ES 7.0.2
I am trying to view the Filebeat System "New users and groups" dashboard, but the results are sporadic at best.
Filebeat 7.2.0 is installed locally on the ES instance and on a remote machine to confirm. It is configured to harvest /var/log/secure.
Add a user and watch in Discovery: the event(s) get shipped quickly (filebeat -e -d "*"), but the event may or may not turn up either in the dashboard or in Discovery. Maybe an hour later, but sometimes nothing.
Clean install with no load on the machine (this is the only input configured, to check performance).
Output of
GET filebeat-*/_search?q=exists:system.auth.useradd
shows the document arrives within a few seconds, but again Discovery does not reflect this.
Is there a default post-process slowing things down before it becomes available? The syslog message log seems to be available without any delay, just the auth.
Timestamps look to be in sync. Perhaps I spoke too soon on the ingest being OK: running the filebeat debug I see the two documents being created for an adduser command. They are being sent to
filebeat-7.2.0-system-auth-pipeline
A check of the stats using
GET _nodes/stats/ingest
shows the following under the auth pipeline (the two below are the only failed entries).
I have stared at this issue for hours and probably cannot see the obvious - is the geoip enrichment for the auth pipeline named something other than geoip?
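An added example, not from this thread or from Elastic: a small Python helper that walks a `GET _nodes/stats/ingest` response and reports the per-processor `failed` counters for one named pipeline across all nodes, so a failing processor (geoip, grok, date) in `filebeat-7.2.0-system-auth-pipeline` stands out. The response is a constructed sample, and the code assumes each processor entry is a single-key dict whose value is either a flat counter dict or a `{"type": ..., "stats": {...}}` dict (both shapes are handled).

```python
import json

# Constructed sample of a GET _nodes/stats/ingest response (not real data);
# pipeline names follow the thread, all counts are made up.
SAMPLE_STATS = json.loads("""
{"nodes": {"node-A": {"ingest": {
  "total": {"count": 62, "time_in_millis": 130, "current": 0, "failed": 2},
  "pipelines": {
    "filebeat-7.2.0-system-auth-pipeline": {
      "count": 12, "time_in_millis": 40, "current": 0, "failed": 2,
      "processors": [
        {"grok": {"count": 12, "time_in_millis": 30, "current": 0, "failed": 0}},
        {"geoip": {"type": "geoip",
                   "stats": {"count": 10, "time_in_millis": 5, "current": 0, "failed": 2}}},
        {"date": {"count": 10, "time_in_millis": 5, "current": 0, "failed": 0}}
      ]
    },
    "filebeat-7.2.0-system-syslog-pipeline": {
      "count": 50, "time_in_millis": 90, "current": 0, "failed": 0, "processors": []
    }
  }
}}}}
""")


def processor_failures(stats, pipeline):
    """Return {(node_id, position, processor_name): failed_count} for one pipeline.

    Assumption: each processors[] entry is a single-key dict; its value is either
    the flat counter dict or a {"type": ..., "stats": {...}} wrapper.
    """
    out = {}
    for node_id, node in stats.get("nodes", {}).items():
        pipe = node.get("ingest", {}).get("pipelines", {}).get(pipeline)
        if pipe is None:
            continue  # pipeline not present on this node
        for position, entry in enumerate(pipe.get("processors", [])):
            (name, body), = entry.items()          # single-key dict per processor
            counters = body.get("stats", body)     # nested or flat counter shape
            out[(node_id, position, name)] = counters.get("failed", 0)
    return out


def failing_processors(stats, pipeline):
    """Names of processors with at least one failure, in pipeline order."""
    failures = processor_failures(stats, pipeline)
    return [name for (_, _, name), failed in sorted(failures.items()) if failed > 0]


if __name__ == "__main__":
    auth = "filebeat-7.2.0-system-auth-pipeline"
    for key, failed in sorted(processor_failures(SAMPLE_STATS, auth).items()):
        print(key, "failed =", failed)
    print("failing:", failing_processors(SAMPLE_STATS, auth))
```

Against a live cluster, pipe `curl -s 'http://localhost:9200/_nodes/stats/ingest'` into `json.load` in place of the sample.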