Fleet Agent not showing logs - Fleet Agent not opening port syslog (panw module - filebeat)

Elastic Agent has not opened the port for Syslog to receive data. Fleet integration - filebeat module - Palo Alto firewall network (panw) - via Syslog.

Use Case:
I set up a fleet server, created a new policy and added an agent. I wanted this agent to work as a filebeat forwarder for the Palo Alto Network module/integration via syslog.

The agent is connected to Fleet and Elasticsearch and is working, but the logs are not displayed on the Fleet Agent - Logs tab. (Problem 1)

The monitoring logs of the agent are displayed, this can be seen on the data stream tab, module (panw - Palo Alto networks logs).

As I configured the integration, Filebeat should be listening on port 9001 for logs, but I cannot see this, the port is closed. (Problem 2)

elastic-agent inspect output -o default

[default] filebeat:
filebeat:
  inputs:
  - exclude_files:
    - .gz$
    id: logfile-system.auth-81e95ba6-a7a2-4bb7-8abf-901a7684490b
    index: logs-system.auth-default
    meta:
      package:
        name: system
        version: 1.6.4
    multiline:
      match: after
      pattern: ^\s
    name: system-2
    paths:
    - /var/log/auth.log*
    - /var/log/secure*
    processors:
    - add_locale: null
    - add_fields:
        fields:
          dataset: system.auth
          namespace: default
          type: logs
        target: data_stream
    - add_fields:
        fields:
          dataset: system.auth
        target: event
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
          snapshot: false
          version: 7.16.2
        target: elastic_agent
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
        target: agent
    revision: 1
    type: log
  - exclude_files:
    - .gz$
    id: logfile-system.syslog-81e95ba6-a7a2-4bb7-8abf-901a7684490b
    index: logs-system.syslog-default
    meta:
      package:
        name: system
        version: 1.6.4
    multiline:
      match: after
      pattern: ^\s
    name: system-2
    paths:
    - /var/log/messages*
    - /var/log/syslog*
    processors:
    - add_locale: null
    - add_fields:
        fields:
          dataset: system.syslog
          namespace: default
          type: logs
        target: data_stream
    - add_fields:
        fields:
          dataset: system.syslog
        target: event
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
          snapshot: false
          version: 7.16.2
        target: elastic_agent
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
        target: agent
    revision: 1
    type: log
  - fields:
      _conf:
        external_zones:
        - untrust
        internal_zones:
        - trust
        tz_offset: local
    fields_under_root: true
    id: syslog-panw.panos-837851ac-1859-4562-9d46-3706d9252590
    index: logs-panw.panos-default
    meta:
      package:
        name: panw
        version: 1.3.2
    name: panorama-integration
    processors:
    - add_locale: null
    - add_fields:
        fields:
          dataset: panw.panos
          namespace: default
          type: logs
        target: data_stream
    - add_fields:
        fields:
          dataset: panw.panos
        target: event
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
          snapshot: false
          version: 7.16.2
        target: elastic_agent
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
        target: agent
    protocol:
      udp:
        host: 10.5.50.7:9001
    publisher_pipeline.disable_host: true
    revision: 1
    tags:
    - panw-panos
    - forwarded
    type: syslog
output:
  elasticsearch:
    api_key: cuTYun4BGwFPsNURfTGN:kDubZMOhQmKNhXlzzqIYdw
    hosts:
    - https://es01.ca.augustinum.org:9200
    - https://es02.ca.augustinum.org:9200
    - https://es03.ca.augustinum.org:9200
    ssl:
      certificate_authorities:
      - /opt/Elastic/certs/ca.crt

