Hello.
I'm failing to ship my syslog (located in a custom path) to elasticsearch using filebeat's system module.
My system.yml file:
```yaml
# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-system.html

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/mnt/drive/linux-logs/syslog"]

    # Use journald to collect system logs
    #var.use_journald: false

  # Authorization logs
  auth:
    enabled: false

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

    # Use journald to collect auth logs
    #var.use_journald: false
```
Running `sudo filebeat setup --pipelines --modules system` results in `Exiting: module system is configured but has no enabled filesets`.
Thanks for your help in advance and my apologies if this is an inappropriate question.
Do you have a copy of the file system.yml in modules.d, or any other .yml in that directory? They all get concatenated, so if you have another one and it is disabled, that can cause this error.
Did you use the following command?
`filebeat modules enable system`
And BTW, I recommend running `filebeat setup -e` so all the proper components get loaded.
Also, why are you running with sudo? You should not need to.
Thank you for the response.
My filebeat version is filebeat version 8.17.0 (arm64), libbeat 8.17.0 [092f0eae4d0d343cc3a142f671c2a0428df67840 built 2024-12-11 11:10:39 +0000 UTC].
The system module is enabled in my system.
I also have the suricata module enabled (and its .yml file is in the directory) but its structure is standard and the module is working properly.
I did run the filebeat setup -e command and have found {"log.level":"info","@timestamp":"2025-02-18T08:39:17.616+0200","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.newModuleRegistry","file.name":"fileset/modules.go","file.line":136},"message":"Enabled modules/filesets: system (syslog), system (auth)","service.name":"filebeat","ecs.version":"1.6.0"}.
All my indices in elasticsearch are formatted as logstash-year.month.day (even though I'm not using logstash) and appear to not include any references to syslog.
I have actually discovered that the logs are in fact being shipped but under a different index .ds-filebeat-8.17.0-timestamp. I will not be opening an issue on this matter as this was an error on my side. Thank you for the assistance.