Filebeat -> sends to Logstash -> sends to Elasticsearch
I expected that once I turned off / stopped the filebeat service, Logstash wouldn't receive logs from it, and thus no inputs would be ingested into Elastic.
Yet even after stopping the service and monitoring for an hour - I can see logs coming in from that server.
I would expect the filebeat service to be machine-based and not per-user, right?
You're right that filebeat as a service is usually set up on a machine basis. What is probably happening is maybe a manual filebeat process is still running somewhere. You can see what's running on your system (if Unix-based) with:
ps -aux | grep filebeat
The first command is going to list out all your processes and then pipe it to grep that will then return all filebeat processes with the name filebeat.
Hopefully you'll see a bunch of processes listed. If you only see one that says at the end "--color=auto filebeat" that means that machine isn't running any filebeat.
The other thing I'd double check is in Kibana to make sure that some other host isn't sending data as well.
If you are still only seeing data come in from that host, a more drastic option, if you are able to, is to try safely powering down the filebeat host. If data is still coming in you'll know it's coming in from somewhere else. Good luck.
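The process check suggested above, as an added example that is not part of the original posts: it reads `ps aux`-style output, drops the grep self-match, and prints the owner and PID of every real filebeat process, so a manually started copy under another user stands out next to the service one. The function names and the sample `ps` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ps aux`-style lines on stdin and
# prints "USER PID COMMAND" for each process whose executable is filebeat.
filebeat_procs() {
    awk '$2 ~ /^[0-9]+$/ {
        # The header line is skipped because its PID column is not numeric.
        # In `ps aux` output, field 11 is the executable; the rest are arguments.
        n = split($11, parts, "/")
        if (parts[n] == "filebeat") {
            cmd = $11
            for (i = 12; i <= NF; i++) cmd = cmd " " $i
            print $1, $2, cmd
        }
    }'
}

# Constructed sample: one service-managed process, one started by hand from a
# user's shell, and the grep self-match that `ps aux | grep filebeat` shows.
sample_ps() {
cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1042  0.3  1.1 912340 45012 ?        Ssl  09:12   0:07 /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml
deploy    2210  0.2  1.0 905112 43120 pts/1    Sl   09:40   0:03 ./filebeat -e -c filebeat.yml
admin     2377  0.0  0.0  14428  1012 pts/0    S+   10:15   0:00 grep --color=auto filebeat
EOF
}

# Offline demonstration on the constructed sample.
# On a live host, run instead:  ps aux | filebeat_procs
sample_ps | filebeat_procs
```

Matching on the executable name in the command column, rather than on the whole line, is what keeps the `grep --color=auto filebeat` entry out of the result.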