---
[default] metricbeat:
metricbeat:
  modules:
  - cpu.metrics:
    - percentages
    - normalized_percentages
    id: system/metrics-system.cpu-81e95ba6-a7a2-4bb7-8abf-901a7684490b
    index: metrics-system.cpu-default
    meta:
      package:
        name: system
        version: 1.6.4
    metricsets:
    - cpu
    module: system
    name: system-2
    period: 10s
    processors:
    - add_fields:
        fields:
          dataset: system.cpu
          namespace: default
          type: metrics
        target: data_stream
    - add_fields:
        fields:
          dataset: system.cpu
        target: event
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
          snapshot: false
          version: 7.16.2
        target: elastic_agent
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
        target: agent
    revision: 1
  - id: system/metrics-system.filesystem-81e95ba6-a7a2-4bb7-8abf-901a7684490b
    index: metrics-system.filesystem-default
    meta:
      package:
        name: system
        version: 1.6.4
    metricsets:
    - filesystem
    module: system
    name: system-2
    period: 1m
    processors:
    - drop_event:
        when:
          regexp:
            system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)
    - add_fields:
        fields:
          dataset: system.filesystem
          namespace: default
          type: metrics
        target: data_stream
    - add_fields:
        fields:
          dataset: system.filesystem
        target: event
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
          snapshot: false
          version: 7.16.2
        target: elastic_agent
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
        target: agent
    revision: 1
  - diskio.include_devices: null
    id: system/metrics-system.diskio-81e95ba6-a7a2-4bb7-8abf-901a7684490b
    index: metrics-system.diskio-default
    meta:
      package:
        name: system
        version: 1.6.4
    metricsets:
    - diskio
    module: system
    name: system-2
    period: 10s
    processors:
    - add_fields:
        fields:
          dataset: system.diskio
          namespace: default
          type: metrics
        target: data_stream
    - add_fields:
        fields:
          dataset: system.diskio
        target: event
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
          snapshot: false
          version: 7.16.2
        target: elastic_agent
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
        target: agent
    revision: 1
  - id: system/metrics-system.load-81e95ba6-a7a2-4bb7-8abf-901a7684490b
    index: metrics-system.load-default
    meta:
      package:
        name: system
        version: 1.6.4
    metricsets:
    - load
    module: system
    name: system-2
    period: 10s
    processors:
    - add_fields:
        fields:
          dataset: system.load
          namespace: default
          type: metrics
        target: data_stream
    - add_fields:
        fields:
          dataset: system.load
        target: event
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
          snapshot: false
          version: 7.16.2
        target: elastic_agent
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
        target: agent
    revision: 1
  - id: system/metrics-system.memory-81e95ba6-a7a2-4bb7-8abf-901a7684490b
    index: metrics-system.memory-default
    meta:
      package:
        name: system
        version: 1.6.4
    metricsets:
    - memory
    module: system
    name: system-2
    period: 10s
    processors:
    - add_fields:
        fields:
          dataset: system.memory
          namespace: default
          type: metrics
        target: data_stream
    - add_fields:
        fields:
          dataset: system.memory
        target: event
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
          snapshot: false
          version: 7.16.2
        target: elastic_agent
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
        target: agent
    revision: 1
  - id: system/metrics-system.fsstat-81e95ba6-a7a2-4bb7-8abf-901a7684490b
    index: metrics-system.fsstat-default
    meta:
      package:
        name: system
        version: 1.6.4
    metricsets:
    - fsstat
    module: system
    name: system-2
    period: 1m
    processors:
    - drop_event:
        when:
          regexp:
            system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)
    - add_fields:
        fields:
          dataset: system.fsstat
          namespace: default
          type: metrics
        target: data_stream
    - add_fields:
        fields:
          dataset: system.fsstat
        target: event
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
          snapshot: false
          version: 7.16.2
        target: elastic_agent
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
        target: agent
    revision: 1
  - id: system/metrics-system.process.summary-81e95ba6-a7a2-4bb7-8abf-901a7684490b
    index: metrics-system.process.summary-default
    meta:
      package:
        name: system
        version: 1.6.4
    metricsets:
    - process_summary
    module: system
    name: system-2
    period: 10s
    processors:
    - add_fields:
        fields:
          dataset: system.process.summary
          namespace: default
          type: metrics
        target: data_stream
    - add_fields:
        fields:
          dataset: system.process.summary
        target: event
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
          snapshot: false
          version: 7.16.2
        target: elastic_agent
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
        target: agent
    revision: 1
  - id: system/metrics-system.network-81e95ba6-a7a2-4bb7-8abf-901a7684490b
    index: metrics-system.network-default
    meta:
      package:
        name: system
        version: 1.6.4
    metricsets:
    - network
    module: system
    name: system-2
    network.interfaces: null
    period: 10s
    processors:
    - add_fields:
        fields:
          dataset: system.network
          namespace: default
          type: metrics
        target: data_stream
    - add_fields:
        fields:
          dataset: system.network
        target: event
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
          snapshot: false
          version: 7.16.2
        target: elastic_agent
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
        target: agent
    revision: 1
  - id: system/metrics-system.process-81e95ba6-a7a2-4bb7-8abf-901a7684490b
    index: metrics-system.process-default
    meta:
      package:
        name: system
        version: 1.6.4
    metricsets:
    - process
    module: system
    name: system-2
    period: 10s
    process.cgroups.enabled: false
    process.cmdline.cache.enabled: true
    process.include_cpu_ticks: false
    process.include_top_n.by_cpu: 5
    process.include_top_n.by_memory: 5
    processes:
    - .*
    processors:
    - add_fields:
        fields:
          dataset: system.process
          namespace: default
          type: metrics
        target: data_stream
    - add_fields:
        fields:
          dataset: system.process
        target: event
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
          snapshot: false
          version: 7.16.2
        target: elastic_agent
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
        target: agent
    revision: 1
  - id: system/metrics-system.socket_summary-81e95ba6-a7a2-4bb7-8abf-901a7684490b
    index: metrics-system.socket_summary-default
    meta:
      package:
        name: system
        version: 1.6.4
    metricsets:
    - socket_summary
    module: system
    name: system-2
    period: 10s
    processors:
    - add_fields:
        fields:
          dataset: system.socket_summary
          namespace: default
          type: metrics
        target: data_stream
    - add_fields:
        fields:
          dataset: system.socket_summary
        target: event
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
          snapshot: false
          version: 7.16.2
        target: elastic_agent
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
        target: agent
    revision: 1
  - id: system/metrics-system.uptime-81e95ba6-a7a2-4bb7-8abf-901a7684490b
    index: metrics-system.uptime-default
    meta:
      package:
        name: system
        version: 1.6.4
    metricsets:
    - uptime
    module: system
    name: system-2
    period: 10s
    processors:
    - add_fields:
        fields:
          dataset: system.uptime
          namespace: default
          type: metrics
        target: data_stream
    - add_fields:
        fields:
          dataset: system.uptime
        target: event
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
          snapshot: false
          version: 7.16.2
        target: elastic_agent
    - add_fields:
        fields:
          id: 78814aa0-1cd0-4b8d-9dbc-11f44480cd68
        target: agent
    revision: 1
output:
  elasticsearch:
    api_key: cuTYun4BGwFPsxxxxxxxxxxxxxxxxxxx
    hosts:
    - https://es01.xxxxxxxxxxxxxxxxxxx:9200
    - https://es02.xxxxxxxxxxxxxxxxxxx:9200
    - https://es03.xxxxxxxxxxxxxxxxxxx:9200
    ssl:
      certificate_authorities:
      - /opt/Elastic/certs/ca.crt

---
[default] FLEET_MONITORING:
agent:
  monitoring:
    enabled: true
    logs: true
    metrics: true
    namespace: default
    use_output: default
monitoring_checksum: 5da0b2f629db8bd86c80e3add10d0e63
output:
  elasticsearch:
    api_key: cuTYun4BGxxxxxxxxxxxxxxxxxxxx
    hosts:
    - https://es01.xxxxxx:9200
    - https://es02.xxxxxx:9200
    - https://es03.xxxxxx:9200
    ssl:
      certificate_authorities:
      - /opt/Elastic/certs/ca.crt
    type: elasticsearch
programs:
- filebeat
- metricbeat

---

/opt/Elastic/Agent/data/elastic-agent-3c518f/install/filebeat-7.16.2-linux-x86_64/logs/filebeat

