Filebeat not connecting to logstash server with no error logs

Houss · August 9, 2024, 7:24am

Hi,

I know the title will sound generic but I'm facing a new problem I've never encountered in the past.

I have a filebeat installed on an exchange server, and everything works fine : filebeat establish a connection to logstash, and send logs.
I have installed filebeat on another server, with the same .yml file, same certificates, same logs file path, but filebeat doesn't establish a connection with my logstash server, and the logs don't say why at all, even in debug mode. Both servers can ping and tnc to my logstash server on 5043 port.

Here's my .yml file, even though it's the same as with the working server

filebeat.inputs:
- type: filestream
  id: exchange-trackinglog
  enabled: true
  paths:
    - D:\Exchange Server\V15\TransportRoles\Logs\*.LOG
  fields:
    service.name : exchange-trackinglog
    service.type : exchange
    service.environment : prod 
  fields_under_root: true
  exclude_lines : ["^#"]

output.logstash:
  hosts: ["xxxxx:5043"]
  ssl.certificate_authorities: "C:/Program Files/Filebeat/filebeat-8.14.3-windows-x86_64/avem_cacert.crt"
  ssl.certificate: "C:/Program Files/Filebeat/filebeat-8.14.3-windows-x86_64/logstash-client-_certificate.pem"
  ssl.key: "C:/Program Files/Filebeat/filebeat-8.14.3-windows-x86_64/logstash-client--key8.pem"

logging.to_files: true
logging.files:
   path: C:\Program Files\Filebeat\filebeat-8.14.3-windows-x86_64\Logs

Here are the logs of the working filebeat :

