Filebeat's logs doesn't create

sevbans · October 16, 2022, 6:01pm

This is my current configuration file.

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log

output.elasticsearch:
  hosts: ["localhost:9200"]
  username: "elastic"
  password: "1"
  enabled: false

output.logstash:
  hosts: ["localhost:5044"]
  enabled: true

output.console:
  pretty: true

setup.dashboards.enabled: true
setup.kibana:
  host: "localhost:5601"

I trying send apache logs to Elasticsearch with filebeat. But it doesn't work properly. Logstash listening port 5044 but my logs doesn't send elasticsearch. How can i solve?

Rios · October 16, 2022, 6:58pm

Any traces in filebeat log?

sevbans · October 16, 2022, 7:27pm

it's main problem. there aren't any log in /var/log/filebeat.

leandrojmp · October 16, 2022, 7:42pm

sevbans:

output.elasticsearch:
  hosts: ["localhost:9200"]
  username: "elastic"
  password: "1"
  enabled: false

output.logstash:
  hosts: ["localhost:5044"]
  enabled: true

output.console:
  pretty: true

You can't have more than one output enabled, in your cause you have the logstash output and the console output enabled, it will not work.

Filebeat supports only one output at time.

Also, per default filebeat will not create a log file, it will log to stdout, so you should look at /var/log/messages or /var/log/syslog, depending on your linux distribution.

sevbans · October 16, 2022, 8:16pm

Ok. new configuration file:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log

output.elasticsearch:
  hosts: ["localhost:9200"]
  username: "elastic"
  #password: "1"
  enabled: false

output.logstash:
  hosts: ["localhost:5044"]
  enabled: true

output.console:
  pretty: false

setup.dashboards.enabled: true
setup.kibana:
  host: "localhost:5601"

not different. it doesn't send apache logs to elasticsearch.

sevbans · October 16, 2022, 8:23pm

my logstash.conf file.

input {
        beats {
                port => "5044"
        }
}

filter {
        grok {
                match => { "message" => "%{COMBINEDAPACHELOG}" }
        }
        date {
                match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
        }
}

output {
        elasticsearch {
                hosts => ["localhost:9200"]
                index => "apache"
        }

        stdout {}

}

leandrojmp · October 16, 2022, 8:25pm

This is still wrong, it needs to be enabled: false, check the documentation.

My suggestion is to remove these disabled outputs from filebeat.yml, let only the logstash output.

sevbans · October 16, 2022, 9:06pm

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log

output.logstash:
  hosts: ["localhost:5044"]
  enabled: true

setup.dashboards.enabled: true
setup.kibana:
  host: "localhost:5601"

still same. there is nothing on index management.

leandrojmp · October 16, 2022, 9:53pm

You need to provide some logs, without it is impossible to know what the issue may be.

Check the /var/log/messages or /var/log/syslog for filebeat logs, also check /var/log/logstash/logstash-plain.log for logstash logs and /var/log/elasticsearch/YOUR-CLUSTER.log for some elasticsearch logs.

Rios · October 16, 2022, 9:58pm

Start filebeat to show live activities

filebeat -c filebeat.yml -e
Must show something, either cannot connect to LS server or registry database already read a file
Default is /usr/share/filebeat/data/registry
Enable logging with debug mode

logging.level: debug
logging.to_files: true
logging.files:
  path: /path/log
  name: filebeat.log
  keepfiles: 7
  permissions: 0644

Read Common problems, Elastic team collected common problems.
Check /var/log/logstash/logstash-plain.log

sevbans · October 17, 2022, 6:40pm

It's works. Thanks bro.

system · November 14, 2022, 6:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.