Filebeat unable to parse JSON log(contains array) output to logstash

polaaditya · October 14, 2020, 9:31pm

My current usage Filebeat => Logstash => Elasticsearch.
Below is the error log

Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.055Z        INFO        [publisher]        pipeline/retry.go:217          done
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.055Z        INFO        [publisher]        pipeline/retry.go:213        retryer: send wait signal to consumer
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.055Z        INFO        [publisher]        pipeline/retry.go:217          done
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.095Z        ERROR        [logstash]        logstash/async.go:280        Failed to publish events caused by: EOF
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.095Z        ERROR        [logstash]        logstash/async.go:280        Failed to publish events caused by: EOF
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.096Z        ERROR        [logstash]        logstash/async.go:280        Failed to publish events caused by: EOF
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.096Z        INFO        [publisher]        pipeline/retry.go:213        retryer: send wait signal to consumer
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.096Z        INFO        [publisher]        pipeline/retry.go:217          done
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.096Z        ERROR        [logstash]        logstash/async.go:280        Failed to publish events caused by: client is not connected

Filebeat configuration File:

filebeat.inputs:
- type: log
  fields:
    index_env: staging
    index_name: vault
  json.keys_under_root: true
  json.overwrite_keys: false
  json.add_error_key: true
  paths:
    - /var/log/vault_audit.log
encoding: utf-8
ignore_older: 3h
#logging.level: debug
#output.file:
#  path: "/tmp/filebeat"
#  filename: filebeat.json
output.logstash:
  hosts: ["logstash.stagin.com:5044"]
  ssl.enabled: true

Logstash Configuration:

  input {
  beats {
    port => 5044
    host => "<PRIVATE_IP>"
    client_inactivity_timeout => 3000
  }
}

Below is the vault audit logs that are loading w/ Filebeat

{"time":"2020-10-14T17:01:09.100112447Z","type":"response","auth":{"token_type":"default"},"request":{"id":"5f9b4d89-d4a6-5692-b161-71356090e8bb","replication_cluster":"tvx-ch","operation":"update","mount_type":"approle","client_token":"hmac-sha256:07be5ba8f9125f92403254de7060a3dd3a21d1466bf2d64860d12be66f7fd4fc","client_token_accessor":"hmac-sha256:4a55985e0d0f8c4be17aa1129e631d02cede0cd747b0d86ebccb4f882b3684c4","namespace":{"id":"root"},"path":"auth/approle/role/modesto_xmobile/secret-id","remote_address":"172.27.155.125"},"response":{"mount_type":"approld","data":{"secret_id":"hmac-sha256:1b5fa0984871b998d3e13c9397eeaa5e493e55c3964da05a1212d3611077ba1f","secret_id_accessor":"hmac-sha256:655e120622f49a069fbd969f993d038935225f09c293822acedb3893a619a0f2"}}}