{"log.level":"info","@timestamp":"2024-08-06T09:50:39.190+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":816},"message":"Home path: [C:\\Program Files\\Filebeat\\filebeat-8.14.3-windows-x86_64] Config path: [C:\\Program Files\\Filebeat\\filebeat-8.14.3-windows-x86_64] Data path: [C:\\ProgramData\\filebeat] Logs path: [C:\\ProgramData\\filebeat\\logs]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.195+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":824},"message":"Beat ID: 78000e99-6c93-4c79-b9cd-03ef88aaac18","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.203+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1370},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"C:\\Program Files\\Filebeat\\filebeat-8.14.3-windows-x86_64","data":"C:\\ProgramData\\filebeat","home":"C:\\Program Files\\Filebeat\\filebeat-8.14.3-windows-x86_64","logs":"C:\\ProgramData\\filebeat\\logs"},"type":"filebeat","uuid":"78000e99-6c93-4c79-b9cd-03ef88aaac18"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.203+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1379},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"71819961045386b23edc18455f1b54764292816c","libbeat":"8.14.3","time":"2024-07-08T22:05:44.000Z","version":"8.14.3"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.203+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1382},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"windows","arch":"amd64","max_procs":8,"version":"go1.21.12"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.209+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1388},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","native_architecture":"","boot_time":"2024-06-12T21:58:18+02:00","name":"swexc101pb","ip":["10.119.196.143","fe80::ede4:edfc:951e:7875","169.254.2.46","::1","127.0.0.1","fe80::5efe:a77:c48f","fe80::5efe:a9fe:22e"],"kernel_version":"10.0.14393.6981 (rs1_release.240503-1859)","mac":["00:50:56:b2:63:28","02:4d:2d:0e:08:e4","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"type":"windows","family":"windows","platform":"windows","name":"Windows Server 2016 Standard","version":"10.0","major":10,"minor":0,"patch":0,"build":"14393.6981"},"timezone":"CEST","timezone_offset_sec":7200,"id":"79231719-5ed9-4958-8199-0a753f0eb361"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.209+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1417},"message":"Process info","service.name":"filebeat","system_info":{"process":{"cwd":"C:\\Windows\\system32","exe":"C:\\Program Files\\Filebeat\\filebeat-8.14.3-windows-x86_64\\filebeat.exe","name":"filebeat.exe","pid":42112,"ppid":852,"start_time":"2024-08-06T09:50:38.560+0200"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.209+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).createBeater","file.name":"instance/beat.go","file.line":339},"message":"Setup Beat: filebeat; Version: 8.14.3","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.223+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.LoadWithSettings","file.name":"pipeline/module.go","file.line":105},"message":"Beat name: SWEXC101PB","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.224+0200","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.newModuleRegistry","file.name":"fileset/modules.go","file.line":136},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-08-06T09:50:39.224+0200","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*Filebeat).setupPipelineLoaderCallback","file.name":"beater/filebeat.go","file.line":193},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.224+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).launch","file.name":"instance/beat.go","file.line":525},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.224+0200","log.logger":"monitoring","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).snapshotLoop","file.name":"log/log.go","file.line":145},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.228+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/statestore/backend/memlog.openStore","file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for 'C:\\ProgramData\\filebeat\\registry\\filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.230+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/statestore/backend/memlog.openStore","file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for 'C:\\ProgramData\\filebeat\\registry\\filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-08-06T09:50:39.230+0200","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*Filebeat).Run","file.name":"beater/filebeat.go","file.line":331},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.230+0200","log.logger":"input","log.origin":{"function":"github.com/elastic/beats/v7/x-pack/filebeat/input/shipper.NewInputManager","file.name":"shipper/input.go","file.line":55},"message":"creating new InputManager","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.231+0200","log.logger":"registrar","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.(*Registrar).loadStates","file.name":"registrar/registrar.go","file.line":107},"message":"States Loaded from registrar: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.231+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).Start","file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.231+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).startInput","file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.enabled filebeat.inputs.0.exclude_lines.0 filebeat.inputs.0.fields.service.environment filebeat.inputs.0.fields.service.name filebeat.inputs.0.fields.service.type filebeat.inputs.0.fields_under_root filebeat.inputs.0.id filebeat.inputs.0.paths.0 filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.639+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).startInput","file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 9116355572603324195)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.639+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).Start","file.name":"beater/crawler.go","file.line":106},"message":"Loading and starting Inputs completed. Enabled inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.639+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/v2/compat.(*runner).Start.func1","file.name":"compat/compat.go","file.line":121},"message":"Input 'filestream' starting","service.name":"filebeat","id":"exchange-trackinglog","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.640+0200","log.logger":"metric_registry","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/inputmon.NewInputRegistry","file.name":"inputmon/input.go","file.line":63},"message":"registering","service.name":"filebeat","input_type":"filestream","id":"exchange-trackinglog","key":"exchange-trackinglog","uuid":"3f736064-b013-4b2f-918a-5d39d4fe4685","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.745+0200","log.logger":"publisher_pipeline_output","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run","file.name":"pipeline/client_worker.go","file.line":137},"message":"Connecting to backoff(async(tcp://xxxxx:5043))","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T09:50:39.762+0200","log.logger":"publisher_pipeline_output","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run","file.name":"pipeline/client_worker.go","file.line":145},"message":"Connection to backoff(async(tcp://xxxxx:5043)) established","service.name":"filebeat","ecs.version":"1.6.0"}

And here are the logs for the non-working filebeat (no connection to thelogstash server) :

