FileBeat Sending Logs in binary format


(Saravana Kumar Pandiarajan) #1

Hi All,

I am trying to set-up a centralized log management in my infra, for this I am using Graylog. I am pushing my component logs from clients to the Graylog Server using Filebeat ( Version - 5.1.1 ). I am not sure why the logs sent by FileBeat are in binary format , as i am new with FileBeat I am not sure if I miss out anything related to the configuration.

FileBeat Configuration:

###################### Filebeat Configuration Example #########################
# This file is an example configuration file highlighting only the most common
# options. The filebeat.full.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html
#=========================== Filebeat prospectors =============================
filebeat.prospectors:
# Each - is a prospector. Most options can be set at the prospector level, so
# you can use different prospectors for various configurations.
# Below are the prospector specific configurations.
- input_type: log
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /path-to-log-file/web.log
    #- c:\programdata\elasticsearch\logs\*
  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ["^DBG"]
  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ["^ERR", "^WARN"]
  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #exclude_files: [".gz$"]
  # Optional additional fields. These field can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1
  ### Multiline options
  # Mutiline can be used for log messages spanning multiple lines. This is common
  # for Java Stack Traces or C-Line Continuation
  # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
  multiline.pattern: ^\[
  # Defines if the pattern set under pattern should be negated or not. Default is false.
  multiline.negate: false
  # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
  # that was (not) matched before or after or as long as a pattern is not matched based on negate.
  # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
  multiline.match: after
#================================ General =====================================
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:
# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]
# Optional fields that you can specify to add additional information to the
# output.
fields:
  env: Staging-1
#================================ Outputs =====================================
# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.
#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
#  hosts: ["graylog-server-ip:9200"]
  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["graylog-server-ip:5555"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"
  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"
#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
logging.level: debug
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
logging.selectors: ["*"]

FileBeat shipped data output

2W^@^@^@
2C^@^@^Céx^Ü<98>ÝnÛ6^TÇ<95>ì³{
<8e>W^[@±¤¾E @Ò¤^F<^Dm°´7M³<81><91>h<85><88>¾ Qî²ÀïµË^M{±AfìÌ<86>ìX<86><93>^UËM$R Dþþç^?αõ<93>a^X{<86>±÷Ç^]<Ì<84>â1W^\²;¨nK^A^YL<8b>^D"x%¸<82>^L<8e>d*®^DWp<82>àUû<9f>ÝÁ<9c>gís²4)1ih^R<93>º^PÁë

#####################################################################

Any suggestions will be very helpful, thanks in advance.


(Andrew Kroh) #2

That sounds like a problem with the input configuration to Graylog where it doesn't understand the format of the data from the Logstash output in Beats. I haven't used Graylog so I can't offer any help on that side.


(Saravana Kumar Pandiarajan) #3

Firstly apologies for the delay in my response and thank you much for your reply andrewkroh. It was input issue as you told, fixed it now.


(Andrew Kroh) #4

Can you please tell us how you fixed it for the benefit of others that have a similar problem.


(Saravana Kumar Pandiarajan) #5

In the updated version of Graylog, we have a option called filebeat in the Types of input. Initially i was trying with plain TCP Text option, which was the issue.


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.