Filebeat's logs doesn't create

Elastic Stack Logstash
1

This is my current configuration file.

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log

output.elasticsearch:
  hosts: ["localhost:9200"]
  username: "elastic"
  password: "1"
  enabled: false

output.logstash:
  hosts: ["localhost:5044"]
  enabled: true

output.console:
  pretty: true

setup.dashboards.enabled: true
setup.kibana:
  host: "localhost:5601"

I trying send apache logs to Elasticsearch with filebeat. But it doesn't work properly. Logstash listening port 5044 but my logs doesn't send elasticsearch. How can i solve?

2

Any traces in filebeat log?

3

it's main problem. there aren't any log in /var/log/filebeat.

4

You can't have more than one output enabled, in your cause you have the logstash output and the console output enabled, it will not work.

Filebeat supports only one output at time.

Also, per default filebeat will not create a log file, it will log to stdout, so you should look at /var/log/messages or /var/log/syslog, depending on your linux distribution.

5

Ok. new configuration file:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log

output.elasticsearch:
  hosts: ["localhost:9200"]
  username: "elastic"
  #password: "1"
  enabled: false

output.logstash:
  hosts: ["localhost:5044"]
  enabled: true

output.console:
  pretty: false

setup.dashboards.enabled: true
setup.kibana:
  host: "localhost:5601"

not different. it doesn't send apache logs to elasticsearch.

6

my logstash.conf file.

input {
        beats {
                port => "5044"
        }
}

filter {
        grok {
                match => { "message" => "%{COMBINEDAPACHELOG}" }
        }
        date {
                match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
        }
}

output {
        elasticsearch {
                hosts => ["localhost:9200"]
                index => "apache"
        }

        stdout {}

}
7

This is still wrong, it needs to be enabled: false, check the documentation.

My suggestion is to remove these disabled outputs from filebeat.yml, let only the logstash output.

8 
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log

output.logstash:
  hosts: ["localhost:5044"]
  enabled: true

setup.dashboards.enabled: true
setup.kibana:
  host: "localhost:5601"

still same. there is nothing on index management.

9

You need to provide some logs, without it is impossible to know what the issue may be.

Check the /var/log/messages or /var/log/syslog for filebeat logs, also check /var/log/logstash/logstash-plain.log for logstash logs and /var/log/elasticsearch/YOUR-CLUSTER.log for some elasticsearch logs.

10

Start filebeat to show live activities

  1. filebeat -c filebeat.yml -e
    Must show something, either cannot connect to LS server or registry database already read a file
    Default is /usr/share/filebeat/data/registry

  2. Enable logging with debug mode

logging.level: debug
logging.to_files: true
logging.files:
  path: /path/log
  name: filebeat.log
  keepfiles: 7
  permissions: 0644

  1. Read Common problems, Elastic team collected common problems.

  2. Check /var/log/logstash/logstash-plain.log

1 Like
11

It's works. Thanks bro.

1 Like
12

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.