How to detect the absence of a file using filebeat

Puneet_Singh · July 22, 2024, 4:17pm

Hi All,
We have a monitoring pipeline available in out infrastructure for monitoring /var/log/messages logs.
filebeat -> kafka -> logstash -> elasticsearch -> elastalert.

We are using filebeat 8.0.1 to export system logs to the kafka topic.

Now the issue is that there maybe few servers where the /var/log/messages may not be present. So following possibilities may happen:

Scenario A: no logs in the /var/log/messages since last 1 day
Scenario B: /var/log/messages file is missing

How can we distinguish/detect the scenario A from scenario B? so that i can detect and create an alert for Scenario B using elastalert?

please advice.

Puneet_Singh · July 22, 2024, 4:19pm

Removed #elastalert

Wolfram_Haussig · July 23, 2024, 7:51am

Hello Puneet,

My first thought was to use ls command as an input, but neither Filebeat nor Elastic Agent support it yet.

Therefore, I would create a cron job on the systems running ls -ltr --time-style=long-iso /var/log > logfile-ages.log

This file can then be ingested into Elastic using Filebeat and you can create an alert if the messages file is not found in the documents of the last X minutes.

But maybe someone else has a better idea...

Best regards
Wolfram