Filebeat monitoring metrics not visible in ElasticSearch

Hi, Mat, Stephen - thank you for the further investigation!

So, to answer the questions and suggestions in order:

  1. @stephenb regarding the pipeline... This was one of the pain points to get working, took me a while, as there seems to be a bug in ES/Filebeat, where specifying the "pipeline: xxx" per documentation does NOT work, and the only way to get it working is to use "parameters.pipeline: xxx" instead. Here is the bug report that helped me find this workaround: [Filebeat] 7.8 Filebeat output elasticsearch pipeline broken · Issue #20342 · elastic/beats · GitHub

  2. logs that @stephenb mentioned: yes, I do see the lines similar to what you are referring to:

{"log.level":"info","@timestamp":"2022-10-19T13:51:27.671Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":147},"message":"Connection to backoff(monitoring(https://1e432b5236c***.us-east4.gcp.elastic-cloud.com:443)) established","service.name":"filebeat","ecs.version":"1.6.0"}

and here is a bigger chunk of logs that shows connections, pings and sending of the monitoring events to this URL:

{"log.level":"debug","@timestamp":"2022-10-19T13:51:17.577Z","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":346},"message":"GET https://1e432b5236c***.us-east4.gcp.elastic-cloud.com:443/_xpack?filter_path=features.monitoring.enabled  <nil>","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T13:51:17.600Z","log.logger":"monitoring","log.origin":{"file.name":"elasticsearch/client.go","file.line":99},"message":"XPack monitoring is enabled","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-19T13:51:17.600Z","log.logger":"monitoring","log.origin":{"file.name":"elasticsearch/elasticsearch.go","file.line":234},"message":"Successfully connected to X-Pack Monitoring endpoint.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T13:51:17.601Z","log.logger":"monitoring","log.origin":{"file.name":"elasticsearch/elasticsearch.go","file.line":240},"message":"Finish monitoring endpoint init loop.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-19T13:51:17.601Z","log.logger":"monitoring","log.origin":{"file.name":"elasticsearch/elasticsearch.go","file.line":248},"message":"Start monitoring stats metrics snapshot loop with period 10s.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-19T13:51:17.601Z","log.logger":"monitoring","log.origin":{"file.name":"elasticsearch/elasticsearch.go","file.line":248},"message":"Start monitoring state metrics snapshot loop with period 1m0s.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T13:51:27.348Z","log.logger":"input","log.origin":{"file.name":"input/input.go","file.line":137},"message":"Run input","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T13:51:27.620Z","log.logger":"monitoring","log.origin":{"file.name":"processing/processors.go","file.line":210},"message":"Publish event: {\n  \"@timestamp\": \"2022-10-19T13:51:27.602Z\",\n  \"@metadata\": {\n    \"beat\": \"filebeat\",\n    \"type\": \"_doc\",\n    \"version\": \"8.4.3\",\n    \"type\": \"beats_stats\",\n    \"interval_ms\": 10000,\n    \"params\": {\n      \"interval\": \"10s\"\n    }\n  },\n  \"beat\": {\n    \"type\": \"filebeat\",\n    \"version\": \"8.4.3\",\n    \"name\": \"c0383dd47a87\",\n    \"host\": \"c0383dd47a87\",\n    \"uuid\": \"ed5a0b2c-3ced-43da-a7ce-282f2383eca8\"\n  },\n  \"metrics\": {\n    \"filebeat\": {\n      \"events\": {\n        \"added\": 0,\n        \"done\": 0,\n        \"active\": 0\n      },\n      \"harvester\": {\n        \"closed\": 0,\n        \"running\": 0,\n        \"open_files\": 0,\n        \"skipped\": 0,\n        \"started\": 0\n      },\n      \"input\": {\n        \"log\": {\n          \"files\": {\n            \"renamed\": 0,\n            \"truncated\": 0\n          }\n        },\n        \"netflow\": {\n          \"packets\": {\n            \"received\": 0,\n            \"dropped\": 0\n          },\n          \"flows\": 0\n        }\n      }\n    },\n    \"libbeat\": {\n      \"output\": {\n        \"events\": {\n          \"duplicates\": 0,\n          \"active\": 0,\n          \"toomany\": 0,\n          \"batches\": 0,\n          \"total\": 0,\n          \"acked\": 0,\n          \"failed\": 0,\n          \"dropped\": 0\n        },\n        \"write\": {\n          \"bytes\": 0,\n          \"errors\": 0\n        },\n        \"read\": {\n          \"errors\": 0,\n          \"bytes\": 0\n        },\n        \"type\": \"elasticsearch\"\n      },\n      \"pipeline\": {\n        \"clients\": 1,\n        \"events\": {\n          \"total\": 0,\n          \"filtered\": 0,\n          \"published\": 0,\n          \"failed\": 0,\n          \"dropped\": 0,\n          
\"retry\": 0,\n          \"active\": 0\n        },\n        \"queue\": {\n          \"max_events\": 4096,\n          \"acked\": 0\n        }\n      },\n      \"config\": {\n        \"scans\": 0,\n        \"reloads\": 0,\n        \"module\": {\n          \"running\": 0,\n          \"starts\": 0,\n          \"stops\": 0\n        }\n      }\n    },\n    \"beat\": {\n      \"info\": {\n        \"version\": \"8.4.3\",\n        \"uptime\": {\n          \"ms\": 10735\n        },\n        \"ephemeral_id\": \"45393707-8a6c-4e36-a7dc-78134b21cbdd\",\n        \"name\": \"filebeat\"\n      },\n      \"cgroup\": {\n        \"cpuacct\": {\n          \"id\": \"/\",\n          \"total\": {\n            \"ns\": 2488286354\n          }\n        },\n        \"memory\": {\n          \"id\": \"/\",\n          \"mem\": {\n            \"limit\": {\n              \"bytes\": 9223372036854771712\n            },\n            \"usage\": {\n              \"bytes\": 56520704\n            }\n          }\n        },\n        \"cpu\": {\n          \"cfs\": {\n            \"period\": {\n              \"us\": 100000\n            },\n            \"quota\": {\n              \"us\": 0\n            }\n          },\n          \"stats\": {\n            \"periods\": 0,\n            \"throttled\": {\n              \"periods\": 0,\n              \"ns\": 0\n            }\n          },\n          \"id\": \"/\"\n        }\n      },\n      \"handles\": {\n        \"limit\": {\n          \"hard\": 1048576,\n          \"soft\": 1048576\n        },\n        \"open\": 20\n      },\n      \"memstats\": {\n        \"memory_sys\": 34423816,\n        \"gc_next\": 20466608,\n        \"rss\": 138305536,\n        \"memory_total\": 59005528,\n        \"memory_alloc\": 10707568\n      },\n      \"cpu\": {\n        \"user\": {\n          \"ticks\": 1420,\n          \"time\": {\n            \"ms\": 1420\n          }\n        },\n        \"system\": {\n          \"ticks\": 940,\n          \"time\": {\n            \"ms\": 940\n  
        }\n        },\n        \"total\": {\n          \"value\": 2360,\n          \"ticks\": 2360,\n          \"time\": {\n            \"ms\": 2360\n          }\n        }\n      },\n      \"runtime\": {\n        \"goroutines\": 76\n      }\n    },\n    \"system\": {\n      \"cpu\": {\n        \"cores\": 8\n      },\n      \"load\": {\n        \"5\": 0.02,\n        \"15\": 0,\n        \"norm\": {\n          \"1\": 0.0088,\n          \"5\": 0.0025,\n          \"15\": 0\n        },\n        \"1\": 0.07\n      }\n    },\n    \"registrar\": {\n      \"states\": {\n        \"current\": 0,\n        \"update\": 0,\n        \"cleanup\": 0\n      },\n      \"writes\": {\n        \"total\": 0,\n        \"fail\": 0,\n        \"success\": 0\n      }\n    }\n  }\n}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-19T13:51:27.623Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":139},"message":"Connecting to backoff(monitoring(https://1e432b5236c***.us-east4.gcp.elastic-cloud.com:443))","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T13:51:27.624Z","log.logger":"monitoring","log.origin":{"file.name":"elasticsearch/client.go","file.line":64},"message":"Monitoring client: connect.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T13:51:27.626Z","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":267},"message":"ES Ping(url=https://1e432b5236c***.us-east4.gcp.elastic-cloud.com:443)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T13:51:27.648Z","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":290},"message":"Ping status code: 200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-19T13:51:27.649Z","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":291},"message":"Attempting to connect to Elasticsearch version 8.4.3","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T13:51:27.650Z","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":346},"message":"GET https://1e432b5236c***.us-east4.gcp.elastic-cloud.com:443/_xpack?filter_path=features.monitoring.enabled  <nil>","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T13:51:27.670Z","log.logger":"monitoring","log.origin":{"file.name":"elasticsearch/client.go","file.line":99},"message":"XPack monitoring is enabled","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-19T13:51:27.671Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":147},"message":"Connection to backoff(monitoring(https://1e432b5236c***.us-east4.gcp.elastic-cloud.com:443)) established","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T13:51:27.698Z","log.logger":"monitoring","log.origin":{"file.name":"memqueue/eventloop.go","file.line":197},"message":"handle ACKs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T13:51:27.700Z","log.logger":"monitoring","log.origin":{"file.name":"memqueue/eventloop.go","file.line":216},"message":"try ack index: (idx=0, i=0, seq=0)\n","service.name":"filebeat","ecs.version":"1.6.0"}
{"

Interesting that this URL: https://1e432b5236c***.us-east4.gcp.elastic-cloud.com:443 is NOT what I am specifying as "hosts" in the filebeat.yml.... In the filebeat.yml I am specifying a real name of the cluster, something like "my-new-es-cluster" - like "https://my-new-es8-cluster.es.us-east4.gcp.elastic-cloud.com:9243".... So it is getting translated into the UUID-type form somewhere ...

  3. indices: unfortunately, I do not have any indices that have "beat" and "monitoring" at the same time in the name, unlike what @stephenb showed in his cluster... I do have one 'metricbeat' index - but it is empty.
    A few searches I did:
GET /_cat/indices/*monitoring-*
results:
green open .ds-.monitoring-kibana-8-mb-2022.10.18-000001 Xvq_P_9NRiKy3hYxPwBwmQ 1 1  36050  0  18.7mb   9.3mb
green open .monitoring-kibana-7-2022.10.18               4kofsQNNTzylE-YWoEMYXg 1 1     76  0 371.8kb 165.7kb
green open .ds-.monitoring-es-8-mb-2022.10.18-000001     2H4hLmyGS8q2-EQfbuynQQ 1 1 265395  0 315.2mb   158mb
green open .monitoring-es-7-2022.10.18                   ZSLCzJRBRiS2r4qihIw71w 1 1    385 34 690.3kb 347.2kb


GET /_cat/indices/*beat*
results:
green open .ds-metricbeat-8.4.3-2022.10.18-000001 wq0Wt0kaSIae9kXP4b2Iug 1 1 0 0 450b 225b


GET .ds-metricbeat-8.4.3-2022.10.18-000001/_search
results:
{
  "took": 0,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 0,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  }
}
  4. now comparing to the actual UUID of the one and only ES cluster I have (data+monitoring), per @matschaffer suggestion:
    when I do
GET /_cluster/state

I get this:

{
  "cluster_name": "1e432b5236c***",
  "cluster_uuid": "9PxnN-9PT***",
  "version": 2013,

so it is the cluster_name that Filebeat is using, not the UUID...per its logs:

"message":"Connection to backoff(monitoring(https://1e432b5236c***.us-east4.gcp.elastic-cloud.com:443)) established"

is this a problem?

Thank you!!!
Marina

On the pipeline issue: what input are you using, or are you using a module?
If you are using a module the pipeline may be defined in the module and there is special syntax to override it.

Also Just to be clear for this test you are trying to write the filebeat data and the filebeat monitoring to the same cluster correct?

Could you try setting it to your cluster uuid:

monitoring.cluster_uuid: "9PxnN-9PT***"

Also you are using an API key could you try with the elastic user and password

Also it looks like you are doing some substitution with the hostname. What happens if you just directly code in the endpoint with the

hosts: "https://my-new-es8-cluster****"

Thanks, Stephen!

  1. pipeline: I am not using any modules - just directly specifying my input from the PubSub GCP topic. The only way I was able to add GeoIP info to my log events was by using the 'parameters:pipeline' key. The geoip pipeline was just ignored if I used the 'pipeline' per documentation ...

  2. yes, correct - I'm writing both filebeat data (events read from PubSub) and filebeat metrics into the same ES cluster

  3. I can't try username/pwd instead of an API key for now - as I am not an Administrator for the ES cloud cluster, I only have the API key given to me. Will try to work this out as the next option to try. BTW, I am also trying to set all this up locally on my laptop - but with the crazy default security in ES8 now - it's very hard to get working. I will create a separate post for that problem, as I can't make Filebeat connect to the locally running ES8 ....

  4. as for this question:

I'm not sure what you mean.... I am not doing any substitution, I directly specify the "normal" form of the URL in the elasticsearch.output.hosts :
ES_HOSTS = "https://my-new-es8-cluster.es.us-east4.gcp.elastic-cloud.com:9243"

However, you gave me an idea - I also have the cloud.id setting in the filebeat.yml - here is the relevant part of the yml:

# =============================== Elastic Cloud ================================
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
# ENG IBC ES
cloud.id: '${CLOUD_ID}'

# ================================== Outputs ===================================
output.console:
  enabled: false
  pretty: true

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  enabled: true
  index: "ibc-parsed-logs"
  parameters.pipeline: "geoip-info"
  hosts: ${ES_HOSTS}
  protocol: "https"
  api_key: ${ES_API_KEY}

# ============================= X-Pack Monitoring ==============================
monitoring.enabled: true
monitoring.cluster_uuid: "9PxnN-9Pxxx"


where CLOUD_ID is in the format:
"my-new-es8-cluster:dXMtZWFzdDQuZ2NwLmVxxxxxxx..."

So some internal Filebeat code must be doing this substitution of the "normal - name-based" URL to the UUID-based one seen in the logs ....

  5. Ok, the next version of the filebeat.yml with your other suggestion, to specify the monitoring.cluster_uuid explicitly, is above.

However, unfortunately, the result is exactly the same as in the previous experiment - the same type of logs in the filebeat.log:

{"log.level":"debug","@timestamp":"2022-10-19T16:19:29.826Z","log.logger":"monitoring","log.origin":{"file.name":"elasticsearch/client.go","file.line":99},"message":"XPack monitoring is enabled","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-19T16:19:29.827Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":147},"message":"Connection to backoff(monitoring(https://1e432b5236c54abf873b90358b68a930.us-east4.gcp.elastic-cloud.com:443)) established","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T16:19:29.850Z","log.logger":"monitoring","log.origin":{"file.name":"memqueue/eventloop.go","file.line":197},"message":"handle ACKs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T16:19:29.850Z","log.logger":"monitoring","log.origin":{"file.name":"memqueue/eventloop.go","file.line":216},"message":"try ack index: (idx=0, i=0, seq=0)\n","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T16:19:29.851Z","log.logger":"monitoring","log.origin":{"file.name":"memqueue/eventloop.go","file.line":220},"message":"no state set","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T16:19:29.852Z","log.logger":"monitoring","log.origin":{"file.name":"memqueue/eventloop.go","file.line":199},"message":"handle ACK took: 2.3684ms","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T16:19:29.853Z","log.logger":"monitoring","log.origin":{"file.name":"memqueue/ackloop.go","file.line":95},"message":"ackloop: return ack to broker loop:1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T16:19:29.853Z","log.logger":"monitoring","log.origin":{"file.name":"memqueue/ackloop.go","file.line":98},"message":"ackloop:  done send ack","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T16:19:39.558Z","log.logger":"input","log.origin":{"file.name":"input/input.go","file.line":137},"message":"Run input","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-10-19T16:19:39.743Z","log.logger":"monitoring","log.origin":{"file.name":"processing/processors.go","file.line":210},"message":"Publish event: {\n  \"@timestamp\": \"2022-10-19T16:19:39.739Z\",\n  \"@metadata\": {\n    \"beat\": \"filebeat\",\n    \"type\": \"_doc\",\n    \"version\": \"8.4.3\",\n    \"cluster_uuid\": \"9PxnN-9PToumnPWp0L4grQ\",\n    \"type\": \"beats_stats\",\n    \"interval_ms\": 10000,\n    \"params\": {\n      \"interval\": \"10s\"\n    }\n  },\n  \"beat\": {\n    \"name\": \"5c7c0f1a019f\",\n    \"host\": \"5c7c0f1a019f\",\n    \"uuid\": \"58b729bd-d4bc-4e97-abcd-d54948bfc31c\",\n    \"type\": \"filebeat\",\n    \"version\": \"8.4.3\"\n  },\n  \"metrics\": {\n    \"beat\": {\n      \"memstats\": {\n        \"memory_total\": 59313160,\n        \"memory_alloc\": 15170848,\n        \"memory_sys\": 34423816,\n        \"gc_next\": 17808720,\n        \"rss\": 140038144\n      },\n      \"cpu\": {\n        \"user\": {\n          \"ticks\": 340,\n          \"time\": {\n            \"ms\": 340\n          }\n        },\n        \"system\": {\n          \"ticks\": 360,\n          \"time\": {\n            \"ms\": 360\n          }\n        },\n        \"total\": {\n          \"time\": {\n            \"ms\": 700\n          },\n          \"value\": 700,\n          \"ticks\": 700\n        }\n      },\n      \"runtime\": {\n        \"goroutines\": 76\n      },\n      \"info\": {\n        \"uptime\": {\n          \"ms\": 20390\n        },\n        \"ephemeral_id\": \"e6640e6f-be0b-46f1-84ab-098b54175ed3\",\n        \"name\": \"filebeat\",\n        \"version\": \"8.4.3\"\n      },\n      \"cgroup\": {\n        \"memory\": {\n          \"id\": \"/\",\n          \"mem\": {\n            \"limit\": {\n              \"bytes\": 9223372036854771712\n            },\n            \"usage\": {\n              \"bytes\": 51957760\n            }\n          }\n        },\n        \"cpu\": {\n          \"stats\": {\n    

and no beats metrics indices or data in ES :smiling_face_with_tear:

Thank you!!!

and just for the sake of completeness....

Commented out cloud.id at all in the filebeat.yml:

# =============================== Elastic Cloud ================================
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
# ENG IBC ES
#cloud.id: '${CLOUD_ID}'

# ================================== Outputs ===================================
output.console:
  enabled: false
  pretty: true

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  enabled: true
  index: "ibc-parsed-logs"
  parameters.pipeline: "geoip-info"
  hosts: ${ES_HOSTS}
  protocol: "https"
  api_key: ${ES_API_KEY}

# ============================= X-Pack Monitoring ==============================
monitoring.enabled: true
monitoring.cluster_uuid: "9PxnN-9Pxxx"


exactly the same result as above - no monitoring indices/data in ES

Can you download metricbeat... 8.4.3

Make no changes except these and run metricbeat and see what happens?
default will send system metrics but I will be curious to see if the monitoring shows up.
You could even try it from your laptop

output.elasticsearch:
  hosts: "https://my-new-es8-clust..... :9243"
  api_key: theapikey

monitoring.enabled: true

Other question did you ever run filebeat setup -e?

I guess it could be possible that your API_KEY may not have some correct permission for the monitoring data but I would expect to see errors if that was the case.

also

That looks like an environment variable. I mean put the URL directly in the filebeat.yml, not an Environment Variable or Keystore. Get rid of all variables... all hard coded...

Ok, out of desperation, I started commenting out more stuff from my filebeat.yml - to get it closer to your version.... and found what was causing all this mess!!!!

As soon as I commented out the geoip pipeline:

# =============================== Elastic Cloud ================================
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
# ENG IBC ES
#cloud.id: '${CLOUD_ID}'

# ================================== Outputs ===================================
output.console:
  enabled: false
  pretty: true

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  enabled: true
  index: "ibc-parsed-logs"
  #parameters.pipeline: "geoip-info"
  hosts: ${ES_HOSTS}
  protocol: "https"
  api_key: ${ES_API_KEY}

# ============================= X-Pack Monitoring ==============================
monitoring.enabled: true
monitoring.cluster_uuid: "9PxnN-9Pxxx"


  • the filebeat metrics started being pushed to ES and I got the new index there too:
GET /_cat/indices/*monitoring*
results:
green open .monitoring-es-7-2022.10.18                   ZSLCzJRBRiS2r4qihIw71w 1 1    385 34 690.3kb 347.2kb
green open .ds-.monitoring-kibana-8-mb-2022.10.18-000001 Xvq_P_9NRiKy3hYxPwBwmQ 1 1  43220  0  22.7mb  11.3mb
green open .monitoring-beats-7-2022.10.19                3HuDjP9NTFeBRjI5ElGkVQ 1 1     84  0 798.9kb 386.7kb
green open .ds-.monitoring-es-8-mb-2022.10.18-000001     2H4hLmyGS8q2-EQfbuynQQ 1 1 318236  0 382.2mb 190.4mb
green open .monitoring-kibana-7-2022.10.18               4kofsQNNTzylE-YWoEMYXg 1 1     76  0 371.8kb 165.7kb


GET .monitoring-beats-7-2022.10.19/_search
result:
  "hits": {
    "total": {
      "value": 88,
      "relation": "eq"
    },
    "max_score": 1,
    "hits": [
      {
        "_index": ".monitoring-beats-7-2022.10.19",
        "_id": "Fkd48YMBgEVm2LhbFsxT",
        "_score": 1,
        "_source": {
          "timestamp": "2022-10-19T18:18:42.617Z",
          "interval_ms": 10000,
          "cluster_uuid": "9PxnN-9Pxxx",
          "type": "beats_stats",
          "beats_stats": {
            "beat": {
              "uuid": "c8eccb7e-f287-4e23-8f58-4af91ccb1a8d",
              "type": "filebeat",
              "version": "8.4.3",
              "name": "54a5f02bc902",
              "host": "54a5f02bc902"
            },
            "metrics": {
              "beat": {
                "cgroup": {
                  "cpu": {
                    "id": "/",
                    "cfs": {
                      "period": {
                        "us": 100000
  ...

So I'm happy I see the monitoring data now - BUT, I need them both ... :joy: .... monitoring and GEO-enriched events!

Any idea how to do that?

thank you!!
Marina
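Two things in this thread are worth making mechanical: why the monitoring log shows a cluster-id hostname that never appears in filebeat.yml, and why commenting out `parameters.pipeline` made the monitoring indices appear. The script below is an added example, not code from the thread or from Elastic. It decodes a `cloud.id` the way Beats do (the part after the label is base64 of `host[:port]$es_id[:port]$kibana_id[:port]`, and the Elasticsearch URL becomes `https://<es_id>.<host>:<port>`, which is why the hostname in the logs matches `cluster_name` from `_cluster/state`), then checks a flattened filebeat.yml for the two settings that caused the confusion: `cloud.id` silently replacing `hosts`, and any `output.elasticsearch.parameters.*` key, which is appended as a URL query parameter to every request the output makes. The `SAMPLE_CLOUD_ID` and `SAMPLE_SETTINGS` values are constructed for the example and are not the author's real deployment.

```python
"""Added example: decode a Beats cloud.id and lint the output.elasticsearch
section for the two settings discussed in this thread."""
import base64
from typing import Dict, List, Tuple

DEFAULT_CLOUD_PORT = "443"

# Constructed sample, NOT the thread author's real cloud.id. The label before
# ":" is free text; the rest is base64 of "host[:port]$es_id[:port]$kibana_id[:port]".
_SAMPLE_DECODED = "us-east4.gcp.elastic-cloud.com:443$1e432b5236cEXAMPLE$0123456789abcdefKIBANA"
SAMPLE_CLOUD_ID = "my-new-es8-cluster:" + base64.b64encode(_SAMPLE_DECODED.encode()).decode()

# Constructed flattened filebeat.yml mirroring the shape of the config in the thread.
SAMPLE_SETTINGS: Dict[str, str] = {
    "cloud.id": SAMPLE_CLOUD_ID,
    "output.elasticsearch.hosts": "https://my-new-es8-cluster.es.us-east4.gcp.elastic-cloud.com:9243",
    "output.elasticsearch.parameters.pipeline": "geoip-info",
    "monitoring.enabled": "true",
}


def _split_port(name: str, default_port: str) -> Tuple[str, str]:
    """Split an optional ":port" suffix off a cloud.id component."""
    host, sep, port = name.partition(":")
    return host, (port if sep else default_port)


def decode_cloud_id(cloud_id: str) -> Dict[str, str]:
    """Return the https URLs a Beat derives from cloud.id; the label is ignored."""
    encoded = cloud_id.rsplit(":", 1)[-1]  # drop "<label>:" if present
    decoded = base64.b64decode(encoded).decode()
    parts = decoded.split("$")
    if len(parts) < 3:
        raise ValueError(f"expected host$es_id$kibana_id, got {decoded!r}")
    host, port = _split_port(parts[0], DEFAULT_CLOUD_PORT)
    es_id, es_port = _split_port(parts[1], port)
    kb_id, kb_port = _split_port(parts[2], port)
    return {
        "elasticsearch": f"https://{es_id}.{host}:{es_port}",
        "kibana": f"https://{kb_id}.{host}:{kb_port}",
    }


def effective_es_endpoint(settings: Dict[str, str]) -> str:
    """cloud.id wins over output.elasticsearch.hosts, as the default filebeat.yml comment says."""
    if "cloud.id" in settings:
        return decode_cloud_id(settings["cloud.id"])["elasticsearch"]
    return settings["output.elasticsearch.hosts"]


def check_output_config(settings: Dict[str, str]) -> List[str]:
    """Report the settings from this thread that are easy to misread."""
    findings: List[str] = []
    hosts = settings.get("output.elasticsearch.hosts")
    if "cloud.id" in settings and hosts:
        findings.append(
            f"cloud.id overrides output.elasticsearch.hosts ({hosts}); "
            f"the Beat actually connects to {effective_es_endpoint(settings)}"
        )
    # parameters.* are URL query parameters added to every request this output
    # sends, the monitoring bulk requests included; the thread's monitoring
    # indices only appeared once parameters.pipeline was removed.
    for key in sorted(k for k in settings if k.startswith("output.elasticsearch.parameters.")):
        findings.append(
            f"{key} rides on every request this output makes (monitoring included); "
            "use output.elasticsearch.pipeline or the input's pipeline setting instead"
        )
    return findings


if __name__ == "__main__":
    print("cloud.id ->", decode_cloud_id(SAMPLE_CLOUD_ID))
    for finding in check_output_config(SAMPLE_SETTINGS):
        print("-", finding)
```

The decoded sample starts with the same `dXMtZWFzdDQuZ2NwLmV` prefix the thread shows, since that is just `us-east4.gcp.e` in base64; the region host is readable without any secret. The lint runs over dotted keys because filebeat.yml accepts `parameters.pipeline: x` and `parameters: {pipeline: x}` interchangeably, and flattening makes both spellings look the same.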

Hooorayyy!!

:slight_smile:

We can fix the pipeline

I need your entire filebeat.yml including the whole input section... I have other stuff to do ... I will look at it a bit later...

Also I see you are writing to a different index name

try taking that index name out...

and put in

pipeline: "geoip-info"

See what happens

====

Also a sample log line that is NOT being processed by the "geoip-info" that you want

Also I want to see the "geoip-info" pipeline

I can show you how to simulate etc... Technically we should open a new thread

====
Pretty sure this is the problem.. see here you were putting stuff in the parameters of the monitoring collection ... probably breaking it.

Also one more thing... you can define the pipeline in the input try that putting

filebeat.inputs:
- type: gcp-pubsub
  project_id: my-gcp-project-id
  topic: vpc-firewall-logs-topic
  subscription.name: filebeat-vpc-firewall-logs-sub
  credentials_file: ${path.config}/my-pubsub-subscriber-credentials.json
  pipeline: "geoip-info"

Thank you, Stephen!!!
Yes, you were right - I should have checked out that tip about the geoip pipeline you gave me earlier - probably would have saved us some pain :slight_smile:

And yea, probably I should open a new thread - as we know what the issue is with metrics not getting indexed. I will do that - but before, I have to get my local setup working, as it is getting more and more difficult for me to experiment with a cloud deployment that is not mine and I do not have all the rights to modify ... So I will post a new question about that specifically, and then - onto the GEOIP :slight_smile:

But the info you asked for - I'll do it here too , just in case something very obvious jumps out just by looking at it..

Here is my full filebeat.yml:

###################### Filebeat Configuration Example #########################

queue.mem:
  events: 4096
  flush.min_events: 2048
  flush.timeout: 1s

# ============================== Filebeat inputs ===============================

filebeat.inputs:
- type: gcp-pubsub
  enabled: true
  project_id: ${PROJECT_ID}
  topic: ${PUBSUB_INPUT_TOPIC}
  subscription.name: ${SUBSCRIPTION_NAME}
  fields_under_root: true

# ======================= Elasticsearch template setting =======================
setup.template.name: "ibc-parsed-logs"
setup.template.pattern: "ibc-parsed-logs-*"
setup.template.json.enabled: true
setup.template.json.path: "ibc_es_template.json"
setup.template.json.name: "ibc-parsed-logs-template"
setup.template.enabled: true
setup.ilm.enabled: false

# =============================== Elastic Cloud ================================
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
# ENG IBC ES
#cloud.id: '${CLOUD_ID}'

# ================================== Outputs ===================================
output.console:
  enabled: false
  pretty: true

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  enabled: true
  index: "ibc-parsed-logs"
  #parameters.pipeline: "geoip-info"
  hosts: ${ES_HOSTS}
  protocol: "https"
  api_key: ${ES_API_KEY}

# ============================= X-Pack Monitoring ==============================
monitoring.enabled: true
monitoring.cluster_uuid: "9PxnN-9Pxxx"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - decode_json_fields:
      fields: ["message"]
      add_error_key: true
      document_id: "event_uuid"

# ================================== Logging ===================================
logging.metrics.enabled: true
logging.enabled: true
logging.level: debug
logging.to_files: true
logging.files:
  path: /usr/share/filebeat/f_logs
  name: filebeat
  keepfiles: 10
  permissions: 0640

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
logging.selectors: ["*"]

and here is the geoip pipeline created in ES:

PUT _ingest/pipeline/geoip-info
{
  "description": "Add geoip info",
  "processors": [
    {
      "geoip": {
        "field": "message.remote_ip",
        "target_field": "message.remote_ip_geo",
        "ignore_missing": true
      }
    }
  ]
}

You asked:

Yes, there was a lot of pain and suffering involved in getting the full pipeline working, because I needed 3 things to work together:

  1. add GEO info to my events
  2. define ILM policy to rotate the target indices on a daily basis
  3. make sure that enriched events are indexed into correct ILM-covered index

#2 and #3 together were hard to get working. I was getting errors when specifying index names with dates in them directly, similar to:

"index.lifecycle.rollover_alias [ibc-parsed-logs] does not point to index [ibc-parsed-logs-2021.09.23]"
  • and the only solution that worked - was to use the alias name used in the ILM policy as the destination for the elasticsearch output in Filebeat ..... So that's the history of why the config for the ES output is the way it is.

and if it helps - here is the ILM policy that I defined:

GET _ilm/policy/ibc-parsed-logs-ilm

output:
{
  "ibc-parsed-logs-ilm" : {
    "version" : 3,
    "modified_date" : "2021-09-29T16:39:23.368Z",
    "policy" : {
      "phases" : {
        "warm" : {
          "min_age" : "7d",
          "actions" : {
            "set_priority" : {
              "priority" : 50
            }
          }
        },
        "cold" : {
          "min_age" : "11d",
          "actions" : {
            "searchable_snapshot" : {
              "snapshot_repository" : "found-snapshots",
              "force_merge_index" : true
            },
            "set_priority" : {
              "priority" : 0
            }
          }
        },
        "hot" : {
          "min_age" : "0ms",
          "actions" : {
            "rollover" : {
              "max_primary_shard_size" : "50gb",
              "max_age" : "12h"
            },
            "set_priority" : {
              "priority" : 100
            }
          }
        },
        "delete" : {
          "min_age" : "30d",
          "actions" : {
            "delete" : {
              "delete_searchable_snapshot" : true
            }
          }
        }
      }
    },
    "in_use_by" : {
      "indices" : [
        "ibc-parsed-logs-2022.07.10-000388",
         ...
        "ibc-parsed-logs-2022.09.13-000474",
        "ibc-parsed-logs-2022.09.21-000490",
        "ibc-parsed-logs-2022.09.28-000504",
        "ibc-parsed-logs-2022.09.28-000503",
        "ibc-parsed-logs-2022.10.11-000529"
      ],
      "data_streams" : [ ],
      "composable_templates" : [ ]
    }
  }
}

Hopefully this is good info :slight_smile:
And I will start working on creating the new question for the local setup - as I feel screwing around with ILM/ ES output and geoip pipelines will require me to have full access to the ES cluster.

Thank you again for your help!
Marina


Let's leave the index names / ILM etc as you have it working (there were perhaps other ways to do that but it looks good if it is doing what you want)

Regarding the Pipeline you would want read / write access to the Kibana Dev Tools if you have that we can probably make it work.

I suspect it is not getting executed for another reason...
I have my suspicions...

So open a new thread ... put the Pipeline in it and a sample message that you thought that should go through the pipeline...


will do, thank you, Stephen! :slight_smile:


Done! For reference - here is the follow up post/question: Filebeat monitoring metrics are "dropped" when a GEOIP pipeline is used
