Thanks for replying, @stephenb!
I checked the logs for Filebeat and don't see much. I did follow the steps you linked and Filebeat seems to be running. Below are the requested configs and the log.
Log:
{"log.level":"info","@timestamp":"2022-05-03T14:49:47.537Z","log.origin":{"file.name":"instance/beat.go","file.line":685},"message":"Home path: [/home/bottlebill/filebeat-8.2.0-linux-x86_64] Config path: [/home/bottlebill/filebeat-8.2.0-linux-x86_64] Data path: [/home/bottlebill/filebeat-8.2.0-linux-x86_64/data] Logs path: [/home/bottlebill/filebeat-8.2.0-linux-x86_64/logs]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-03T14:49:47.537Z","log.origin":{"file.name":"instance/beat.go","file.line":693},"message":"Beat ID: d309f519-a6ba-4880-9037-e13269ca7dd7","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-05-03T14:49:50.540Z","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":80},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
filebeat.yml
---
# filebeat.yml — standalone Filebeat 8.2.0 shipping to a local Elasticsearch
# over HTTPS, with Kibana setup pointed at a separate host. The parsed
# configuration is the same as the pasted original; only layout, null
# spelling, quoting and comments differ.
filebeat.inputs:
  # The generic filestream input is switched off, so only inputs started by
  # modules (see filebeat.config.modules) feed this Filebeat.
  - type: filestream
    id: my-filestream-id
    enabled: false
    paths:
      - /var/log/*.log

filebeat.config.modules:
  # Every *.yml under modules.d is loaded; changes need a restart because
  # reloading is disabled.
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: '10.10.10.10:5601'
  # Credentials sit in plaintext in this file (the values here look redacted).
  # The Beats keystore (`filebeat keystore add <KEY>`) with `${KEY}`
  # references keeps them out of the config and out of pastes like this one.
  username: 'user'
  password: 'password'

output.elasticsearch:
  hosts:
    - 'https://localhost:9200'
  # `none` turns off certificate verification for the Elasticsearch
  # connection: TLS still encrypts, but the server is not authenticated and
  # the username/password below are sent to whatever answers on that port.
  # Acceptable for a localhost test; for anything else point
  # `ssl.certificate_authorities` at the cluster CA and use `full`
  # (the default) instead.
  ssl.verification_mode: none
  username: 'user'
  password: 'password'

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  # add_cloud_metadata probes cloud metadata endpoints at startup. On a host
  # that is not in a cloud this only yields the IMDSv2 timeout warning seen in
  # the log above (the ~3 s gap before it looks like the probe timeout); the
  # processor can be dropped on such hosts.
  - add_cloud_metadata: null
  - add_docker_metadata: null
  - add_kubernetes_metadata: null
fortinet.yml
---
# modules.d/fortinet.yml — Fortinet module with only the firewall fileset
# enabled. No `var.*` overrides are given, so the fileset runs with its
# built-in input settings.
# NOTE(review): I believe the default is a syslog listener bound to
# localhost; a FortiGate on another host cannot reach that, so set
# `var.syslog_host` / `var.syslog_port` explicitly (and allow the port on the
# host firewall) — confirm against the module reference for 8.2.
- module: fortinet
  firewall:
    enabled: true
  # The remaining filesets stay off.
  clientendpoint:
    enabled: false
  fortimail:
    enabled: false
  fortimanager:
    enabled: false