Index Mismatch

danni · February 3, 2018, 9:32am

I am having an issue with kibana. My setup is a little like this:

Windows Logs from a WEC server
Linux logs including apache and weblogic
Winlogbeat and filebeat with filebeat-* index and winevnt-* index and being ingested on different ports

My problem is that when i upgraded to elastic 6.1.3 from 6.0.0, filebeat-* index is full of windows event logs even and to see the actual logs for filebeat-* index, i am forced to use filters and queries. Is this a bug or are my configurations all weirdly setup?

rashmi · February 5, 2018, 4:43pm

Hi

Can you please paste your config here( sans the sensitive data) . We may help you debug if its a wrong config . It sounds like winlogbeat logs are going to filebeat-?
Anyways either way it's a misconfiguration somewhere - either kibana has an index pattern that's matching all indices () or winlogbeat and filebeat are configured to point to the wrong indices.

Thanks
Rashmi

danni · February 6, 2018, 5:07pm

Attached is a screen shot and the config for both windows and linux
apache host.

Thanks

rashmi · February 6, 2018, 6:39pm

The config was not posted here. Can you re-post it ?

Thanks
Rashmi

danni · February 6, 2018, 10:33pm

Here is the text config:

====================================WINLOG
CONFIG=========================

input {
tcp {
port => 6051
codec => json
tags => [ "json" ]
}

stdin { }

}
filter {
if "json" in [tags] {
mutate {
#add_tag => [ "conf_file_0001"]
}
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "winevent-%{+YYYY.MM.dd}"
}
}

==============================APACHE
CONFIG===============================
input {
beats {
port => 5044
}
}

filter {
if [fileset][name] == "access" {
grok {
match => { "message" => "%{IP:client} - -
[%{HTTPDATE:apache_timestamp}] "(?:%{WORD:method}
%{URIPATH:request}(?:?%{NOTSPACE:query_string})?(?:
HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response}
%{WORD:bytes}" }
}
}
else if [fileset][name] == "error" {
grok {
match => { "message" => "[%{DATA:apache_timestamp}]
[%{WORD:type}] [client %{IP:client}] %{GREEDYDATA:log_message}" }
}
date {
match => [ "apache_timestamp" , "EEE MMM dd HH:mm:ss yyyy" ]
}
}
}

output {
elasticsearch {
hosts => ["localhost:9200"]
manage_template => false
index => "apachebeat-%{+YYYY.MM.dd}"
}
}

danni · February 6, 2018, 10:35pm

They are different configs btw. One if for recieving windows logs and
the other one is for recieving linux and other application logs
especially apache and others am having. But when i select the
apachebeat* index from the discover console, it displays windows logs
instead which is very odd

system · March 6, 2018, 10:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Windows logs are coming in, but Linux logs are not Logstash	2	347	November 14, 2018
Why do I see the winlogbeat fields in Filebeat indexes after creating the winlogbeat index? Beats filebeat , winlogbeat	3	590	November 10, 2020
No matching indices found: No indices match pattern "winlogbeat-*" Beats winlogbeat	4	1406	April 29, 2019
Winlogbeat via Logstash into Elasticsearch Logstash	18	7750	July 22, 2017
Can't create Winlogbeat index in Elasticsearch Beats winlogbeat	7	3941	July 5, 2017

Index Mismatch

stdin { }

Related topics