{"log.level":"info","@timestamp":"2024-08-06T11:14:22.584+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":816},"message":"Home path: [C:\\Program Files\\Filebeat\\filebeat-8.14.3-windows-x86_64] Config path: [C:\\Program Files\\Filebeat\\filebeat-8.14.3-windows-x86_64] Data path: [C:\\ProgramData\\filebeat] Logs path: [C:\\ProgramData\\filebeat\\logs]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.585+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).loadMeta","file.name":"instance/beat.go","file.line":935},"message":"Beat metadata path: C:\\ProgramData\\filebeat\\meta.json","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.586+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":824},"message":"Beat ID: f33841d1-24d9-4ac7-872f-3ae28d3fd382","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.594+0200","log.logger":"seccomp","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/common/seccomp.loadFilter","file.name":"seccomp/seccomp.go","file.line":97},"message":"Syscall filtering is only supported on Linux","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.594+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1370},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"C:\\Program Files\\Filebeat\\filebeat-8.14.3-windows-x86_64","data":"C:\\ProgramData\\filebeat","home":"C:\\Program Files\\Filebeat\\filebeat-8.14.3-windows-x86_64","logs":"C:\\ProgramData\\filebeat\\logs"},"type":"filebeat","uuid":"f33841d1-24d9-4ac7-872f-3ae28d3fd382"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.595+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1379},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"71819961045386b23edc18455f1b54764292816c","libbeat":"8.14.3","time":"2024-07-08T22:05:44.000Z","version":"8.14.3"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.595+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1382},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"windows","arch":"amd64","max_procs":8,"version":"go1.21.12"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.600+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1388},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","native_architecture":"","boot_time":"2024-06-11T21:58:25+02:00","name":"swexc102pa","ip":["10.119.196.146","fe80::cfe:4c19:141:2ac8","169.254.3.154","::1","127.0.0.1","fe80::5efe:a77:c492","fe80::5efe:a9fe:39a"],"kernel_version":"10.0.14393.6981 (rs1_release.240503-1859)","mac":["00:50:56:b2:5e:7c","02:bd:fc:4e:4d:d2","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"type":"windows","family":"windows","platform":"windows","name":"Windows Server 2016 Standard","version":"10.0","major":10,"minor":0,"patch":0,"build":"14393.6981"},"timezone":"CEST","timezone_offset_sec":7200,"id":"c041a2f1-d23a-4525-8c1c-a7df382065e3"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.601+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1417},"message":"Process info","service.name":"filebeat","system_info":{"process":{"cwd":"C:\\Windows\\system32","exe":"C:\\Program Files\\Filebeat\\filebeat-8.14.3-windows-x86_64\\filebeat.exe","name":"filebeat.exe","pid":49064,"ppid":860,"start_time":"2024-08-06T11:14:22.354+0200"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.601+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).createBeater","file.name":"instance/beat.go","file.line":339},"message":"Setup Beat: filebeat; Version: 8.14.3","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.606+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).createBeater","file.name":"instance/beat.go","file.line":367},"message":"Initializing output plugins","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.615+0200","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.LoadCertificate","file.name":"tlscommon/tls.go","file.line":86},"message":"Loading certificate: C:/Program Files/Filebeat/filebeat-8.14.3-windows-x86_64/logstash-client-chartres_certificate.pem and key C:/Program Files/Filebeat/filebeat-8.14.3-windows-x86_64/logstash-client-chartres-key8.pem","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.615+0200","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.LoadCertificateAuthorities","file.name":"tlscommon/tls.go","file.line":234},"message":"Successfully loaded CA certificate: C:/Program Files/Filebeat/filebeat-8.14.3-windows-x86_64/avem_cacert.crt","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.616+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*eventConsumer).run","file.name":"pipeline/consumer.go","file.line":110},"message":"start pipeline event consumer","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.616+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*queueReader).run","file.name":"pipeline/queue_reader.go","file.line":49},"message":"pipeline event consumer queue reader: start","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.616+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.LoadWithSettings","file.name":"pipeline/module.go","file.line":105},"message":"Beat name: SWEXC102PA","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.616+0200","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.newModuleRegistry","file.name":"fileset/modules.go","file.line":136},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-08-06T11:14:22.616+0200","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*Filebeat).setupPipelineLoaderCallback","file.name":"beater/filebeat.go","file.line":193},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.616+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).launch","file.name":"instance/beat.go","file.line":525},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.616+0200","log.logger":"monitoring","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).snapshotLoop","file.name":"log/log.go","file.line":145},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.616+0200","log.logger":"test","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.isFile","file.name":"registrar/migrate.go","file.line":287},"message":"isFile(C:\\ProgramData\\filebeat\\registry) -> false","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.616+0200","log.logger":"service","log.origin":{"function":"github.com/elastic/elastic-agent-libs/service.ProcessWindowsControlEvents","file.name":"service/service_windows.go","file.line":134},"message":"Windows is interactive: false","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.616+0200","log.logger":"test","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.isFile","file.name":"registrar/migrate.go","file.line":287},"message":"isFile() -> false","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.616+0200","log.logger":"test","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.isDir","file.name":"registrar/migrate.go","file.line":280},"message":"isDir(C:\\ProgramData\\filebeat\\registry\\filebeat) -> true","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.616+0200","log.logger":"test","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.isFile","file.name":"registrar/migrate.go","file.line":287},"message":"isFile(C:\\ProgramData\\filebeat\\registry\\filebeat\\meta.json) -> true","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.617+0200","log.logger":"registrar","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.