{"time":"2020-10-14T17:58:05.120449646Z","type":"request","auth":{"token_type":"default"},"request":{"id":"c87af493-d126-7057-2e96-6abf4a9caefc","replication_cluster":"tvg-ab","operation":"update","mount_type":"generic","client_token":"hmac-sha256:eff8db6b9bfabd2a4df87938c5313c81620e5dc7df5fe8ea45f5844ad89g0c88","client_token_accessor":"hmac-sha256:1ff9fd760aad2fee503cb98c0bf892dfc5eebd5b300553643ec2704c792d4fbc","namespace":{"id":"root"},"path":"secret/directoryservices/inc-residential-service/bbc-security-authserver-config-esp-prd-r3","data":{"xps.security.authServer.configs[0].endpointPatterns":"hmac-sha256:a5c1f6402142e7df0e3d1c5940f981906e6cf9eb8a996113bd3c92c3b9dc6e59","xps.security.authServer.configs[0].scopes":"hmac-sha256:e7326a67dcf53b1f744a856be4a73f380b32c3897e786af3379eda2f541debd5","xps.security.authServer.configs[0].secret":"hmac-sha256:ab5c4b32c03dd877dae0a7b0bda89d9979b6d30bd8d9a95e5b194f342c7c0a2c","xps.security.authServer.configs[0].username":"hmac-sha256:c86dddd51966d4a77967724de1c43274a65d0b7354c72d8f2b2b19f42663c324","xps.security.authServer.configs[1].endpointPatterns":"hmac-sha256:bc599e6b16e57890e4247068c1cfdc7b9d1aed76313a76b828c158e3faf105b4","xps.security.authServer.configs[1].scopes":"hmac-sha256:fcc4acf36658b90fec62f9dddae83042a4ae9b430674a541a131a5d522771236","xps.security.authServer.configs[1].secret":"hmac-sha256:ab5c4b32c03dd877dae0a7b0bda89d9979b6d30bd8d9a95e5b194f342c7c0a2c","xps.security.authServer.configs[1].username":"hmac-sha256:c86dddd51966d4a77967724de1c43274a65d0b7354c72d8f2b2b19f42663c324","xps.security.authServer.configs[2].endpointPatterns":"hmac-sha256:8efc977777036af1e63cd931b6ec1b5a9db32a5af8cd86fd944d9a5833919ed1","xps.security.authServer.configs[2].scopes":"hmac-sha256:e9e34d58a7d7611fb56c7b3958265f512098efeb33f6282601110121359bfc92","xps.security.authServer.configs[2].secret":"hmac-sha256:ab5c4b32c03dd877dae0a7b0bda89d9979b6d30bd8d9a95e5b194f342c7c0a2c","xps.security.authServer.configs[2].username":"hmac-sha256:c86dddd51966d4a77967724de1c43274a65d0b7354c72d8f2b2b19f42663c324"},"remote_address":"127.0.0.1"}}

from the above both log lines, the filebeat was unable to load the 2nd log on to logstash but when I output to logging.files: or elasticsearch then I don't see any errors on the filebeat.

Please I need some light on solving this issue ASAP.
Thanks.
@adrisr @Badger (tagging since you have solved similar issue: Filebeat parse json)

kvch · October 21, 2020, 1:13pm

The errors you are seeing have nothing to do with JSON parsing. Filebeat is not able to connect to Logstash. Based on your configuration you have enabled SSL but failed to configure it correctly. You need to configure ssl.* settings if you would like to secure the connection between LS and FB: https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ssl-logstash.html

polaaditya · October 21, 2020, 2:45pm

@kvch Thanks for your response. I'm using AWS Loadbalancer(NLB). am seeing a successful connection test when I run tcptraceroute or telnet commands. so after removing host => "PRIVATE_IP" from the Logstash configuration, I started seeing the below errors in logstash.

Oct 21 10:41:14 ip-96-103-60-114.ec2.internal logstash[3260]: org.logstash.FieldReference$IllegalSyntaxException: Invalid FieldReference: `xsp.security.authServer.configs[0].secret`
Oct 21 10:41:16 ip-96-103-60-114.ec2.internal logstash[3260]: org.logstash.FieldReference$IllegalSyntaxException: Invalid FieldReference: `xsp.security.authServer.configs[0].username`

I might need help in getting the filters. It looks like a pretty similar issue opened on github: https://github.com/elastic/logstash/issues/11608

system · November 18, 2020, 4:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat: error json decode Beats docker , filebeat	2	373	October 27, 2021
Filebeat issue with json logs from ES audit Beats filebeat	1	439	March 16, 2022
Filebeat error while reading multiline json lines log file Beats filebeat	1	721	June 16, 2020
Filebeat collect log and output to es but occur time parse error Beats filebeat	7	785	November 20, 2020
Filebeat - ERR Failed to publish events caused by: EOF Beats filebeat	17	28098	November 26, 2016

Filebeat unable to parse JSON log(contains array) output to logstash

Related Topics