After the 8.15.0 update, with the separation of event logs belonging to filebeat and metricbeat, we can no longer monitor the event logs belonging to the agent via Kibana with the Elastic Agent integration. There is only a notification saying "Cannot index event (status=400): dropping event! Look at the event log to view the event and cause."
Is there a chance to monitor the main reason for the errors we receive (event logs) via Kibana without connecting to the server the agent is connected to? As far as I understand, the separated event logs are not currently indexed to Elasticsearch with this integration. Is there a solution for this? Or will there be an update in the near future where we can see all the logs belonging to the agent in this integration?
@edemir, the event logs are in the diagnostics bundle, you can request them via Kibana, download onto your machine and look at the logs. If you prefer you can even upload them on Kibana to analyse.
@stephenb @TiagoQueiroz are there any updates in this department? Is there an easy way to get the dropped events automatically now, or still not? This manual diagnostics download is tedious.
I get it can be tedious to request/download the diagnostics to get access to the events log, however due to security concerns that's the best option at the moment.
@TiagoQueiroz thank you for the update. Could you elaborate more on the security concerns? How does this impact security?
We have a similar flow with Logstash DLQ pipeline that sends DLQ messages to an index, so we can reprocess those messages easily once the problems have been fixed. Sure, we can output the agent to Logstash, but we prefer the direct connections. Makes me wonder why there isn't some DLQ option in the agent.