"host": {
    "architecture": "x86_64",
    "os": {
      "codename": "focal",
      "type": "linux",
      "platform": "ubuntu",
      "version": "20.04.3 LTS (Focal Fossa)",
      "family": "debian",
      "name": "Ubuntu",
      "kernel": "5.4.0-96-generic"
    },
    "name": "aug-srv-fb001",
    "id": "71518294922945a9b19620d480101c31",
    "containerized": false,
    "ip": [
      "10.5.1.183",
      "fe80::250:56ff:fe92:732"
    ],
    "mac": [
      "00:50:56:92:07:32"
    ],
    "hostname": "aug-srv-fb001"
  },
  "input": {
    "type": "filestream"
  },
  "event": {
    "dataset": "elastic_agent.filebeat"
  }
}
2022-02-02T18:40:07.473Z        DEBUG   [input.filestream]    filestream/filestream.go:131      End of file reached: /opt/Elastic/Agent/data/elastic-agent-3c518f/logs/default/filebeat-json.log; Backoff now.       {"id": "429D33EE9882AB68", "source": "filestream::.global::native::933237-64768", "path": "/opt/Elastic/Agent/data/elastic-agent-3c518f/logs/default/filebeat-json.log", "state-id": "native::933237-64768"}
2022-02-02T18:40:07.490Z        DEBUG   [elasticsearch] elasticsearch/client.go:232     PublishEvents: 4 events have been published to elasticsearch in 16.281599ms.
2022-02-02T18:40:07.490Z        DEBUG   [publisher]     memqueue/ackloop.go:160 ackloop: receive ack [12439: 0, 4]
2022-02-02T18:40:07.490Z        DEBUG   [publisher]     memqueue/eventloop.go:535       broker ACK events: count=4, start-seq=7841, end-seq=7844

2022-02-02T18:40:07.490Z        DEBUG   [acker] beater/acker.go:64      stateless ack   {"count": 4}
2022-02-02T18:40:07.490Z        DEBUG   [publisher]     memqueue/ackloop.go:128 ackloop: return ack to broker loop:4
2022-02-02T18:40:07.490Z        DEBUG   [publisher]     memqueue/ackloop.go:131 ackloop:  done send ack
2022-02-02T18:40:07.770Z        INFO    [file_watcher]  filestream/fswatch.go:137       Start next scan
2022-02-02T18:40:07.770Z        DEBUG   [file_watcher]  filestream/fswatch.go:204       Found 3 paths
2022-02-02T18:40:07.775Z        INFO    [file_watcher]  filestream/fswatch.go:137       Start next scan
2022-02-02T18:40:07.775Z        DEBUG   [file_watcher]  filestream/fswatch.go:204       Found 8 paths
2022-02-02T18:40:07.775Z        DEBUG   [input.filestream]    filestream/prospector.go:164      File /opt/Elastic/Agent/data/elastic-agent-3c518f/logs/default/filebeat-json.log has been updated   {"id": "429D33EE9882AB68", "prospector": "file_prospector", "operation": "write", "source_name": "native::933237-64768", "os_id": "933237-64768", "new_path": "/opt/Elastic/Agent/data/elastic-agent-3c518f/logs/default/filebeat-json.log", "old_path": "/opt/Elastic/Agent/data/elastic-agent-3c518f/logs/default/filebeat-json.log"}
2022-02-02T18:40:07.775Z        DEBUG   [input.filestream]    input-logfile/harvester.go:145    Starting harvester for file     {"id": "429D33EE9882AB68", "source": "filestream::.global::native::933237-64768"}
2022-02-02T18:40:07.775Z        DEBUG   [input.filestream]    input-logfile/harvester.go:181    Stopped harvester for file      {"id": "429D33EE9882AB68", "source": "filestream::.global::native::933237-64768"}
2022-02-02T18:40:07.775Z        INFO    [file_watcher]  filestream/fswatch.go:137       Start next scan
2022-02-02T18:40:07.775Z        DEBUG   [file_watcher]  filestream/fswatch.go:204       Found 8 paths
2022-02-02T18:40:07.775Z        DEBUG   [input.filestream]    filestream/prospector.go:164      File /opt/Elastic/Agent/data/elastic-agent-3c518f/logs/default/metricbeat-json.log has been updated {"id": "A8E38CDDCA22F6F9", "prospector": "file_prospector", "operation": "write", "source_name": "native::933199-64768", "os_id": "933199-64768", "new_path": "/opt/Elastic/Agent/data/elastic-agent-3c518f/logs/default/metricbeat-json.log", "old_path": "/opt/Elastic/Agent/data/elastic-agent-3c518f/logs/default/metricbeat-json.log"}
2022-02-02T18:40:07.775Z        DEBUG   [input.filestream]    input-logfile/harvester.go:145    Starting harvester for file     {"id": "A8E38CDDCA22F6F9", "source": "filestream::.global::native::933199-64768"}
2022-02-02T18:40:07.775Z        DEBUG   [input.filestream]    input-logfile/harvester.go:181    Stopped harvester for file      {"id": "A8E38CDDCA22F6F9", "source": "filestream::.global::native::933199-64768"}

Configuration:

  • Version: v7.16.2
  • Operating System: Ubuntu
  • Steps to Reproduce: Customer managed fleet server