(*Migrator).Run","file.name":"registrar/migrate.go","file.line":82},"message":"Registry type '1' found","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.618+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/statestore/backend/memlog.openStore","file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for 'C:\\ProgramData\\filebeat\\registry\\filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.620+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/statestore/backend/memlog.openStore","file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for 'C:\\ProgramData\\filebeat\\registry\\filebeat'. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-08-06T11:14:22.621+0200","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*Filebeat).Run","file.name":"beater/filebeat.go","file.line":331},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.621+0200","log.logger":"input","log.origin":{"function":"github.com/elastic/beats/v7/x-pack/filebeat/input/shipper.NewInputManager","file.name":"shipper/input.go","file.line":55},"message":"creating new InputManager","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.621+0200","log.logger":"registrar","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.(*Registrar).loadStates","file.name":"registrar/registrar.go","file.line":107},"message":"States Loaded from registrar: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.621+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).Start","file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.621+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).startInput","file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.enabled filebeat.inputs.0.exclude_lines.0 filebeat.inputs.0.fields.service.environment filebeat.inputs.0.fields.service.name filebeat.inputs.0.fields.service.type filebeat.inputs.0.fields_under_root filebeat.inputs.0.id filebeat.inputs.0.paths.0 filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.621+0200","log.logger":"registrar","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.(*Registrar).Run","file.name":"registrar/registrar.go","file.line":138},"message":"Starting Registrar","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.621+0200","log.logger":"scanner","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileScanner).resolveRecursiveGlobs","file.name":"filestream/fswatch.go","file.line":334},"message":"recursive glob enabled","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.621+0200","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.newProspector","file.name":"filestream/prospector_creator.go","file.line":58},"message":"file identity is set to native","service.name":"filebeat","filestream_id":"exchange-trackinglog","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.622+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).startInput","file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 9116355572603324195)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.622+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).Start","file.name":"beater/crawler.go","file.line":106},"message":"Loading and starting Inputs completed. Enabled inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.622+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/v2/compat.(*runner).Start.func1","file.name":"compat/compat.go","file.line":121},"message":"Input 'filestream' starting","service.name":"filebeat","id":"exchange-trackinglog","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:22.622+0200","log.logger":"metric_registry","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/inputmon.NewInputRegistry","file.name":"inputmon/input.go","file.line":63},"message":"registering","service.name":"filebeat","input_type":"filestream","id":"exchange-trackinglog","key":"exchange-trackinglog","uuid":"04df5f39-3d1f-4242-8d58-37a5d77fa553","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.622+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileProspector).Run","file.name":"filestream/prospector.go","file.line":133},"message":"Starting prospector","service.name":"filebeat","id":"exchange-trackinglog","prospector":"file_prospector","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.622+0200","log.logger":"file_watcher","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileWatcher).watch","file.name":"filestream/fswatch.go","file.line":125},"message":"Start next scan","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:22.622+0200","log.logger":"file_watcher","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileWatcher).watch","file.name":"filestream/fswatch.go","file.line":229},"message":"File scan complete","service.name":"filebeat","total":0,"written":0,"truncated":0,"renamed":0,"removed":0,"created":0,"ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:32.622+0200","log.logger":"file_watcher","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileWatcher).watch","file.name":"filestream/fswatch.go","file.line":125},"message":"Start next scan","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:32.622+0200","log.logger":"file_watcher","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileWatcher).watch","file.name":"filestream/fswatch.go","file.line":229},"message":"File scan complete","service.name":"filebeat","total":0,"written":0,"truncated":0,"renamed":0,"removed":0,"created":0,"ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:42.623+0200","log.logger":"file_watcher","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileWatcher).watch","file.name":"filestream/fswatch.go","file.line":125},"message":"Start next scan","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-08-06T11:14:42.623+0200","log.logger":"file_watcher","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileWatcher).watch","file.name":"filestream/fswatch.go","file.line":229},"message":"File scan complete","service.name":"filebeat","total":0,"written":0,"truncated":0,"renamed":0,"removed":0,"created":0,"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-08-06T11:14:52.618+0200","log.logger":"monitoring","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot","file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":187,"time":{"ms":187}},"total":{"ticks":265,"time":{"ms":265},"value":265},"user":{"ticks":78,"time":{"ms":78}}},"info":{"ephemeral_id":"d1d7bf64-785f-455e-a980-99ef2eb4980c","name":"filebeat","uptime":{"ms":30165},"version":"8.14.3"},"memstats":{"gc_next":33902648,"memory_alloc":17025256,"memory_sys":41217912,"memory_total":35281136,"rss":68431872},"runtime":{"goroutines":29}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"type":"logstash","write":{"latency":{"histogram":{"count":0,"max":0,"mean":0,"median":0,"min":0,"p75":0,"p95":0,"p99":0,"p999":0,"stddev":0}}}},"pipeline":{"clients":0,"events":{"active":0},"queue":{"max_events":3200}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":8},"handles":{"open":202}}},"ecs.version":"1.6.0"}}

