Filebeat S3 Input - Output Garbled

jbws · November 7, 2019, 8:53am

I have configured VPC Flow logs to ship to S3 and then an SQS message queue to notify Filebeat.
This creates records in ES but they appear like this! Any ideas?

Kaiyan_Sheng · November 7, 2019, 3:44pm

Hi @jbws, thanks for giving this a try! What version of Filebeat are you using?

jbws · November 7, 2019, 3:58pm

Version is 7.4.2 running in a container.

Config:

filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false

filebeat.inputs:
  - type: s3
    queue_url: zzz
    access_key_id: aaa
    secret_access_key: bbb
    visibility_timeout: 1200

cloud.id: yyy
cloud.auth: xxx

output.elasticsearch:

setup.ilm.enabled: false

Does the s3 input plugin automatically unzip .gz files?

Thanks

Kaiyan_Sheng · November 7, 2019, 4:41pm

Thanks for the info! Yeah it's because VPC logs are gz files. https://github.com/elastic/beats/pull/13980 added the support and will be released in 7.5 Filebeat.

Kaiyan_Sheng · November 7, 2019, 4:49pm

Also I just want to point out, we have a ticket to add a VPC fileset in Filebeat as well: https://github.com/elastic/beats/issues/13880

system · December 5, 2019, 4:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.