Filebeat stops sending logs

abhisek · July 20, 2017, 10:43am

Hi ,
I have elastic search, logstash, kibana installed and configured on a single server and filebeat installed on another.

After configuring filebeat when i start filebeat it gets started, and one can see logs coming on kibana, but only for 1 second.

after that no logs are being loaded.

Xavy · July 20, 2017, 11:39am

Have you checked filebeat logs? If nothing shows there, just try increasing Beats verbosity

abhisek · July 20, 2017, 12:38pm

Hi Xavy
thanks for the reply

My logs looks like this :

>  2017-07-20T17:28:30+05:30 INFO Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
> 2017-07-20T17:28:30+05:30 INFO Setup Beat: filebeat; Version: 5.5.0
> 2017-07-20T17:28:30+05:30 INFO Loading template enabled. Reading template file: /etc/filebeat/filebeat.template.json
> 2017-07-20T17:28:30+05:30 INFO Metrics logging every 30s
> 2017-07-20T17:28:30+05:30 INFO Loading template enabled for Elasticsearch 2.x. Reading template file: /etc/filebeat/filebeat.template-es2x.json
> 2017-07-20T17:28:30+05:30 INFO Loading template enabled for Elasticsearch 6.x. Reading template file: /etc/filebeat/filebeat.template-es6x.json
> 2017-07-20T17:28:30+05:30 INFO Elasticsearch url: http://xx.x.x.xxx:9200
> 2017-07-20T17:28:30+05:30 INFO Activated elasticsearch as output plugin.
> 2017-07-20T17:28:30+05:30 INFO Publisher name: xxxxx.xxx.net
> 2017-07-20T17:28:30+05:30 INFO Flush Interval set to: 1s
> 2017-07-20T17:28:30+05:30 INFO Max Bulk Size set to: 50
> 2017-07-20T17:28:30+05:30 INFO filebeat start running.
> 2017-07-20T17:28:30+05:30 INFO Registry file set to: /var/lib/filebeat/registry
> 2017-07-20T17:28:30+05:30 INFO Loading registrar data from /var/lib/filebeat/registry
> 2017-07-20T17:28:30+05:30 INFO States Loaded from registrar: 8
> 2017-07-20T17:28:30+05:30 INFO Loading Prospectors: 1
> 2017-07-20T17:28:30+05:30 INFO Prospector with previous states loaded: 8
> 2017-07-20T17:28:30+05:30 INFO Starting prospector of type: log; id: 17005676086519951868
> 2017-07-20T17:28:30+05:30 INFO Loading and starting Prospectors completed. Enabled prospectors: 1
> 2017-07-20T17:28:30+05:30 INFO Start sending events to output
> 2017-07-20T17:28:30+05:30 INFO Starting Registrar
> 2017-07-20T17:28:30+05:30 INFO Starting spooler: spool_size: 2048; idle_timeout: 5s
> 2017-07-20T17:29:00+05:30 INFO Non-zero metrics in the last 30s: publish.events=8 registrar.states.current=8 registrar.states.update=8 registrar.writes=1
> 2017-07-20T17:29:30+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:30:00+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:30:30+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:31:00+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:31:30+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:32:00+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:32:30+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:33:00+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:33:30+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:34:00+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:34:30+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:35:00+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:35:30+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:36:00+05:30 INFO No non-zero metrics in the last 30s
> 2017-07-20T17:36:30+05:30 INFO No non-zero metrics in the last 30s

steffens · July 20, 2017, 1:06pm

The log is basically empty (just one batch of 8 events published?)

can you share your filebeat configuration. Please use the </> button for logs and config files (preserves layout). Have you configured all files you want to ship?

Also check the registry file offsets.

Enable debug mode in config file or by starting filebeat with -d "*".

abhisek · July 21, 2017, 4:56am

Thanks for your response

Here is my config file.

filebeat.prospectors:

- input_type: log

  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  #exclude_lines: ["^DBG"]

  #include_lines: ["^ERR", "^WARN"]

  #exclude_files: [".gz$"]

  #fields:
  #  level: debug
  #  review: 1

  ### Multiline options

  #multiline.pattern: ^\[

  #multiline.negate: false

  #multiline.match: after


#================================ General =====================================

#name:

#tags: ["service-X", "web-tier"]

#fields:
#  env: staging

#================================ Outputs =====================================

# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["x.x.x.xxx:9200"]

  template.name: "filebeat"
  template.path: "/etc/filebeat/filebeat.template.json"
  template.overwrite: true

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

 
#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

[{"source":"/var/log/ipaupgrade.log","offset":8691,"FileStateOS":{"inode":240419,"device":2049},"timestamp":"2017-07-20T17:28:35.31056278+05:30","ttl":-1},{"source":"/var/log/openlmi-install.log","offset":25848,"FileStateOS":{"inode":846637,"device":2049},"timestamp":"2017-07-20T17:28:35.310564476+05:30","ttl":-1},{"source":"/var/log/sa-update.log","offset":0,"FileStateOS":{"inode":46490,"device":2049},"timestamp":"2017-07-20T17:28:35.310565078+05:30","ttl":-1},{"source":"/var/log/wpa_supplicant.log","offset":1200,"FileStateOS":{"inode":3824974,"device":2049},"timestamp":"2017-07-20T17:28:35.310565705+05:30","ttl":-1},{"source":"/var/log/yum.log","offset":0,"FileStateOS":{"inode":3861530,"device":2049},"timestamp":"2017-07-20T17:28:35.310566248+05:30","ttl":-1},{"source":"/var/log/Xorg.0.log","offset":17649,"FileStateOS":{"inode":44081,"device":2049},"timestamp":"2017-07-20T17:28:35.310566724+05:30","ttl":-1},{"source":"/var/log/Xorg.1.log","offset":8372,"FileStateOS":{"inode":14039284,"device":2049},"timestamp":"2017-07-20T17:28:35.310567275+05:30","ttl":-1},{"source":"/var/log/boot.log","offset":13831,"FileStateOS":{"inode":2752,"device":2049},"timestamp":"2017-07-20T17:28:35.310567799+05:30","ttl":-1}]

steffens · July 21, 2017, 2:01pm

enable the logging.level: debug line, to enable debug logging.

I can not check the registry file for you, but you can use it to check if all files are mentioned and if offset is actually at end of file or somewhere at the beginning middle. Having a registry file and no filters hints data have been actually send.

sockaddr_in · July 24, 2017, 2:40pm

I have a problem, so where is the registry file? How do you find de registry file? Thank you!

andrewkroh · July 24, 2017, 5:13pm

It's normally at /var/lib/filebeat/registry.

system · August 21, 2017, 5:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat still sending logs even if service is stopped Beats filebeat	2	511	March 24, 2023
Logstash and Filebeat on Windows Kibana	8	315	July 7, 2023
Filebeat only sends logs on service restart Beats filebeat	2	860	July 5, 2017
Filebeat not seeing fileupdates Beats	3	697	July 5, 2017
Filebeat stops processing files after 1 or 2 days issue Beats filebeat	5	697	November 21, 2016

Filebeat stops sending logs

Related Topics