Filebeat not sending JSON to file

Hello everyone,
I am trying to send a JSON formatted file to file for troubleshooting. I can see in the filebeat log that the file is being harvested, but nothing is being outputted to file.
Here is my filebeat.yml:

filebeat.prospectors:
- type: log
  paths: 
    - "C:/logs/info/*registry2json.json"
  json.keys_under_root: true
  json.add_error_key: true
  json.message_key: message
  tags: registry_json
  clean_removed: true

output.file:
  path: 'C:/logs/temp'
  filename: filebeat
  codec.json:
    pretty: true

Here is a sample of my single line JSON file:

{"ComputerName":"computer1","alignedServer":"server1","appVersion":"18.0.27.255","MSWindowsVersion":"10.0","MAC":"70-00-00-00-00-00","date":"04/13/2018 10:08:30","HKLM":{"HKLM\\Software\\company\\hrbu":{"Habitat":"QA","LANTaxServer":"server1", }}

The file I am trying to prospect is From all that I have read in the documentation, this should be working.

Any help would be greatly appreciated

The JSON you posted is invalid. But even so Filebeat will send an event saying:

  "error": {
    "message": "Error decoding JSON: EOF",
    "type": "json"
  },

What Filebeat version are you testing this with? Each time you run the test you'll likely want to remove the registry file (./data/registry) that gets created so that it re-reads the input file from the start.

Thank you for your reply Andrew.

Currently using 6.2.3.

The JSON I posted is just a very small sample of the complete file. I have verified that the full file is valid in JSONlint.

I forgot to add, as part of a process that runs on our systems, the JSON file is deleted and recreated every 90 minutes. That is why I have the clean_removed enabled. Does that not do the same as delete the registry file but just for that specific file?

Thanks

As a troubleshooting step I would do a test to see if the output file is populated at all after removing the registry manually. You could also try the console output to see if that works (since you said that it is harvesting but there's no output).

Adding some debug logging could be useful too. In your config file:

logging.level: debug

Just to be sure, the registry file was deleted and the filebeat service started again. Still no luck.

I have also tried the console route, again, no luck.

I have debug mode on, and the filebeat log shows:
"
2018-04-13T11:45:06.835-0500 INFO crawler/crawler.go:48 Loading Prospectors: 1
2018-04-13T11:45:06.835-0500 DEBUG [registrar] registrar/registrar.go:150 Starting Registrar
2018-04-13T11:45:06.835-0500 DEBUG [processors] processors/processor.go:49 Processors:
2018-04-13T11:45:06.835-0500 DEBUG [prospector] log/config.go:178 recursive glob enabled
2018-04-13T11:45:06.835-0500 DEBUG [prospector] log/prospector.go:120 exclude_files: []. Number of stats: 0
2018-04-13T11:45:06.835-0500 DEBUG [prospector] log/prospector.go:141 Prospector with previous states loaded: 0
2018-04-13T11:45:06.835-0500 INFO log/prospector.go:111 Configured paths: [C:\logs\info*registry2json.json]
2018-04-13T11:45:06.835-0500 DEBUG [prospector] prospector/prospector.go:87 Starting prospector of type: log; ID: 14027404898239784573
2018-04-13T11:45:06.835-0500 DEBUG [prospector] log/prospector.go:147 Start next scan
2018-04-13T11:45:06.835-0500 DEBUG [cfgfile] cfgfile/reload.go:95 Checking module configs from: C:\beats\filebeat/modules.d/*.yml
2018-04-13T11:45:06.836-0500 DEBUG [cfgfile] cfgfile/reload.go:109 Number of module configs found: 0
2018-04-13T11:45:06.836-0500 INFO crawler/crawler.go:82 Loading and starting Prospectors completed. Enabled prospectors: 1
2018-04-13T11:45:06.836-0500 INFO cfgfile/reload.go:127 Config reloader started
2018-04-13T11:45:06.836-0500 DEBUG [cfgfile] cfgfile/reload.go:151 Scan for new config files
2018-04-13T11:45:06.836-0500 DEBUG [cfgfile] cfgfile/reload.go:170 Number of module configs found: 0
2018-04-13T11:45:06.836-0500 INFO cfgfile/reload.go:219 Loading of config files completed.
2018-04-13T11:45:06.836-0500 DEBUG [prospector] log/prospector.go:361 Check file for harvesting: C:\logs\info\09280-3PARTY-X0_registry2json.json
2018-04-13T11:45:06.836-0500 DEBUG [prospector] log/prospector.go:434 Start harvester for new file: C:\logs\info\09280-3PARTY-X0_registry2json.json
2018-04-13T11:45:06.837-0500 DEBUG [harvester] log/harvester.go:447 Setting offset for file based on seek: C:\logs\info\09280-3PARTY-X0_registry2json.json
2018-04-13T11:45:06.837-0500 DEBUG [harvester] log/harvester.go:433 Setting offset for file: C:\logs\info\09280-3PARTY-X0_registry2json.json. Offset: 0
2018-04-13T11:45:06.837-0500 DEBUG [harvester] log/harvester.go:348 Update state: C:\logs\info\09280-3PARTY-X0_registry2json.json, offset: 0
2018-04-13T11:45:06.837-0500 DEBUG [prospector] file/state.go:82 New state added for C:\logs\info\09280-3PARTY-X0_registry2json.json
2018-04-13T11:45:06.837-0500 DEBUG [prospector] log/prospector.go:168 Prospector states cleaned up. Before: 1, After: 1
2018-04-13T11:45:06.837-0500 DEBUG [registrar] registrar/registrar.go:200 Processing 1 events
2018-04-13T11:45:06.837-0500 INFO log/harvester.go:216 Harvester started for file: C:\logs\info\09280-3PARTY-X0_registry2json.json
2018-04-13T11:45:06.837-0500 DEBUG [prospector] file/state.go:82 New state added for C:\logs\info\09280-3PARTY-X0_registry2json.json
2018-04-13T11:45:06.837-0500 DEBUG [registrar] registrar/registrar.go:193 Registrar states cleaned up. Before: 1, After: 1
2018-04-13T11:45:06.837-0500 DEBUG [registrar] registrar/registrar.go:228 Write registry file: C:\ProgramData\filebeat\registry
2018-04-13T11:45:06.837-0500 DEBUG [harvester] log/log.go:85 End of file reached: C:\logs\info\09280-3PARTY-X0_registry2json.json; Backoff now.
2018-04-13T11:45:06.840-0500 DEBUG [registrar] registrar/registrar.go:253 Registry file updated. 1 states written.
2018-04-13T11:45:07.845-0500 DEBUG [harvester] log/log.go:85 End of file reached: C:\logs\info\09280-3PARTY-X0_registry2json.json; Backoff now.
2018-04-13T11:45:09.848-0500 DEBUG [harvester] log/log.go:85 End of file reached: C:\logs\info\09280-3PARTY-X0_registry2json.json; Backoff now.
2018-04-13T11:45:13.858-0500 DEBUG [harvester] log/log.go:85 End of file reached: C:\logs\info\09280-3PARTY-X0_registry2json.json; Backoff now.
2018-04-13T11:45:16.841-0500 DEBUG [prospector] prospector/prospector.go:124 Run prospector
2018-04-13T11:45:16.841-0500 DEBUG [prospector] log/prospector.go:147 Start next scan
2018-04-13T11:45:16.841-0500 DEBUG [prospector] log/prospector.go:361 Check file for harvesting: C:\logs\info\09280-3PARTY-X0_registry2json.json
2018-04-13T11:45:16.841-0500 DEBUG [prospector] log/prospector.go:447 Update existing file for harvesting: C:\logs\info\09280-3PARTY-X0_registry2json.json, offset: 0
2018-04-13T11:45:16.841-0500 DEBUG [prospector] log/prospector.go:499 Harvester for file is still running: C:\logs\info\09280-3PARTY-X0_registry2json.json
2018-04-13T11:45:16.841-0500 DEBUG [prospector] log/prospector.go:168 Prospector states cleaned up. Before: 1, After: 1
2018-04-13T11:45:21.866-0500 DEBUG [harvester] log/log.go:85 End of file reached: C:\logs\info\09280-3PARTY-X0_registry2json.json; Backoff now.
2018-04-13T11:45:26.850-0500 DEBUG [prospector] prospector/prospector.go:124 Run prospector
2018-04-13T11:45:26.850-0500 DEBUG [prospector] log/prospector.go:147 Start next scan
"

wash, rinse, repeat.

What is strange is I can harvest other log files with no issue from the same directory with the same permissions, but this file will not.

Thanks

Bump for viability.

Are the JSON events split by newlines? Filebeat still requires a newline symbol per event. The log messages say the offset is still 0, while the reader is at the end of the file. It might be the case that the file contents are still buffered, waiting for the newline in order to forward the raw contents to the JSON parser.

Steffens,

No, there are no new lines as the file is all one line JSON. The file does not include a new line at the end of the file.

I just added the new line, and boom, data was sent.

Thanks for the help everyone!
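
An added example, not part of the original thread and not Filebeat's own code: a simplified Python model of the newline-delimited reading described in the reply above, usable as a pre-flight check on a JSON log file before pointing a shipper at it. The function names and the sample record (built from field names in the question) are assumptions made for illustration.

```python
import json

# Constructed sample: one JSON object on a single line, no trailing newline.
SAMPLE = b'{"ComputerName":"computer1","alignedServer":"server1","HKLM":{"Habitat":"QA"}}'

def split_complete_lines(data: bytes):
    """Model of a line-oriented reader: only bytes up to the last newline
    are released as lines; the remainder stays buffered and the committed
    offset does not move past it."""
    end = data.rfind(b"\n") + 1            # 0 when the data has no newline
    return data[:end].splitlines(), end, data[end:]

def preflight(data: bytes) -> dict:
    """Report what a newline-delimited JSON reader would forward."""
    lines, offset, pending = split_complete_lines(data)
    events, errors = [], []
    for number, raw in enumerate(lines, 1):
        if not raw.strip():
            continue                       # blank lines carry no event
        try:
            events.append(json.loads(raw))
        except ValueError as exc:          # bad JSON or bad encoding
            errors.append((number, str(exc)))
    return {
        "events": events,
        "errors": errors,
        "offset": offset,                  # bytes a registry could commit
        "pending_bytes": len(pending),     # bytes still waiting for "\n"
    }

if __name__ == "__main__":
    cases = [
        ("no trailing newline", SAMPLE),
        ("newline terminated", SAMPLE + b"\n"),
        ("CRLF then unterminated", SAMPLE + b"\r\n" + SAMPLE),
        ("trailing comma", b'{"a": 1, }\n'),
    ]
    for label, data in cases:
        report = preflight(data)
        print(f"{label}: events={len(report['events'])} "
              f"errors={len(report['errors'])} offset={report['offset']} "
              f"pending={report['pending_bytes']}")
```

A nonzero pending count with zero events matches the symptom in the debug log above: the harvester reports end of file while the offset stays at 0.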
