Filebeat status failed. Please help

filebeat.yml

filebeat:
  prospectors:
    - input_type: log
      paths:
        - /var/log/*.log
  registry_file: /var/lib/filebeat/registry

output.elasticsearch:
  hosts: ["10.8.20.138:80/es"]

output:
  logstash:
    hosts:
      - ["10.8.20.138:5044"]
Error:
[Host1@CentOS2 filebeat]$ service filebeat status
● filebeat.service - filebeat
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Tue 2017-06-20 10:14:05 PDT; 762ms ago
Docs: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
Process: 3742 ExecStart=/usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat (code=exited, status=1/FAILURE)
Main PID: 3742 (code=exited, status=1/FAILURE)

Jun 20 10:14:04 CentOS2 systemd[1]: filebeat.service: main process exited, code=exited, status=1/FAILURE
Jun 20 10:14:04 CentOS2 systemd[1]: Unit filebeat.service entered failed state.
Jun 20 10:14:04 CentOS2 systemd[1]: filebeat.service failed.
Jun 20 10:14:05 CentOS2 systemd[1]: filebeat.service holdoff time over, scheduling restart.
Jun 20 10:14:05 CentOS2 systemd[1]: start request repeated too quickly for filebeat.service
Jun 20 10:14:05 CentOS2 systemd[1]: Failed to start filebeat.
Jun 20 10:14:05 CentOS2 systemd[1]: Unit filebeat.service entered failed state.
Jun 20 10:14:05 CentOS2 systemd[1]: filebeat.service failed.

Could you please check for logs under /var/log/filebeat?

[root@CentOS2 ~]# cd /var/log/filebeat
[root@CentOS2 filebeat]# ls
filebeat filebeat.1 filebeat.2 filebeat.3 filebeat.4 filebeat.5 filebeat.6

I see above

2017-06-20T10:14:04-07:00 INFO Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2017-06-20T10:14:04-07:00 INFO Setup Beat: filebeat; Version: 5.4.1
2017-06-20T10:14:04-07:00 INFO Loading template enabled. Reading template file: /etc/filebeat/filebeat.template.json
2017-06-20T10:14:04-07:00 INFO Loading template enabled for Elasticsearch 2.x. Reading template file: /etc/filebeat/filebeat.template-es2x.json
2017-06-20T10:14:04-07:00 INFO Loading template enabled for Elasticsearch 6.x. Reading template file: /etc/filebeat/filebeat.template-es6x.json
2017-06-20T10:14:04-07:00 INFO Elasticsearch url: http://10.8.20.138:80/es
2017-06-20T10:14:04-07:00 INFO Activated elasticsearch as output plugin.
2017-06-20T10:14:04-07:00 INFO Max Retries set to: 3
2017-06-20T10:14:04-07:00 ERR failed to initialize logstash plugin as output: can not convert 'object' into 'string' accessing 'output.logstash.hosts.0' (source:'/etc/filebeat/filebeat.yml')
2017-06-20T10:14:04-07:00 CRIT Exiting: error initializing publisher: can not convert 'object' into 'string' accessing 'output.logstash.hosts.0' (source:'/etc/filebeat/filebeat.yml')

Ah there it is, didn't see it in the first place. It's a YAML parsing error from your settings, hosts value for output.logstash:

As you are configuring a list it must be either: hosts: ["10.8.20.138:5044"] or:

hosts:
      - "10.8.20.138:5044"

I think you ended up with a mix of both somehow, please check if it works after correcting that 🙂
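An added example, not part of the original thread or of Filebeat: a pre-deploy check that reports any `hosts` entry that is not a plain string, using the same config path that appears in the error above. The function names are hypothetical, `check_file` assumes PyYAML is installed, and the two sample dicts are constructed to mirror what a YAML parser returns for the broken and corrected settings.

```python
"""Check that every Beats output has `hosts` as a flat list of strings."""

def normalize(cfg):
    """Expand dotted keys such as "output.logstash" into nested dicts."""
    out = {}
    for key, value in cfg.items():
        parts = str(key).split(".")
        node = out
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        if isinstance(value, dict):
            value = normalize(value)
            if isinstance(node.get(parts[-1]), dict):
                node[parts[-1]].update(value)
                continue
        node[parts[-1]] = value
    return out

def bad_hosts(cfg):
    """Return (config path, offending type) for each unusable hosts entry."""
    problems = []
    for name, settings in (normalize(cfg).get("output") or {}).items():
        hosts = settings.get("hosts") if isinstance(settings, dict) else None
        if hosts is None:
            continue
        if not isinstance(hosts, list):
            problems.append((f"output.{name}.hosts", type(hosts).__name__))
            continue
        for i, host in enumerate(hosts):
            if not isinstance(host, str):
                problems.append((f"output.{name}.hosts.{i}", type(host).__name__))
    return problems

def check_file(path):
    """Parse a YAML config with PyYAML (assumed installed) and check it."""
    import yaml
    with open(path) as fh:
        return bad_hosts(yaml.safe_load(fh) or {})

# Constructed samples: what a YAML parser returns for the two variants in the thread.
# `- ["10.8.20.138:5044"]` is a list item that is itself a list, hence the nesting.
BROKEN = {"output.elasticsearch": {"hosts": ["10.8.20.138:80/es"]},
          "output": {"logstash": {"hosts": [["10.8.20.138:5044"]]}}}
FIXED = {"output.elasticsearch": {"hosts": ["10.8.20.138:80/es"]},
         "output": {"logstash": {"hosts": ["10.8.20.138:5044"]}}}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, bad_hosts(cfg) or "ok")
```

Running a check like this before restarting the service catches the problem without waiting for systemd to hit its start limit, which matters when the shipper is the only path logs take off the host.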

@exekias Thanks a lot. Now I see it as active. But when I see the log file
2017-06-20T13:58:02-07:00 INFO Harvester started for file: /var/log/vmware-vmsvc.2.log
2017-06-20T13:58:02-07:00 ERR Connecting error publishing events (retrying): dial tcp 10.8.20.149:5044: getsockopt: connection refused
2017-06-20T13:58:02-07:00 INFO Connected to Elasticsearch version 1.7.3
2017-06-20T13:58:02-07:00 INFO Trying to load template for client: http://10.8.20.149:80/es
2017-06-20T13:58:02-07:00 INFO Template already exists and will not be overwritten.
2017-06-20T13:58:02-07:00 WARN Can not index event (status=400): "RemoteTransportException[[es-elasticsearch-masters-1][inet[/10.42.8.185:9300]][indices:admin/create]]; nested: MapperParsingException[mapping [default]]; nested: MapperParsingException[No handler for type [keyword] declared on field [referrer]]; "
2017-06-20T13:58:02-07:00 WARN Can not index event (status=400): "RemoteTransportException[[es-elasticsearch-masters-1][inet[/10.42.8.185:9300]][indices:admin/create]]; nested: MapperParsingException[mapping [default]]; nested: MapperParsingException[No handler for type [keyword] declared on field [referrer]]; "
2017-06-20T13:58:02-07:00 WARN Can not index event (status=400): "RemoteTransportException[[es-elasticsearch-masters-1][inet[/10.42.8.185:9300]][indices:admin/create]]; nested: MapperParsingException[mapping [default]]; nested: MapperParsingException[No handler for type [keyword] declared on field [referrer]]; "
2017-06-20T13:58:02-07:00 WARN Can not index event (status=400): "RemoteTransportException[[es-elasticsearch-masters-1][inet[/10.42.8.185:9300]][indices:admin/create]]; nested: MapperParsingException[mapping [default]]; nested: MapperParsingException[No handler for type [keyword] declared on field [referrer]]; "
2017-06-20T13:58:02-07:00 WARN Can not index event (status=400): "RemoteTransportException[[es-elasticsearch-masters-1][inet[/10.42.8.185:9300]][indices:admin/create]]; nested: MapperParsingException[mapping [default]]; nested: MapperParsingException[No handler for type [keyword] declared on field [referrer]]; "
2017-06-20T13:58:0