/opt/Elastic/Agent/data/elastic-agent-3c518f/logs/default/filebeat-json.log

{"log.level":"debug","@timestamp":"2022-02-02T18:43:28.697Z","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":472},"message":"Check file for harvesting: /var/log/auth.log","service.name":"filebeat","input_id":"489b1d09-b275-4364-b076-93af0c96ff8d","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:28.697Z","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":570},"message":"Update existing file for harvesting: /var/log/auth.log, offset: 7137619","service.name":"filebeat","input_id":"489b1d09-b275-4364-b076-93af0c96ff8d","source":"/var/log/auth.log","state_id":"native::1179787-64768","finished":false,"os_id":"1179787-64768","old_source":"/var/log/auth.log","old_finished":false,"old_os_id":"1179787-64768","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:28.697Z","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":623},"message":"Harvester for file is still running: /var/log/auth.log","service.name":"filebeat","input_id":"489b1d09-b275-4364-b076-93af0c96ff8d","source":"/var/log/auth.log","state_id":"native::1179787-64768","finished":false,"os_id":"1179787-64768","old_source":"/var/log/auth.log","old_finished":false,"old_os_id":"1179787-64768","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:28.697Z","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":286},"message":"input states cleaned up. Before: 2, After: 2, Pending: 0","service.name":"filebeat","input_id":"489b1d09-b275-4364-b076-93af0c96ff8d","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:29.030Z","log.logger":"input.harvester","log.origin":{"file.name":"log/log.go","file.line":111},"message":"End of file reached: /var/log/syslog; Backoff now.","service.name":"filebeat","input_id":"9a6b4d3b-2559-4067-b3f8-dbc4161d99f5","source":"/var/log/syslog","state_id":"native::1183400-64768","finished":false,"os_id":"1183400-64768","old_source":"/var/log/syslog","old_finished":true,"old_os_id":"1183400-64768","harvester_id":"39acfb10-a032-4da4-badd-4266fd81da8b","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:29.077Z","log.logger":"elasticsearch","log.origin":{"file.name":"elasticsearch/client.go","file.line":232},"message":"PublishEvents: 38 events have been published to elasticsearch in 50.357212ms.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:29.077Z","log.logger":"publisher","log.origin":{"file.name":"memqueue/ackloop.go","file.line":160},"message":"ackloop: receive ack [4941: 0, 38]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:29.077Z","log.logger":"publisher","log.origin":{"file.name":"memqueue/eventloop.go","file.line":535},"message":"broker ACK events: count=38, start-seq=20093, end-seq=20130\n","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:29.077Z","log.logger":"acker","log.origin":{"file.name":"beater/acker.go","file.line":59},"message":"stateful ack","service.name":"filebeat","count":38,"ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:29.077Z","log.logger":"publisher","log.origin":{"file.name":"memqueue/ackloop.go","file.line":128},"message":"ackloop: return ack to broker loop:38","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:29.077Z","log.logger":"publisher","log.origin":{"file.name":"memqueue/ackloop.go","file.line":131},"message":"ackloop:  done send ack","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:29.077Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":263},"message":"Processing 38 events","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:29.077Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":230},"message":"Registrar state updates processed. Count: 38","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:29.077Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":205},"message":"Registry file updated. 4 active states.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:31.031Z","log.logger":"processors","log.origin":{"file.name":"processing/processors.go","file.line":203},"message":"Publish event: {\n  \"@timestamp\": \"2022-02-02T18:43:28.029Z\",\n  \"@metadata\": {\n    \"beat\": \"filebeat\",\n    \"type\": \"_doc\",\n    \"version\": \"7.16.2\",\n    \"raw_index\": \"logs-system.syslog-default\"\n  },\n  \"log\": {\n    \"offset\": 7873266,\n    \"file\": {\n      \"path\": \"/var/log/syslog\"\n    }\n  },\n  \"input\": {\n    \"type\": \"log\"\n  },\n  \"elastic_agent\": {\n    \"version\": \"7.16.2\",\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\",\n    \"snapshot\": false\n  },\n  \"host\": {\n    \"containerized\": false,\n    \"name\": \"aug-srv-fb001\",\n    \"ip\": [\n      \"10.5.1.183\",\n      \"fe80::250:56ff:fe92:732\"\n    ],\n    \"mac\": [\n      \"00:50:56:92:07:32\"\n    ],\n    \"hostname\": \"aug-srv-fb001\",\n    \"architecture\": \"x86_64\",\n    \"os\": {\n      \"kernel\": \"5.4.0-96-generic\",\n      \"codename\": \"focal\",\n      \"type\": \"linux\",\n      \"platform\": \"ubuntu\",\n      \"version\": \"20.04.3 LTS (Focal Fossa)\",\n      \"family\": \"debian\",\n      \"name\": \"Ubuntu\"\n    },\n    \"id\": \"71518294922945a9b19620d480101c31\"\n  },\n  \"message\": \"Feb  2 18:43:27 aug-srv-fb001 systemd[2432453]: run-user-1003.mount: Succeeded.