Filebeat S3 Input - Output Garbled

jbws · November 7, 2019, 8:53am

I have configured VPC Flow logs to ship to S3 and then an SQS message queue to notify Filebeat.
This creates records in ES but they appear like this! Any ideas?

Kaiyan_Sheng · November 7, 2019, 3:44pm

Hi @jbws, thanks for giving this a try! What version of Filebeat are you using?

jbws · November 7, 2019, 3:58pm

Version is 7.4.2 running in a container.

Config:

filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false

filebeat.inputs:
  - type: s3
    queue_url: zzz
    access_key_id: aaa
    secret_access_key: bbb
    visibility_timeout: 1200

cloud.id: yyy
cloud.auth: xxx

output.elasticsearch:

setup.ilm.enabled: false

Does the s3 input plugin automatically unzip .gz files?

Thanks

Kaiyan_Sheng · November 7, 2019, 4:41pm

Thanks for the info! Yeah it's because VPC logs are gz files. https://github.com/elastic/beats/pull/13980 added the support and will be released in 7.5 Filebeat.

Kaiyan_Sheng · November 7, 2019, 4:49pm

Also I just want to point out, we have a ticket to add a VPC fileset in Filebeat as well: https://github.com/elastic/beats/issues/13880

system · December 5, 2019, 4:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat AWS Module unable to process Logs from S3 Beats beats-module , filebeat	5	575	July 12, 2021
Mapping flow logs with ES Beats filebeat	1	191	August 4, 2023
Filebeat Parsing issue with module aws Beats beats-module , filebeat	10	555	June 4, 2021
Filebeat not ingesting logs from s3 Beats filebeat	10	1276	December 19, 2019
Filebeat 7.6.0 - AWS VPC Flowlogs - Parser Exception Beats filebeat	1	461	April 2, 2020

Filebeat S3 Input - Output Garbled

Related Topics