Filebeat not sending data to elasticsearch

gigallo · July 11, 2023, 7:56pm

Hi

've installed elasticsearch 8.5 and Kibana 8.5 in my kubernetes cluster simply applying the official helm file in the elastic repo. Now I'm trying to install filebeat with the following conf:

filebeat.inputs:
    - type: container
      paths:
      - "/var/log/app.log"
      processors:
        - add_kubernetes_metadata:
            host: ${NODE_NAME}
            in_cluster: true

and

output.elasticsearch:
      hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
      username: ${ELASTICSEARCH_USERNAME}
      password: ${ELASTICSEARCH_PASSWORD}
      protocol: https
      ssl.certificate_authorities: ["/usr/share/filebeat/certs/ca.crt"]

Our apps are writing logs in pod container under /var/log/app.log but it seems filebeat does not read the log or not send it to elasticsearch because no index are created in elastic.

How can I solve the problem? What am I doing wrong?

Thanks

leandrojmp · July 11, 2023, 8:34pm

Is your filebeat running? What do you have in your filebeat logs?

gigallo:

filebeat.inputs:
    - type: container
      paths:
      - "/var/log/app.log"
      processors:
        - add_kubernetes_metadata:
            host: ${NODE_NAME}
            in_cluster: true

If your filebeat.yml looks like this, then it looks wrong, the indentation for the processors key is wrong, processors should be on the same column as filebeat.inputs.

gigallo · July 11, 2023, 9:46pm

Filebeat is running and there are 12 pods running.

Sorry, but I made a mistake copying and pasting my file.
This is the right one:

filebeat.yml: |-
    filebeat.inputs:
    - type: container
      paths:
      - "/var/log/*.log"
      json.keys_under_root: true
      json.overwrite_keys: true
      json.add_error_key: true
      json.expand_keys: true
        
    processors:
      - add_cloud_metadata:
      - add_host_metadata:
      - add_kubernetes_metadata:
            host: ${NODE_NAME}
            in_cluster: true

In filebeat logs I have a lot of errors saying:

{"log.level":"error","@timestamp":"2023-07-11T21:40:18.493Z","log.logger":"reader_docker_json","log.origin":{"file.name":"readjson/docker_json.go","file.line":231},"message":"Parse line error: parsing CRI timestamp: parsing time \"2023/06/16\" as \"2006-01-02T15:04:05.999999999Z07:00\": cannot parse \"/06/16\" as \"-\"","service.name":"filebeat","ecs.version":"1.6.0"}

No other errors are found (for example reaching elasticsearch master or something else)

Thanks

system · August 8, 2023, 11:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat doesn't send logs to elasticsearch Beats filebeat	1	170	February 28, 2024
Filebeat doesn't send logs to Elasticsearch Beats filebeat	8	2352	February 16, 2021
Filebeats doesn't send logs to Elasticsearch Beats filebeat	1	320	February 29, 2024
Error in fetching the logs Filebeat 7.3.2 Beats filebeat	5	501	February 7, 2020
How to check logs were sending to elasticsearch Beats filebeat	12	1405	May 20, 2022

Filebeat not sending data to elasticsearch

Related topics