Hi guys,

I'm trying to figure out why my filebeat is not sending information to logstach. Instead, it's sending directly to elastic.

When I go to my kibana there is only the filebeat index patter. When I access the elastich utr :http://172.26.73.113:9200/logstash-*/_search?pretty, the following result is showed (no results):

{

"took" : 0,
"timed_out" : false,
"_shards" : {
"total" : 0,
"successful" : 0,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 0,
"relation" : "eq"
},
"max_score" : 0.0,
"hits" :
}
}

Here is my Filebeat configuration:

#================================ Outputs =====================================

Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
##output.elasticsearch:

Array of hosts to connect to.

#hosts: ["172.26.73.113:9200"]

Optional protocol and basic auth credentials.

#protocol: "https"
#username: "elastic"
#password: "changeme"

#----------------------------- Logstash output --------------------------------
output.logstash:

The Logstash hosts

hosts: ["172.26.73.113:5044"]

Optional SSL. By default is off.

List of root certificates for HTTPS server verifications

#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

here my logstash configuration file:

input {
beats {
    port => 5044
    host => "172.26.73.113"
}

}

output {
elasticsearch {
hosts => ["172.26.73.113:9200"]
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

Why are you looking for a logstash-* index. You are setting the index to "%{[@metadata][beat]}-%{+YYYY.MM.dd}", which will be filebeat...

Hi @Badger,

Thank you for that. If you point, now I can see the logs into http://172.26.73.113:9200/logstash-*/_search?pretty because I've changed the index to: index => "logstash-%{+YYYY.MM.dd}"

Thank you again.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.