My current usage: Filebeat => Logstash => Elasticsearch.
Below is the error log:
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.055Z INFO [publisher] pipeline/retry.go:217 done
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.055Z INFO [publisher] pipeline/retry.go:213 retryer: send wait signal to consumer
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.055Z INFO [publisher] pipeline/retry.go:217 done
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.095Z ERROR [logstash] logstash/async.go:280 Failed to publish events caused by: EOF
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.095Z ERROR [logstash] logstash/async.go:280 Failed to publish events caused by: EOF
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.096Z ERROR [logstash] logstash/async.go:280 Failed to publish events caused by: EOF
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.096Z INFO [publisher] pipeline/retry.go:213 retryer: send wait signal to consumer
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.096Z INFO [publisher] pipeline/retry.go:217 done
Oct 14 14:07:21 vault-audit filebeat[11314]: 2020-10-13T14:07:21.096Z ERROR [logstash] logstash/async.go:280 Failed to publish events caused by: client is not connected
Filebeat configuration file:
filebeat.inputs:
- type: log
  fields:
    index_env: staging
    index_name: vault
  json.keys_under_root: true
  json.overwrite_keys: false
  json.add_error_key: true
  paths:
    - /var/log/vault_audit.log
  encoding: utf-8
  ignore_older: 3h
#logging.level: debug
#output.file:
#  path: "/tmp/filebeat"
#  filename: filebeat.json
output.logstash:
  hosts: ["logstash.stagin.com:5044"]
  ssl.enabled: true
Logstash configuration:
input {
  beats {
    port => 5044
    host => "<PRIVATE_IP>"
    client_inactivity_timeout => 3000
  }
}
Below are the Vault audit logs that are being loaded with Filebeat:
{"time":"2020-10-14T17:01:09.100112447Z","type":"response","auth":{"token_type":"default"},"request":{"id":"5f9b4d89-d4a6-5692-b161-71356090e8bb","replication_cluster":"tvx-ch","operation":"update","mount_type":"approle","client_token":"hmac-sha256:07be5ba8f9125f92403254de7060a3dd3a21d1466bf2d64860d12be66f7fd4fc","client_token_accessor":"hmac-sha256:4a55985e0d0f8c4be17aa1129e631d02cede0cd747b0d86ebccb4f882b3684c4","namespace":{"id":"root"},"path":"auth/approle/role/modesto_xmobile/secret-id","remote_address":"172.27.155.125"},"response":{"mount_type":"approld","data":{"secret_id":"hmac-sha256:1b5fa0984871b998d3e13c9397eeaa5e493e55c3964da05a1212d3611077ba1f","secret_id_accessor":"hmac-sha256:655e120622f49a069fbd969f993d038935225f09c293822acedb3893a619a0f2"}}}
{"time":"2020-10-14T17:58:05.120449646Z","type":"request","auth":{"token_type":"default"},"request":{"id":"c87af493-d126-7057-2e96-6abf4a9caefc","replication_cluster":"tvg-ab","operation":"update","mount_type":"generic","client_token":"hmac-sha256:eff8db6b9bfabd2a4df87938c5313c81620e5dc7df5fe8ea45f5844ad89g0c88","client_token_accessor":"hmac-sha256:1ff9fd760aad2fee503cb98c0bf892dfc5eebd5b300553643ec2704c792d4fbc","namespace":{"id":"root"},"path":"secret/directoryservices/inc-residential-service/bbc-security-authserver-config-esp-prd-r3","data":{"xps.security.authServer.configs[0].endpointPatterns":"hmac-sha256:a5c1f6402142e7df0e3d1c5940f981906e6cf9eb8a996113bd3c92c3b9dc6e59","xps.security.authServer.configs[0].scopes":"hmac-sha256:e7326a67dcf53b1f744a856be4a73f380b32c3897e786af3379eda2f541debd5","xps.security.authServer.configs[0].secret":"hmac-sha256:ab5c4b32c03dd877dae0a7b0bda89d9979b6d30bd8d9a95e5b194f342c7c0a2c","xps.security.authServer.configs[0].username":"hmac-sha256:c86dddd51966d4a77967724de1c43274a65d0b7354c72d8f2b2b19f42663c324","xps.security.authServer.configs[1].endpointPatterns":"hmac-sha256:bc599e6b16e57890e4247068c1cfdc7b9d1aed76313a76b828c158e3faf105b4","xps.security.authServer.configs[1].scopes":"hmac-sha256:fcc4acf36658b90fec62f9dddae83042a4ae9b430674a541a131a5d522771236","xps.security.authServer.configs[1].secret":"hmac-sha256:ab5c4b32c03dd877dae0a7b0bda89d9979b6d30bd8d9a95e5b194f342c7c0a2c","xps.security.authServer.configs[1].username":"hmac-sha256:c86dddd51966d4a77967724de1c43274a65d0b7354c72d8f2b2b19f42663c324","xps.security.authServer.configs[2].endpointPatterns":"hmac-sha256:8efc977777036af1e63cd931b6ec1b5a9db32a5af8cd86fd944d9a5833919ed1","xps.security.authServer.configs[2].scopes":"hmac-sha256:e9e34d58a7d7611fb56c7b3958265f512098efeb33f6282601110121359bfc92","xps.security.authServer.configs[2].secret":"hmac-sha256:ab5c4b32c03dd877dae0a7b0bda89d9979b6d30bd8d9a95e5b194f342c7c0a2c","xps.security.authServer.configs[2].username":"hmac-sha256:c86
dddd51966d4a77967724de1c43274a65d0b7354c72d8f2b2b19f42663c324"},"remote_address":"127.0.0.1"}}
Of the two log lines above, Filebeat was unable to load the 2nd log into Logstash, but when I output to logging.files: or elasticsearch, I don't see any errors in Filebeat.
Please, I need some light on solving this issue ASAP.
Thanks.
@adrisr @Badger (tagging since you have solved a similar issue: Filebeat parse json)
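
An added example, not part of the original post: the second audit line differs from the first in that its `request.data` keys contain `[` and `]`, characters Logstash uses in its field-reference syntax (`[outer][inner]`). The script below scans audit lines for such keys and also flags lines that are not complete JSON; the function names and the sample lines are constructed for illustration.

```python
import json

# Characters Logstash reserves for field-reference syntax, e.g. [outer][inner].
RESERVED = "[]"

def iter_keys(obj, prefix=()):
    """Yield (parent_path, key) for every key in a nested JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield prefix, k
            yield from iter_keys(v, prefix + (k,))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from iter_keys(v, prefix + (str(i),))

def bracket_keys(line):
    """Return sorted 'parent > key' paths whose key contains [ or ]."""
    event = json.loads(line)
    hits = []
    for path, key in iter_keys(event):
        if any(c in key for c in RESERVED):
            hits.append(" > ".join(path + (key,)))
    return sorted(hits)

def scan(lines):
    """Map 1-based line number to findings; clean lines are omitted."""
    report = {}
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            hits = bracket_keys(line)
        except json.JSONDecodeError as exc:
            # A record split across lines shows up here as invalid JSON.
            report[n] = [f"not valid JSON: {exc.msg}"]
            continue
        if hits:
            report[n] = hits
    return report

# Constructed sample lines shaped like the audit entries in the post.
SAMPLE = [
    '{"type":"response","request":{"path":"auth/approle/role/example/secret-id"},"response":{"data":{"secret_id":"hmac-sha256:<placeholder>"}}}',
    '{"type":"request","request":{"path":"secret/example","data":{"xps.security.authServer.configs[0].secret":"hmac-sha256:<placeholder>","xps.security.authServer.configs[1].secret":"hmac-sha256:<placeholder>"}}}',
    '{"type":"request","request":{"data":{"trunc',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE).items():
        print(n, hits)
```

To check a real file, pass `open("/var/log/vault_audit.log", encoding="utf-8")` to `scan()` in place of `SAMPLE`.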