\",\n  \"event\": {\n    \"dataset\": \"system.syslog\",\n    \"timezone\": \"+00:00\"\n  },\n  \"data_stream\": {\n    \"dataset\": \"system.syslog\",\n    \"namespace\": \"default\",\n    \"type\": \"logs\"\n  },\n  \"agent\": {\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\",\n    \"version\": \"7.16.2\",\n    \"hostname\": \"aug-srv-fb001\",\n    \"ephemeral_id\": \"fa73de4f-29db-46ce-b024-22f228bbf1ba\",\n    \"name\": \"aug-srv-fb001\",\n    \"type\": \"filebeat\"\n  },\n  \"ecs\": {\n    \"version\": \"1.12.0\"\n  }\n}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:31.031Z","log.logger":"processors","log.origin":{"file.name":"processing/processors.go","file.line":203},"message":"Publish event: {\n  \"@timestamp\": \"2022-02-02T18:43:31.031Z\",\n  \"@metadata\": {\n    \"beat\": \"filebeat\",\n    \"type\": \"_doc\",\n    \"version\": \"7.16.2\",\n    \"raw_index\": \"logs-system.syslog-default\"\n  },\n  \"data_stream\": {\n    \"dataset\": \"system.syslog\",\n    \"namespace\": \"default\",\n    \"type\": \"logs\"\n  },\n  \"ecs\": {\n    \"version\": \"1.12.0\"\n  },\n  \"host\": {\n    \"name\": \"aug-srv-fb001\",\n    \"architecture\": \"x86_64\",\n    \"os\": {\n      \"version\": \"20.04.3 LTS (Focal Fossa)\",\n      \"family\": \"debian\",\n      \"name\": \"Ubuntu\",\n      \"kernel\": \"5.4.0-96-generic\",\n      \"codename\": \"focal\",\n      \"type\": \"linux\",\n      \"platform\": \"ubuntu\"\n    },\n    \"id\": \"71518294922945a9b19620d480101c31\",\n    \"containerized\": false,\n    \"ip\": [\n      \"10.5.1.183\",\n      \"fe80::250:56ff:fe92:732\"\n    ],\n    \"mac\": [\n      \"00:50:56:92:07:32\"\n    ],\n    \"hostname\": \"aug-srv-fb001\"\n  },\n  \"input\": {\n    \"type\": \"log\"\n  },\n  \"event\": {\n    \"timezone\": \"+00:00\",\n    \"dataset\": \"system.syslog\"\n  },\n  \"elastic_agent\": {\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\",\n    \"snapshot\": false,\n    \"version\": \"7.16.2\"\n  },\n  \"agent\": {\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\",\n    \"type\": \"filebeat\",\n    \"version\": \"7.16.2\",\n    \"hostname\": \"aug-srv-fb001\",\n    \"ephemeral_id\": \"fa73de4f-29db-46ce-b024-22f228bbf1ba\",\n    \"name\": \"aug-srv-fb001\"\n  },\n  \"log\": {\n    \"offset\": 7873346,\n    \"file\": {\n      \"path\": \"/var/log/syslog\"\n    }\n  },\n  \"message\": \"Feb  2 18:43:29 aug-srv-fb001 multipathd[654]: sda: add missing path\"\n}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:31.032Z","log.logger":"processors","log.origin":{"file.name":"processing/processors.go","file.line":203},"message":"Publish event: {\n  \"@timestamp\": \"2022-02-02T18:43:31.031Z\",\n  \"@metadata\": {\n    \"beat\": \"filebeat\",\n    \"type\": \"_doc\",\n    \"version\": \"7.16.2\",\n    \"raw_index\": \"logs-system.syslog-default\"\n  },\n  \"host\": {\n    \"hostname\": \"aug-srv-fb001\",\n    \"architecture\": \"x86_64\",\n    \"os\": {\n      \"name\": \"Ubuntu\",\n      \"kernel\": \"5.4.0-96-generic\",\n      \"codename\": \"focal\",\n      \"type\": \"linux\",\n      \"platform\": \"ubuntu\",\n      \"version\": \"20.04.3 LTS (Focal Fossa)\",\n      \"family\": \"debian\"\n    },\n    \"id\": \"71518294922945a9b19620d480101c31\",\n    \"containerized\": false,\n    \"ip\": [\n      \"10.5.1.183\",\n      \"fe80::250:56ff:fe92:732\"\n    ],\n    \"name\": \"aug-srv-fb001\",\n    \"mac\": [\n      \"00:50:56:92:07:32\"\n    ]\n  },\n  \"input\": {\n    \"type\": \"log\"\n  },\n  \"event\": {\n    \"timezone\": \"+00:00\",\n    \"dataset\": \"system.syslog\"\n  },\n  \"agent\": {\n    \"version\": \"7.16.2\",\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\",\n    \"hostname\": \"aug-srv-fb001\",\n    \"ephemeral_id\": \"fa73de4f-29db-46ce-b024-22f228bbf1ba\",\n    \"name\": \"aug-srv-fb001\",\n    \"type\": \"filebeat\"\n  },\n  \"elastic_agent\": {\n    \"version\": \"7.16.2\",\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\",\n    \"snapshot\": false\n  },\n  \"ecs\": {\n    \"version\": \"1.12.0\"\n  },\n  \"log\": {\n    \"offset\": 7873415,\n    \"file\": {\n      \"path\": \"/var/log/syslog\"\n    }\n  },\n  \"message\": \"Feb  2 18:43:29 aug-srv-fb001 multipathd[654]: sda: failed to get udev uid: Invalid argument\",\n  \"data_stream\": {\n    \"dataset\": \"system.syslog\",\n    \"namespace\": \"default\",\n    \"type\": \"logs\"\n  }\n}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:31.032Z","log.logger":"input.harvester","log.origin":{"file.name":"log/log.go","file.line":111},"message":"End of file reached: /var/log/syslog; Backoff now.","service.name":"filebeat","input_id":"9a6b4d3b-2559-4067-b3f8-dbc4161d99f5","source":"/var/log/syslog","state_id":"native::1183400-64768","finished":false,"os_id":"1183400-64768","old_source":"/var/log/syslog","old_finished":true,"old_os_id":"1183400-64768","harvester_id":"39acfb10-a032-4da4-badd-4266fd81da8b","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:31.032Z","log.logger":"processors","log.origin":{"file.name":"processing/processors.go","file.line":203},"message":"Publish event: {\n  \"@timestamp\": \"2022-02-02T18:43:31.031Z\",\n  \"@metadata\": {\n    \"beat\": \"filebeat\",\n    \"type\": \"_doc\",\n    \"version\": \"7.16.2\",\n    \"raw_index\": \"logs-system.syslog-default\"\n  },\n  \"log\": {\n    \"file\": {\n      \"path\": \"/var/log/syslog\"\n    },\n    \"offset\": 7873508\n  },\n  \"message\": \"Feb  2 18:43:29 aug-srv-fb001 multipathd[654]: sda: failed to get sysfs uid: Invalid argument\",\n  \"event\": {\n    \"timezone\": \"+00:00\",\n    \"dataset\": \"system.syslog\"\n  },\n  \"elastic_agent\": {\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\",\n    \"snapshot\": false,\n    \"version\": \"7.16.2\"\n  },\n  \"agent\": {\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\",\n    \"version\": \"7.16.2\",\n    \"hostname\": \"aug-srv-fb001\",\n    \"ephemeral_id\": \"fa73de4f-29db-46ce-b024-22f228bbf1ba\",\n    \"name\": \"aug-srv-fb001\",\n    \"type\": \"filebeat\"\n  },\n  \"input\": {\n    \"type\": \"log\"\n  },\n  \"data_stream\": {\n    \"type\": \"logs\",\n    \"dataset\": \"system.syslog\",\n    \"namespace\": \"default\"\n  },\n  \"ecs\": {\n    \"version\": \"1.12.0\"\n  },\n  \"host\": {\n    \"os\": {\n      \"name\": \"Ubuntu\",\n      \"kernel\": \"5.4.0-96-generic\",\n      \"codename\": \"focal\",\n      \"type\": \"linux\",\n      \"platform\": \"ubuntu\",\n      \"version\": \"20.04.3 LTS (Focal Fossa)\",\n      \"family\": \"debian\"\n    },\n    \"name\": \"aug-srv-fb001\",\n    \"id\": \"71518294922945a9b19620d480101c31\",\n    \"containerized\": false,\n    \"ip\": [\n      \"10.5.1.183\",\n      \"fe80::250:56ff:fe92:732\"\n    ],\n    \"mac\": [\n      \"00:50:56:92:07:32\"\n    ],\n    \"hostname\": \"aug-srv-fb001\",\n    \"architecture\": \"x86_64\"\n  }\n}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:32.033Z","log.logger":"input.harvester","log.origin":{"file.name":"log/log.go","file.line":111},"message":"End of file reached: /var/log/syslog; Backoff now.","service.name":"filebeat","input_id":"9a6b4d3b-2559-4067-b3f8-dbc4161d99f5","source":"/var/log/syslog","state_id":"native::1183400-64768","finished":false,"os_id":"1183400-64768","old_source":"/var/log/syslog","old_finished":true,"old_os_id":"1183400-64768","harvester_id":"39acfb10-a032-4da4-badd-4266fd81da8b","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:32.046Z","log.logger":"elasticsearch","log.origin":{"file.name":"elasticsearch/client.go","file.line":232},"message":"PublishEvents: 4 events have been published to elasticsearch in 13.724345ms.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:32.046Z","log.logger":"publisher","log.origin":{"file.name":"memqueue/ackloop.go","file.line":160},"message":"ackloop: receive ack [4942: 0, 4]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:32.046Z","log.logger":"publisher","log.origin":{"file.name":"memqueue/eventloop.go","file.line":535},"message":"broker ACK events: count=4, start-seq=20131, end-seq=20134\n","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:32.046Z","log.logger":"acker","log.origin":{"file.name":"beater/acker.go","file.line":59},"message":"stateful ack","service.name":"filebeat","count":4,"ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:32.046Z","log.logger":"publisher","log.origin":{"file.name":"memqueue/ackloop.go","file.line":128},"message":"ackloop: return ack to broker loop:4","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:32.046Z","log.logger":"publisher","log.origin":{"file.name":"memqueue/ackloop.go","file.line":131},"message":"ackloop:  done send ack","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:32.046Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":263},"message":"Processing 4 events","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:32.046Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":230},"message":"Registrar state updates processed. Count: 4","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:32.047Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":205},"message":"Registry file updated. 4 active states.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:34.033Z","log.logger":"input.harvester","log.origin":{"file.name":"log/log.go","file.line":111},"message":"End of file reached: /var/log/syslog; Backoff now.","service.name":"filebeat","input_id":"9a6b4d3b-2559-4067-b3f8-dbc4161d99f5","source":"/var/log/syslog","state_id":"native::1183400-64768","finished":false,"os_id":"1183400-64768","old_source":"/var/log/syslog","old_finished":true,"old_os_id":"1183400-64768","harvester_id":"39acfb10-a032-4da4-badd-4266fd81da8b","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:35.226Z","log.logger":"input.harvester","log.origin":{"file.name":"log/log.go","file.line":111},"message":"End of file reached: /var/log/auth.log; Backoff now.","service.name":"filebeat","input_id":"489b1d09-b275-4364-b076-93af0c96ff8d","source":"/var/log/auth.log","state_id":"native::1179787-64768","finished":false,"os_id":"1179787-64768","old_source":"/var/log/auth.log","old_finished":true,"old_os_id":"1179787-64768","harvester_id":"f891795d-b41f-4c13-89a7-70e1c227ed1d","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:36.033Z","log.logger":"reader_multiline","log.origin":{"file.name":"multiline/pattern.go","file.line":170},"message":"Multiline event flushed because timeout reached.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:36.033Z","log.logger":"processors","log.origin":{"file.name":"processing/processors.go","file.line":203},"message":"Publish event: {\n  \"@timestamp\": \"2022-02-02T18:43:31.032Z\",\n  \"@metadata\": {\n    \"beat\": \"filebeat\",\n    \"type\": \"_doc\",\n    \"version\": \"7.16.2\",\n    \"raw_index\": \"logs-system.syslog-default\"\n  },\n  \"log\": {\n    \"file\": {\n      \"path\": \"/var/log/syslog\"\n    },\n    \"offset\": 7873602\n  },\n  \"message\": \"Feb  2 18:43:29 aug-srv-fb001 multipathd[654]: sda: failed to get sgio uid: No such file or directory\",\n  \"event\": {\n    \"timezone\": \"+00:00\",\n    \"dataset\": \"system.syslog\"\n  },\n  \"host\": {\n    \"id\": \"71518294922945a9b19620d480101c31\",\n    \"containerized\": false,\n    \"name\": \"aug-srv-fb001\",\n    \"ip\": [\n      \"10.5.1.183\",\n      \"fe80::250:56ff:fe92:732\"\n    ],\n    \"mac\": [\n      \"00:50:56:92:07:32\"\n    ],\n    \"hostname\": \"aug-srv-fb001\",\n    \"architecture\": \"x86_64\",\n    \"os\": {\n      \"codename\": \"focal\",\n      \"type\": \"linux\",\n      \"platform\": \"ubuntu\",\n      \"version\": \"20.04.3 LTS (Focal Fossa)\",\n      \"family\": \"debian\",\n      \"name\": \"Ubuntu\",\n      \"kernel\": \"5.4.0-96-generic\"\n    }\n  },\n  \"input\": {\n    \"type\": \"log\"\n  },\n  \"data_stream\": {\n    \"dataset\": \"system.syslog\",\n    \"namespace\": \"default\",\n    \"type\": \"logs\"\n  },\n  \"elastic_agent\": {\n    \"snapshot\": false,\n    \"version\": \"7.16.2\",\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\"\n  },\n  \"agent\": {\n    \"ephemeral_id\": \"fa73de4f-29db-46ce-b024-22f228bbf1ba\",\n    \"name\": \"aug-srv-fb001\",\n    \"type\": \"filebeat\",\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\",\n    \"version\": \"7.16.2\",\n    \"hostname\": \"aug-srv-fb001\"\n  },\n  \"ecs\": {\n    \"version\": \"1.12.0\"\n  }\n}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-02T18:43:36.456Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":184},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpuacct":{"total":{"ns":588183757}},"memory":{"mem":{"usage":{"bytes":3710976}}}},"cpu":{"system":{"ticks":13130,"time":{"ms":32}},"total":{"ticks":36600,"time":{"ms":77},"value":36600},"user":{"ticks":23470,"time":{"ms":45}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":21},"info":{"ephemeral_id":"fa73de4f-29db-46ce-b024-22f228bbf1ba","uptime":{"ms":15156115},"version":"7.16.2"},"memstats":{"gc_next":20723408,"memory_alloc":15596648,"memory_total":4090222080,"rss":132587520},"runtime":{"goroutines":71}},"filebeat":{"events":{"active":1,"added":81,"done":80},"harvester":{"open_files":2,"running":2}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":80,"active":0,"batches":9,"total":80},"read":{"bytes":21127},"write":{"bytes":92234}},"pipeline":{"clients":3,"events":{"active":1,"published":81,"total":81},"queue":{"acked":80}}},"registrar":{"states":{"current":4,"update":80},"writes":{"success":15,"total":15}},"system":{"load":{"1":0.04,"15":0.13,"5":0.15,"norm":{"1":0.02,"15":0.065,"5":0.075}}}},"ecs.version":"1.6.0"}}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:37.046Z","log.logger":"elasticsearch","log.origin":{"file.name":"elasticsearch/client.go","file.line":232},"message":"PublishEvents: 1 events have been published to elasticsearch in 13.007167ms.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:37.046Z","log.logger":"publisher","log.origin":{"file.name":"memqueue/ackloop.go","file.line":160},"message":"ackloop: receive ack [4943: 0, 1]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:37.046Z","log.logger":"publisher","log.origin":{"file.name":"memqueue/eventloop.go","file.line":535},"message":"broker ACK events: count=1, start-seq=20135, end-seq=20135\n","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:37.046Z","log.logger":"acker","log.origin":{"file.name":"beater/acker.go","file.line":59},"message":"stateful ack","service.name":"filebeat","count":1,"ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:37.046Z","log.logger":"publisher","log.origin":{"file.name":"memqueue/ackloop.go","file.line":128},"message":"ackloop: return ack to broker loop:1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:37.046Z","log.logger":"publisher","log.origin":{"file.name":"memqueue/ackloop.go","file.line":131},"message":"ackloop:  done send ack","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:37.046Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":263},"message":"Processing 1 events","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:37.046Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":230},"message":"Registrar state updates processed. Count: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:37.047Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":205},"message":"Registry file updated. 4 active states.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:38.034Z","log.logger":"processors","log.origin":{"file.name":"processing/processors.go","file.line":203},"message":"Publish event: {\n  \"@timestamp\": \"2022-02-02T18:43:38.034Z\",\n  \"@metadata\": {\n    \"beat\": \"filebeat\",\n    \"type\": \"_doc\",\n    \"version\": \"7.16.2\",\n    \"raw_index\": \"logs-system.syslog-default\"\n  },\n  \"data_stream\": {\n    \"namespace\": \"default\",\n    \"type\": \"logs\",\n    \"dataset\": \"system.syslog\"\n  },\n  \"agent\": {\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\",\n    \"name\": \"aug-srv-fb001\",\n    \"type\": \"filebeat\",\n    \"version\": \"7.16.2\",\n    \"hostname\": \"aug-srv-fb001\",\n    \"ephemeral_id\": \"fa73de4f-29db-46ce-b024-22f228bbf1ba\"\n  },\n  \"event\": {\n    \"timezone\": \"+00:00\",\n    \"dataset\": \"system.syslog\"\n  },\n  \"elastic_agent\": {\n    \"snapshot\": false,\n    \"version\": \"7.16.2\",\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\"\n  },\n  \"ecs\": {\n    \"version\": \"1.12.0\"\n  },\n  \"host\": {\n    \"id\": \"71518294922945a9b19620d480101c31\",\n    \"name\": \"aug-srv-fb001\",\n    \"containerized\": false,\n    \"ip\": [\n      \"10.5.1.183\",\n      \"fe80::250:56ff:fe92:732\"\n    ],\n    \"mac\": [\n      \"00:50:56:92:07:32\"\n    ],\n    \"hostname\": \"aug-srv-fb001\",\n    \"architecture\": \"x86_64\",\n    \"os\": {\n      \"family\": \"debian\",\n      \"name\": \"Ubuntu\",\n      \"kernel\": \"5.4.0-96-generic\",\n      \"codename\": \"focal\",\n      \"type\": \"linux\",\n      \"platform\": \"ubuntu\",\n      \"version\": \"20.04.3 LTS (Focal Fossa)\"\n    }\n  },\n  \"log\": {\n    \"file\": {\n      \"path\": \"/var/log/syslog\"\n    },\n    \"offset\": 7873704\n  },\n  \"message\": \"Feb  2 18:43:34 aug-srv-fb001 multipathd[654]: sda: add missing path\",\n  \"input\": {\n    \"type\": \"log\"\n  }\n}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:38.034Z","log.logger":"processors","log.origin":{"file.name":"processing/processors.go","file.line":203},"message":"Publish event: {\n  \"@timestamp\": \"2022-02-02T18:43:38.034Z\",\n  \"@metadata\": {\n    \"beat\": \"filebeat\",\n    \"type\": \"_doc\",\n    \"version\": \"7.16.2\",\n    \"raw_index\": \"logs-system.syslog-default\"\n  },\n  \"data_stream\": {\n    \"dataset\": \"system.syslog\",\n    \"namespace\": \"default\",\n    \"type\": \"logs\"\n  },\n  \"message\": \"Feb  2 18:43:34 aug-srv-fb001 multipathd[654]: sda: failed to get udev uid: Invalid argument\",\n  \"input\": {\n    \"type\": \"log\"\n  },\n  \"event\": {\n    \"dataset\": \"system.syslog\",\n    \"timezone\": \"+00:00\"\n  },\n  \"elastic_agent\": {\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\",\n    \"snapshot\": false,\n    \"version\": \"7.16.2\"\n  },\n  \"agent\": {\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\",\n    \"hostname\": \"aug-srv-fb001\",\n    \"ephemeral_id\": \"fa73de4f-29db-46ce-b024-22f228bbf1ba\",\n    \"name\": \"aug-srv-fb001\",\n    \"type\": \"filebeat\",\n    \"version\": \"7.16.2\"\n  },\n  \"ecs\": {\n    \"version\": \"1.12.0\"\n  },\n  \"host\": {\n    \"architecture\": \"x86_64\",\n    \"os\": {\n      \"name\": \"Ubuntu\",\n      \"kernel\": \"5.4.0-96-generic\",\n      \"codename\": \"focal\",\n      \"type\": \"linux\",\n      \"platform\": \"ubuntu\",\n      \"version\": \"20.04.3 LTS (Focal Fossa)\",\n      \"family\": \"debian\"\n    },\n    \"id\": \"71518294922945a9b19620d480101c31\",\n    \"containerized\": false,\n    \"name\": \"aug-srv-fb001\",\n    \"ip\": [\n      \"10.5.1.183\",\n      \"fe80::250:56ff:fe92:732\"\n    ],\n    \"mac\": [\n      \"00:50:56:92:07:32\"\n    ],\n    \"hostname\": \"aug-srv-fb001\"\n  },\n  \"log\": {\n    \"offset\": 7873773,\n    \"file\": {\n      \"path\": \"/var/log/syslog\"\n    }\n  }\n}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:38.034Z","log.logger":"input.harvester","log.origin":{"file.name":"log/log.go","file.line":111},"message":"End of file reached: /var/log/syslog; Backoff now.","service.name":"filebeat","input_id":"9a6b4d3b-2559-4067-b3f8-dbc4161d99f5","source":"/var/log/syslog","state_id":"native::1183400-64768","finished":false,"os_id":"1183400-64768","old_source":"/var/log/syslog","old_finished":true,"old_os_id":"1183400-64768","harvester_id":"39acfb10-a032-4da4-badd-4266fd81da8b","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:38.034Z","log.logger":"processors","log.origin":{"file.name":"processing/processors.go","file.line":203},"message":"Publish event: {\n  \"@timestamp\": \"2022-02-02T18:43:38.034Z\",\n  \"@metadata\": {\n    \"beat\": \"filebeat\",\n    \"type\": \"_doc\",\n    \"version\": \"7.16.2\",\n    \"raw_index\": \"logs-system.syslog-default\"\n  },\n  \"input\": {\n    \"type\": \"log\"\n  },\n  \"event\": {\n    \"timezone\": \"+00:00\",\n    \"dataset\": \"system.syslog\"\n  },\n  \"agent\": {\n    \"type\": \"filebeat\",\n    \"version\": \"7.16.2\",\n    \"hostname\": \"aug-srv-fb001\",\n    \"ephemeral_id\": \"fa73de4f-29db-46ce-b024-22f228bbf1ba\",\n    \"name\": \"aug-srv-fb001\",\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\"\n  },\n  \"log\": {\n    \"offset\": 7873866,\n    \"file\": {\n      \"path\": \"/var/log/syslog\"\n    }\n  },\n  \"message\": \"Feb  2 18:43:34 aug-srv-fb001 multipathd[654]: sda: failed to get sysfs uid: Invalid argument\",\n  \"data_stream\": {\n    \"dataset\": \"system.syslog\",\n    \"namespace\": \"default\",\n    \"type\": \"logs\"\n  },\n  \"elastic_agent\": {\n    \"id\": \"78814aa0-1cd0-4b8d-9dbc-11f44480cd68\",\n    \"snapshot\": false,\n    \"version\": \"7.16.2\"\n  },\n  \"ecs\": {\n    \"version\": \"1.12.0\"\n  },\n  \"host\": {\n    \"architecture\": \"x86_64\",\n    \"os\": {\n      \"name\": \"Ubuntu\",\n      \"kernel\": \"5.4.0-96-generic\",\n      \"codename\": \"focal\",\n      \"type\": \"linux\",\n      \"platform\": \"ubuntu\",\n      \"version\": \"20.04.3 LTS (Focal Fossa)\",\n      \"family\": \"debian\"\n    },\n    \"name\": \"aug-srv-fb001\",\n    \"id\": \"71518294922945a9b19620d480101c31\",\n    \"containerized\": false,\n    \"ip\": [\n      \"10.5.1.183\",\n      \"fe80::250:56ff:fe92:732\"\n    ],\n    \"mac\": [\n      \"00:50:56:92:07:32\"\n    ],\n    \"hostname\": \"aug-srv-fb001\"\n  }\n}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:38.136Z","log.logger":"input","log.origin":{"file.name":"input/input.go","file.line":139},"message":"Run input","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-02T18:43:38.136Z","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":147},"message":"Starting Syslog input","service.name":"filebeat","protocol":"udp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-02T18:43:38.136Z","log.logger":"UDP","log.origin":{"file.name":"dgram/server.go","file.line":99},"message":"Started listening for UDP connection","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-02-02T18:43:38.136Z","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":150},"message":"Error starting the servererrorlisten udp 10.5.50.7:9001: bind: cannot assign requested address","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:38.697Z","log.logger":"input","log.origin":{"file.name":"input/input.go","file.line":139},"message":"Run input","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:38.698Z","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":222},"message":"Start next scan","service.name":"filebeat","input_id":"9a6b4d3b-2559-4067-b3f8-dbc4161d99f5","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:38.698Z","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":323},"message":"Exclude file: /var/log/syslog.2.gz","service.name":"filebeat","input_id":"9a6b4d3b-2559-4067-b3f8-dbc4161d99f5","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2022-02-02T18:43:38.698Z","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":323},"message":"Exclude file: /var/log/syslog.3.gz","service.name":"filebeat","input_id":"9a6b4d3b-2559-4067-b3f8-

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.