Filebeat neither sending updated logs to AWS elastic search nor updating it's own logs

I have configured filebeat(version 7.1.1) on my system to send logs to AWS Elastic Search but it is not doing following two things appropriately:

  1. Updating it's own log file at /var/log/filebeat, and
  2. Sending the updated logs from /var/log/*logs to AWS ES

Issue 1: When I run sudo service filebeat restart it does not update logs files. I tried running filebeat -c /etc/filebeat/filebeat.yml to update the log files. When I run this command the terminal hangs and I have to manually close the terminal and start a new session. Filebeat logs get updated after this.

Issue 2: The log files are sent only the first time and then it never gets updated. When I do curl XGET aws_elasticsearch_domain it only returns the logs sent for the first time.I checked the Kibana dashboard as well and it only has the logs from the first time.

As per my current /var/log/filebeat/filebeat log file the connection to ES was successful and the logs were send but I still cannot see the updated logs on Kibana or through curl -XGET*:*.


- type: log
  enabled: true
    - /var/log/*.log
  scan_frequency: 5s
  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after

  index.number_of_shards: 1

  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

  hosts: [""]
  bulk_max_size: 2
  timeout: 180

  host: [""]
  path: /_plugin/kibana

Hello, thanks for reaching out. I'm curious what operating system is running on the system that has filebeat on it? I've seen issues with RHEL & CentOS 7.x where logs from beats end up in journald.

You may want to run the following command to see if logs are in journald.

journalctl -u filebeat.service

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.