Any idea please ?

Houss · August 9, 2024, 7:27am

Adding another info :
a tcpdump command on my logstash server shows that I'm not receiving anything from the non-working filebeat server.

Houss · August 9, 2024, 7:34am

Also forgot to add that a .\filebeat.exe -e test config command says the configuration is OK

Rios · August 9, 2024, 9:23am

Most likely FB already read log, rename/remove log.json in C:\ProgramData\filebeat\ and restart FB.

{"log.level":"warn","@timestamp":"2024-08-06T11:14:22.616+0200","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*Filebeat).setupPipelineLoaderCallback","file.name":"beater/filebeat.go","file.line":193},"message":"Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.","service.name":"filebeat","ecs.version":"1.6.0"}
This is not related to the problem, however if you want to send directly to ES, you will need the ingest pipelines, as is mentioned in the log.

Houss · August 9, 2024, 10:42am

Hello, thank you for your time.
I already tried to delete the registry before running filebeat. We can also see in the logs that filebeat is finding non-zero metrics after it starts, and continuously do so.

Rios · August 9, 2024, 10:59am

Which file have you deleted?

Can you add below output.logstash:
ssl.enabled: true

Run it: filebeat -e, you should see data on your screen.

Houss · August 9, 2024, 11:24am

I've deleted this folder : C:\ProgramData\filebeat\registry
I'm used to do this so filebeat can rescan all files. Again, the logs says filebeat detects non-zero metrics so I don't think that's the issue here.

I will try ssl.enabled to true, but the documentation says it's true by default Configure SSL | Filebeat Reference [8.15] | Elastic (and it's working on the oher server with the same configuration file).
Thanks,

Houss · August 9, 2024, 12:02pm

Hello again,
I've tried to add ssl.enabled: true and run filebeat -e in the command line.
The logs are exactly the same as mentionned in my original post, nowhere am I seeing a "connection established" line or an error indicating otherwise.

Thanks,

Rios · August 9, 2024, 12:23pm

For test purpose, copy a file in another directory and change path in filebeat.yml.
Run it again: filebeat -e

By the way, you are running: .\filebeat.exe which means in Powershell, have you started PS as admin? Does the user has rights to read logs?

Houss · August 9, 2024, 1:37pm

Well, that's embarassing. The problem was that the path was indeed incorrect, it was D:\Exchange Serveurinstead of D:\Exchange Server

Thanks you were right with checking the path.
Case closed.