Hi ,
I have elastic search, logstash, kibana installed and configured on a single server and filebeat installed on another.
After configuring filebeat when i start filebeat it gets started, and one can see logs coming on kibana, but only for 1 second.
after that no logs are being loaded.
Have you checked filebeat logs? If nothing shows there, just try increasing Beats verbosity
Hi Xavy
thanks for the reply
My logs looks like this :
> 2017-07-20T17:28:30+05:30 INFO Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
> 2017-07-20T17:28:30+05:30 INFO Setup Beat: filebeat; Version: 5.5.0
> 2017-07-20T17:28:30+05:30 INFO Loading template enabled. Reading template file: /etc/filebeat/filebeat.template.json
> 2017-07-20T17:28:30+05:30 INFO Metrics logging every 30s
> 2017-07-20T17:28:30+05:30 INFO Loading template enabled for Elasticsearch 2.x. Reading template file: /etc/filebeat/filebeat.template-es2x.json
> 2017-07-20T17:28:30+05:30 INFO Loading template enabled for Elasticsearch 6.x. Reading template file: /etc/filebeat/filebeat.template-es6x.json
> 2017-07-20T17:28:30+05:30 INFO Elasticsearch url: http://xx.x.x.xxx:9200
> 2017-07-20T17:28:30+05:30 INFO Activated elasticsearch as output plugin.
> 2017-07-20T17:28:30+05:30 INFO Publisher name: xxxxx.xxx.net
> 2017-07-20T17:28:30+05:30 INFO Flush Interval set to: 1s
> 2017-07-20T17:28:30+05:30 INFO Max Bulk Size set to: 50
> 2017-07-20T17:28:30+05:30 INFO filebeat start running.
> 2017-07-20T17:28:30+05:30 INFO Registry file set to: /var/lib/filebeat/registry
> 2017-07-20T17:28:30+05:30 INFO Loading registrar data from /var/lib/filebeat/registry
> 2017-07-20T17:28:30+05:30 INFO States Loaded from registrar: 8
> 2017-07-20T17:28:30+05:30 INFO Loading Prospectors: 1
> 2017-07-20T17:28:30+05:30 INFO Prospector with previous states loaded: 8
> 2017-07-20T17:28:30+05:30 INFO Starting prospector of type: log; id: 17005676086519951868
> 2017-07-20T17:28:30+05:30 INFO Loading and starting Prospectors completed. Enabled prospectors: 1
> 2017-07-20T17:28:30+05:30 INFO Start sending events to output
> 2017-07-20T17:28:30+05:30 INFO Starting Registrar
> 2017-07-20T17:28:30+05:30 INFO Starting spooler: spool_size: 2048; idle_timeout: 5s
> 2017-07-20T17:29:00+05:30 INFO Non-zero metrics in the last 30s: publish.events=8 registrar.states.current=8 registrar.states.update=8 registrar.writes=1
> 2017-07-20T17:29:30+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:30:00+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:30:30+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:31:00+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:31:30+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:32:00+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:32:30+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:33:00+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:33:30+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:34:00+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:34:30+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:35:00+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:35:30+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:36:00+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:36:30+05:30 INFO No non-zero metrics in the last 30s
The log is basically empty (just one batch of 8 events published?)
can you share your filebeat configuration. Please use the </> button for logs and config files (preserves layout). Have you configured all files you want to ship?
Also check the registry file offsets.
Enable debug mode in config file or by starting filebeat with -d "*".
Thanks for your response
Here is my config file.
filebeat.prospectors:
- input_type: log
paths:
- /var/log/*.log
#- c:\programdata\elasticsearch\logs\*
#exclude_lines: ["^DBG"]
#include_lines: ["^ERR", "^WARN"]
#exclude_files: [".gz$"]
#fields:
# level: debug
# review: 1
### Multiline options
#multiline.pattern: ^\[
#multiline.negate: false
#multiline.match: after
#================================ General =====================================
#name:
#tags: ["service-X", "web-tier"]
#fields:
# env: staging
#================================ Outputs =====================================
# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["x.x.x.xxx:9200"]
template.name: "filebeat"
template.path: "/etc/filebeat/filebeat.template.json"
template.overwrite: true
# Optional protocol and basic auth credentials.
#protocol: "https"
#username: "elastic"
#password: "changeme"
#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
#logging.level: debug
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
[{"source":"/var/log/ipaupgrade.log","offset":8691,"FileStateOS":{"inode":240419,"device":2049},"timestamp":"2017-07-20T17:28:35.31056278+05:30","ttl":-1},{"source":"/var/log/openlmi-install.log","offset":25848,"FileStateOS":{"inode":846637,"device":2049},"timestamp":"2017-07-20T17:28:35.310564476+05:30","ttl":-1},{"source":"/var/log/sa-update.log","offset":0,"FileStateOS":{"inode":46490,"device":2049},"timestamp":"2017-07-20T17:28:35.310565078+05:30","ttl":-1},{"source":"/var/log/wpa_supplicant.log","offset":1200,"FileStateOS":{"inode":3824974,"device":2049},"timestamp":"2017-07-20T17:28:35.310565705+05:30","ttl":-1},{"source":"/var/log/yum.log","offset":0,"FileStateOS":{"inode":3861530,"device":2049},"timestamp":"2017-07-20T17:28:35.310566248+05:30","ttl":-1},{"source":"/var/log/Xorg.0.log","offset":17649,"FileStateOS":{"inode":44081,"device":2049},"timestamp":"2017-07-20T17:28:35.310566724+05:30","ttl":-1},{"source":"/var/log/Xorg.1.log","offset":8372,"FileStateOS":{"inode":14039284,"device":2049},"timestamp":"2017-07-20T17:28:35.310567275+05:30","ttl":-1},{"source":"/var/log/boot.log","offset":13831,"FileStateOS":{"inode":2752,"device":2049},"timestamp":"2017-07-20T17:28:35.310567799+05:30","ttl":-1}]
enable the logging.level: debug line, to enable debug logging.
I can not check the registry file for you, but you can use it to check if all files are mentioned and if offset is actually at end of file or somewhere at the beginning middle. Having a registry file and no filters hints data have been actually send.
I have a problem, so where is the registry file? How do you find de registry file? Thank you!
It's normally at /var/lib/filebeat/registry.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.