG [cfgfile] Number of module configs found: 2
But when I added an exclude_lines: string into the apache2.yml file located in /etc/filebeat/modules.d, it was being completely ignored. The only place I could add it where it was read was in the
/usr/share/filebeat/module/apache2/access/config/access.yml
file. After that, it excluded the lines just fine.
With the system module, it skips any of the var.paths I've set but, again, if I add those locations to the file in
/usr/share/filebeat/module/system/syslog/config/syslog.yml or /usr/share/filebeat/module/system/auth/config/auth.yml
things work out just fine.
Filebeat's system module is also a little screwy with the timezone being off as well (however, the apache2 module has the correct timestamp). The @timestamp value and system.syslog.timestamp are different. The system.syslog.timestamp value is the correct one but the @timestamp is behind it by five hours, which is our offset from UTC. So:
@timestamp is December 27th 2017, 06:39:01.000
system.syslog.timestamp is Dec 27 11:39:01
but that issue is probably a separate topic by itself. Current installed version of filebeat is 6.1.1
Any ideas?