I didn't execute ./filebeat setup.
I have googled the error "String index out of range: 0" when using the include_fields processor and I have some news. I have been testing for 2 hours; very strange issue.
When I use 7.6.1, if I change %{[beat.version]} to %{[agent.version]}, filebeat sends logs to elk,
I see the new index name filebeat-test-7.6.1-2020.03.19
and I see the number of documents increasing
but I can't search for data from my server.
In "discover" section, I don't see my server.
I have a mapping conflict with the version of this agent, but why can't I find my server?
I already have a mapping conflict with another index and I was still able to search despite this warning.
Another test:
I removed filebeat 7.6.1 and deleted the directories /usr/share/filebeat/ and /var/lib/filebeat/.
I installed filebeat 6.8.3 and now I can start filebeat.
It creates the index name (for now it's filebeat-test-2020.03.19) but I have no documents.
When I run ./filebeat -e -d "*"
I don't see any error; I think it sent logs to elk. Here is an example:
2020-03-19T15:47:14.800+0100 DEBUG [publish] pipeline/processor.go:309 Publish event: {
  "@timestamp": "2020-03-19T14:47:14.796Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "doc",
    "version": "6.8.3",
    "pipeline": "filebeat-6.8.3-system-syslog-pipeline"
  },
  "beat": {
    "name": "server",
    "hostname": "server",
    "version": "6.8.3"
  },
  "log": {
    "file": {
      "path": "/var/log/messages-20200301"
    }
  },
  "prospector": {
    "type": "log"
  },
  "input": {
    "type": "log"
  },
  "fileset": {
    "module": "system",
    "name": "syslog"
  },
  "event": {
    "dataset": "system.syslog"
  },
  "host": {
    "containerized": false,
    "architecture": "x86_64",
    "os": {
      "name": "CentOS Linux",
      "codename": "Core",
      "platform": "centos",
      "version": "8 (Core)",
      "family": "redhat"
    },
    "id": "f42914dcfdb74052bd6026f96c682efc",
    "name": "server"
  },
  "source": "/var/log/messages-20200301",
  "offset": 11903077,
  "message": "Feb 27 09:28:00 tlinf006 influxd[3833]: [httpd] 127.0.0.1 - metricsesxuser [27/Feb/2020:09:28:00 -0500] \"POST /write?db=metricsesx HTTP/1.1\" 204 0 \"-\" \"Telegraf/1.12.4\" 5b084eee-596d-11ea-b586-000c29a29d52 976"
}
Sometimes I have this:
2020-03-19T15:47:14.804+0100 DEBUG [publish] pipeline/client.go:201 Pipeline client receives callback 'onDroppedOnPublish' for event: %+v{2020-03-19 15:47:14.800702215 +0100 CET m=+12.736744087 {"pipeline":"filebeat-6.8.3-system-syslog-pipeline"} {"beat":{"hostname":"server_name","name":"server_name","version":"6.8.3"},"event":{"dataset":"system.syslog"},"fileset":{"module":"system","name":"syslog"},"host":{"architecture":"x86_64","containerized":false,"id":"f42914dcfdb74052bd6026f96c682efc","name":"server_name","os":{"codename":"Core","family":"redhat","name":"CentOS Linux","platform":"centos","version":"8 (Core)"}},"input":{"type":"log"},"log":{"file":{"path":"/var/log/messages-20200223"}},"message":"Feb 20 08:50:00 tlinf006 influxd[3833]: [httpd] 127.0.0.1 - metricsesxuser [20/Feb/2020:08:50:00 -0500] \"POST /write?db=metricsesx HTTP/1.1\" 204 0 \"-\" \"Telegraf/1.12.4\" e327b549-53e7-11ea-91fd-000c29a29d52 1332","offset":11808824,"prospector":{"type":"log"},"source":"/var/log/messages-20200223"} { false 0xc42026e340 /var/log/messages-20200223 11809035 2020-03-19 15:47:05.239440054 +0100 CET m=+3.175481921 -1ns log map[] 100902053-64768}}
2020-03-19T15:47:14.804+0100 DEBUG [publish] pipeline/client.go:201 Pipeline client receives callback 'onDroppedOnPublish' for event: %+v{2020-03-19 15:47:14.797354791 +0100 CET m=+12.733396655 null {"log":{"file":{"path":"/var/log/messages-20200308"}},"message":"Mar 5 08:13:40 tlinf006 influxd[3833]: [httpd] 127.0.0.1 - metricsesxuser [05/Mar/2020:08:13:40 -0500] \"POST /write?db=metricsesx HTTP/1.1\" 204 0 \"-\" \"Telegraf/1.12.4\" 218e9488-5ee3-11ea-9521-000c29a29d52 1161","offset":11731751,"source":"/var/log/messages-20200308"} { false 0xc42026e680 /var/log/messages-20200308 11731962 2020-03-19 15:47:05.240800594 +0100 CET m=+3.176842470 -1ns log map[] 100943419-64768}}
And when I look at the elk server, I have a mapping conflict. How is that possible? I have other filebeat agents with 6.8.3, so I don't understand.
Is it due to the previous installation of 7.6.1?
Thank you for your help.
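Added example, not part of the post above and not Filebeat or Elasticsearch code: a small check that flattens two index mappings and reports fields whose types differ, which is what Kibana flags as a mapping conflict in an index pattern and what stops those fields from being usable in Discover. The two mappings are constructed samples modelled on the 6.x event shown above (where `source` is a plain keyword holding the file path) and a 7.x ECS-style index (where `source` is an object); they are not taken from the poster's cluster.

```python
"""Report fields whose mapping types differ between two Elasticsearch index mappings.

Kibana marks a field as 'conflict' in an index pattern when the indices it
matches map the same field name to different types; documents are still
indexed, but the conflicting field cannot be queried or aggregated in Discover.
"""
from typing import Dict, Tuple

# Constructed sample mappings (not taken from a real cluster), modelled on a
# Filebeat 6.x index (`source` = keyword file path) and a 7.x ECS-style index
# (`source` = object with e.g. `source.ip`).
MAPPING_6X = {
    "properties": {
        "beat": {"properties": {"version": {"type": "keyword"},
                                "hostname": {"type": "keyword"}}},
        "source": {"type": "keyword"},
        "offset": {"type": "long"},
        "host": {"properties": {"name": {"type": "keyword"}}},
    }
}
MAPPING_7X = {
    "properties": {
        "agent": {"properties": {"version": {"type": "keyword"}}},
        "source": {"properties": {"ip": {"type": "ip"}}},
        "log": {"properties": {"offset": {"type": "long"}}},
        "host": {"properties": {"name": {"type": "keyword"}}},
    }
}


def flatten(mapping: dict, prefix: str = "") -> Dict[str, str]:
    """Flatten a mapping to {dotted.field.name: type}; sub-objects get type 'object'."""
    out: Dict[str, str] = {}
    for name, spec in mapping.get("properties", {}).items():
        path = f"{prefix}{name}"
        if "properties" in spec:
            out[path] = "object"
            out.update(flatten(spec, path + "."))
        else:
            out[path] = spec.get("type", "object")
    return out


def find_conflicts(a: dict, b: dict) -> Dict[str, Tuple[str, str]]:
    """Return {field: (type_in_a, type_in_b)} for fields present in both but mapped differently."""
    fa, fb = flatten(a), flatten(b)
    return {f: (fa[f], fb[f]) for f in fa.keys() & fb.keys() if fa[f] != fb[f]}


if __name__ == "__main__":
    for field, (t6, t7) in sorted(find_conflicts(MAPPING_6X, MAPPING_7X).items()):
        print(f"conflict: {field}: {t6} vs {t7}")  # prints: conflict: source: keyword vs object
```

Against a live cluster, pass the `mappings` object that GET <index>/_mapping returns for two filebeat-* indices matched by the same index pattern.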