I'm using the Filebeat Elasticsearch module introduced in filebeat 6.4.0, but I get this error when I run filebeat:
ERROR [autodiscover] cfgfile/list.go:104 Error creating runner from config: Fileset elasticsearch/log is configured but doesn't exist
Any ideas why the Filebeat Elasticsearch module isn't working as expected?
Could you please share your full config formatted using </>?
@kvch
Please find below the config file. I think the reason why I get the error mentioned above is because I'm running filebeat and elasticsearch inside separate docker containers so filebeat doesn't have access to elasticsearch log path. Sharing a volume between the two containers might resolve the problem.
filebeat.config.modules:
enabled: true
path: /usr/share/filebeat/modules.d/*.yml
filebeat.autodiscover:
providers:
- type: docker
templates:
- condition:
contains:
docker.container.image: elasticsearch
config:
- module: elasticsearch
log:
input:
type: docker
containers:
path: '/usr/share/filebeat/containers/'
stream: 'all'
ids:
- '${data.docker.container.id}'
output.elasticsearch:
hosts: '${ES_HOSTS}'
setup.kibana:
host: "kibana"
xpack.monitoring.enabled: True
The problem is that Filebeat cannot find the elasticsearch/log fileset you configured. Is /usr/share/filebeat/module is accessible to Filebeat and contains the fileset?
Running the commands below inside the filebeat container indicates that the module filesets are accessible to filebeat:
[root@773170d8886b module]# pwd
/usr/share/filebeat/module
[root@773170d8886b module]# ls
apache2 elasticsearch iis kibana mongodb nginx postgresql system
auditd icinga kafka logstash mysql osquery redis traefik
[root@773170d8886b module]# ls elasticsearch/
audit deprecation gc module.yml server slowlog
[root@773170d8886b module]#
I shared a volume between elasticsearch (points to/usr/share/elasticsearch/logs) and filebeat (points to /var/log/elasticsearch) and I change the log fileset to the server fileset in the filebeat config
...
config:
- module: elasticsearch
server: # <----------------- Using server fileset
input:
type: docker
containers:
...
but the only logs being collected is for the gc fileset. I tried different filebsets such as audit, deprecation, slowlog but still I am only getting the gc fileset logs. Listing the content of where the elasticsearch are in filebeat container shows the following:
[root@773170d8886b module]# ls /var/log/elasticsearch/
gc.log gc.log.01 gc.log.03 gc.log.05 gc.log.07 gc.log.09 gc.log.11
gc.log.00 gc.log.02 gc.log.04 gc.log.06 gc.log.08 gc.log.10 gc.log.12
Listing the content of the elasticsearch logs folder inside the elasticsearch container:
[elasticsearch@e038c94710e0 ~]$ pwd
/usr/share/elasticsearch
[elasticsearch@e038c94710e0 ~]$ ls logs/
gc.log gc.log.01 gc.log.03 gc.log.05 gc.log.07 gc.log.09 gc.log.11
gc.log.00 gc.log.02 gc.log.04 gc.log.06 gc.log.08 gc.log.10 gc.log.12
How do I pick up the other logs for the other filesets, especially the ones being printed to the console?
NOTE: I am using the default log location for all the filebeat elasticsearch filesets which is /var/log/elasticsearch/
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.