Filebeat service running in windows but not shipping logs

I have been experiencing the following problem.

System Specs
Windows Server 2012 Standard
filebeat; Version: 1.2.2
I am running this package of ELK
Everything is running as localhost.

So the problem is that the service is running, but when a log is generated it is not shipped to logstash until I restart the filebeat service.

I ran the following command and this is my output.
beatname -c config.yml -e -d "*"

PS C:\elk\filebeat> .\filebeat.exe -c config.yml -e -d "*"
Loading config file error: Failed to read config.yml: open config.yml: The system cannot find the file specified.. Exiting.
PS C:\elk\filebeat> .\filebeat.exe -c filebeat.yml -e -d "*"
2016/06/03 17:54:06.748654 beat.go:135: DBG  Initializing output plugins
2016/06/03 17:54:06.749661 geolite.go:24: INFO GeoIP disabled: No paths were set under output.geoip.paths
2016/06/03 17:54:06.769662 logstash.go:106: INFO Max Retries set to: 3
2016/06/03 17:54:06.771663 client.go:100: DBG  connect
2016/06/03 17:54:06.783664 outputs.go:126: INFO Activated logstash as output plugin.
2016/06/03 17:54:06.785663 publish.go:232: DBG  Create output worker
2016/06/03 17:54:06.787664 publish.go:274: DBG  No output is defined to store the topology. The server fields might not be filled.
2016/06/03 17:54:06.790673 publish.go:288: INFO Publisher name: nxsclpidesa01
2016/06/03 17:54:06.802667 async.go:78: INFO Flush Interval set to: 1s
2016/06/03 17:54:06.803668 async.go:84: INFO Max Bulk Size set to: 2048
2016/06/03 17:54:06.804663 async.go:92: DBG  create bulk processing worker (interval=1s, bulk size=2048)
2016/06/03 17:54:06.806665 beat.go:147: INFO Init Beat: filebeat; Version: 1.2.2
2016/06/03 17:54:06.809663 beat.go:173: INFO filebeat sucessfully setup. Start running.
2016/06/03 17:54:06.812662 registrar.go:68: INFO Registry file set to: C:\ProgramData\filebeat\registry
2016/06/03 17:54:06.814667 registrar.go:80: INFO Loading registrar data from C:\ProgramData\filebeat\registry
2016/06/03 17:54:06.816667 service_windows.go:49: DBG  Windows is interactive: true
2016/06/03 17:54:06.816667 spooler.go:44: DBG  Set idleTimeoutDuration to 5s
2016/06/03 17:54:06.818668 crawler.go:38: DBG  File Configs: [C:\var\app\current\eg*error.log]
2016/06/03 17:54:06.820667 prospector.go:132: INFO Set ignore_older duration to 0
2016/06/03 17:54:06.821666 prospector.go:132: INFO Set close_older duration to 1h0m0s
2016/06/03 17:54:06.823672 prospector.go:132: INFO Set scan_frequency duration to 10s
2016/06/03 17:54:06.825685 prospector.go:89: INFO Invalid input type set:
2016/06/03 17:54:06.826667 prospector.go:92: INFO Input type set to: log
2016/06/03 17:54:06.829668 prospector.go:132: INFO Set backoff duration to 1s
2016/06/03 17:54:06.830692 prospector.go:132: INFO Set max_backoff duration to 10s
2016/06/03 17:54:06.832667 prospector.go:112: INFO force_close_file is disabled
2016/06/03 17:54:06.836690 crawler.go:38: DBG  File Configs: [C:\var\app\current\eg*-out.log]
2016/06/03 17:54:06.839670 prospector.go:132: INFO Set ignore_older duration to 0
2016/06/03 17:54:06.840680 prospector.go:132: INFO Set close_older duration to 1h0m0s
2016/06/03 17:54:06.842670 prospector.go:132: INFO Set scan_frequency duration to 10s
2016/06/03 17:54:06.844669 prospector.go:92: INFO Input type set to: log
2016/06/03 17:54:06.852671 prospector.go:132: INFO Set backoff duration to 1s
2016/06/03 17:54:06.854672 prospector.go:132: INFO Set max_backoff duration to 10s
2016/06/03 17:54:06.856675 prospector.go:112: INFO force_close_file is disabled
2016/06/03 17:54:06.858671 crawler.go:58: DBG  Waiting for 2 prospectors to initialise
2016/06/03 17:54:06.860674 prospector.go:142: INFO Starting prospector of type: log
2016/06/03 17:54:06.861673 prospector.go:160: DBG  exclude_files: []
2016/06/03 17:54:06.863675 prospector.go:251: DBG  scan path C:\var\app\current\eg*-out.log
2016/06/03 17:54:06.865673 prospector.go:264: DBG  Check file for harvesting: C:\var\app\current\eg-run-out.log
2016/06/03 17:54:06.884680 prospector.go:320: DBG  Start harvesting unknown file: C:\var\app\current\eg-run-out.log
2016/06/03 17:54:06.887677 registrar.go:174: DBG  Same file as before found. Fetch the state and persist it.
2016/06/03 17:54:06.888680 prospector.go:368: DBG  Resuming harvester on a previously harvested file: C:\var\app\current\eg-run-out.log
2016/06/03 17:54:06.891676 crawler.go:71: DBG  Registrar will re-save state for C:\var\app\current\eg-run-out.log
2016/06/03 17:54:06.893684 prospector.go:251: DBG  scan path C:\var\app\current\eg*-out.log
2016/06/03 17:54:06.897681 prospector.go:264: DBG  Check file for harvesting: C:\var\app\current\eg-run-out.log
2016/06/03 17:54:06.899677 prospector.go:389: DBG  Update existing file for harvesting: C:\var\app\current\eg-run-out.log
2016/06/03 17:54:06.904678 prospector.go:435: DBG  Not harvesting, file didn't change: C:\var\app\current\eg-run-out.log

A few points here:

  • It seems like parts in your config file are invalid. Could you share the config file?
  • Harvester finds a previously harvested file. So I assume you have run it before and it persisted the state. In case you want to reship, it is best to remove the registry file.
  • There was a bug in 1.2.2 related to file rotation. Please update to 1.2.3 to check if the problem persists.

Hi, Thanks for your help.

I have a few questions:
Are you saying that I should remove the registry file from the config file or from the file system?
We don't want to reship; we want to ship the new logs which are generated in the same file. Is there a way to do that?
I will update my version later; we are doing some tests now and we need Kibana.
Here is my config file:

Thanks again.

I have updated to the last version but I am still having problems.

Thanks Again

If you want to send all log entries from scratch again, you need to remove the registry file from the file system. To figure out if filebeat is working correctly, please try the following steps:

  • Shut down filebeat
  • Remove registry file from file system
  • Start Filebeat with -e -d "*"
  • Report the output here
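
Before removing the registry as in the steps above, it helps to see what it holds. The following PowerShell is an added example, not part of the original replies: it compares each persisted offset with the current file size and, only with -ResetRegistry, stops the service and moves the registry aside instead of deleting it. Assumptions: the 1.x registry is a single JSON object keyed by file path whose values carry "source" and "offset", and the Windows service is named "filebeat".

```powershell
# Added example. The registry path is the one printed in the debug log above.
# Assumed: registry = JSON object keyed by path, values with "source"/"offset";
# the Windows service is named "filebeat".
param(
    [string]$RegistryPath = 'C:\ProgramData\filebeat\registry',
    [switch]$ResetRegistry   # opt in to a full reship from offset 0
)

function Get-FilebeatLag {
    param([Parameter(Mandatory)][string]$Path)

    $states = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    foreach ($entry in $states.PSObject.Properties) {
        $source = $entry.Value.source
        $offset = [int64]$entry.Value.offset
        $file   = Get-Item -LiteralPath $source -ErrorAction SilentlyContinue

        $size = $null; $unshipped = $null
        if (-not $file) {
            $status = 'missing'                 # state kept for a file that is gone
        } else {
            $size = $file.Length
            $unshipped = $size - $offset
            if     ($size -lt $offset) { $status = 'truncated-or-rotated' }
            elseif ($size -gt $offset) { $status = 'behind' }   # bytes not yet read
            else                       { $status = 'caught-up' }
        }

        [pscustomobject]@{
            Source = $source; Offset = $offset; Size = $size
            Unshipped = $unshipped; Status = $status
        }
    }
}

Get-FilebeatLag -Path $RegistryPath | Format-Table -AutoSize

if ($ResetRegistry) {
    # Removing the registry makes Filebeat resend every line, so keep a copy.
    Stop-Service -Name filebeat
    $backup = "${RegistryPath}.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Move-Item -LiteralPath $RegistryPath -Destination $backup
    Write-Host "Registry moved to $backup. Start filebeat with -e -d `"*`" to watch the reship."
}
```

A file that stays "behind" across several scan intervals while the service is running matches the symptom reported in this thread; "caught-up" with no new events means the application has not written anything new.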

I did the steps and it seems like it's working now. I am doing more tests, but unfortunately we can't do a real test now, maybe next week. If this thread closes, what should I do? Open a new one?

2016/06/17 13:25:57.362642 prospector.go:185: DBG Start next scan
2016/06/17 13:25:57.364639 prospector.go:261: DBG scan path C:\var\app\current\eg*error.log
2016/06/17 13:25:57.365639 prospector.go:275: DBG Check file for harvesting: C:\var\app\current\eg-run-error.log
2016/06/17 13:25:57.367639 registrar.go:175: DBG Same file as before found. Fetch the state.
2016/06/17 13:25:57.368636 prospector.go:418: DBG Update existing file for harvesting: C:\var\app\current\eg-run-error.log
2016/06/17 13:25:57.370642 prospector.go:465: DBG Not harvesting, file didn't change: C:\var\app\current\eg-run-error.log
2016/06/17 13:25:58.344773 reader.go:138: DBG End of file reached: C:\var\app\current\eg-run-out.log; Backoff now.
2016/06/17 13:26:00.213009 spooler.go:97: DBG Flushing spooler because of timeout. Events flushed: 1
2016/06/17 13:26:00.215006 publish.go:109: DBG Publish: {
  "@timestamp": "2016-06-17T13:25:57.341Z",
  "beat": {
    "hostname": "dev-server",
    "name": "dev-server"
  },
  "count": 1,
  "fields": null,
  "input_type": "log",
  "message": "{\"name\":\"DEVAppLog\",\"hostname\":\"dev-server\",\"pid\":12088,\"level\":30,\"msg\":\"Server listening on port 4434\",\"time\":\"2016-06-17T13:25:55.767Z\",\"v\":0}",
  "offset": 9094445,
  "source": "C:\\var\\app\\current\\eg-run-out.log",
  "type": "egoutput"
}
2016/06/17 13:26:00.229004 output.go:87: DBG output worker: publish 1 events
2016/06/17 13:26:00.229999 client.go:146: DBG Try to publish 1 events to logstash with window size 270
2016/06/17 13:26:00.235013 client.go:124: DBG 1 events out of 1 events sent to logstash. Continue sending ...
2016/06/17 13:26:00.237025 single.go:135: DBG send completed
2016/06/17 13:26:00.238017 publish.go:104: INFO Events sent: 1
2016/06/17 13:26:00.239022 registrar.go:115: DBG Processing 1 events
2016/06/17 13:26:00.241021 registrar.go:146: DBG Write registry file: C:\ProgramData\filebeat\registry
2016/06/17 13:26:00.243026 registrar.go:162: INFO Registry file updated. 2 states written.
2016/06/17 13:26:00.347027 reader.go:138: DBG End of file reached: C:\var\app\current\eg-run-out.log; Backoff now.

Another question: is this the first file to look at for future problems? I am talking about the registry.

Thank you very much for your help.
