Ingest Pipeline fails with no error or warning

Everything mentioned here (ELK, filebeat etc.) is version 6.8.3. I run 1 single node of ElasticSearch.

I'm trying to use the ingest-pipelines that are included with FileBeat. As an example, I started with the one that processes nginx access logs.

The pipelines were loaded using the normal command:

filebeat setup --pipelines --modules nginx

So the flow is: logfile --> filebeat --> logstash --> elasticsearch

I created an example file and added it to Filebeat config:

 - type: log
   enabled: true
   paths: ["/var/log/nginx_access_example"]
   fields:
     type: nginx_access
   fields_under_root: true

I added the extra field so I can differentiate the file from others.

I followed this page https://www.elastic.co/guide/en/logstash/6.8/use-ingest-pipelines.html and so in Logstash I have something like this:

 input {
   beats {
     port => 5044
     ssl => false
   }
 }
 
 output {
   if [type] == "nginx_access" {
     elasticsearch {
       hosts => ["localhost"]
       manage_template => false
       index => "%{[@metadata][beat]}-%{+YYYY.ww}"
       pipeline => "filebeat-6.8.3-nginx-access-default"
     }
   } else {
     elasticsearch {
       hosts => ["localhost"]
       manage_template => false
       index => "%{[@metadata][beat]}-%{+YYYY.ww}"
     }
   }
 }

As you can see, I added the name of the pipeline to be used for my particular file.

After restarting everything, I tried to add example-access-log-lines to that file, but... nothing shows up in ElasticSearch :frowning:

1). All the connections between the components work fine, because stuff from other files appear correctly there.
2). There are no errors or warnings anywhere
3). I know that Filebeat picks up the changes, because every time I add example-log-lines to that file, I can immediately see in Filebeat logs that a harvester was started for that file.

So it doesn't work, no matter what I try.

What I did next was to assume that I did something wrong in Logstash, so I decided to bypass it entirely.

I changed Filebeat config to point directly to ElasticSearch-output and I changed the input like this:

 - type: log
   enabled: true
   paths: ["/var/log/nginx_access_example"]
   pipeline: 'filebeat-6.8.3-nginx-access-default'
   fields:
     type: nginx_access
   fields_under_root: true

As you can see, I added the "pipeline" entry there.

Still nothing shows up in ElasticSearch.

Then I decided to do this:

1). Get the definition of the pipeline:

GET /_ingest/pipeline/filebeat-6.8.3-nginx-access-default

2). With that definition AND an example-log-line, I made use of the Ingest-Pipeline-Simulate endpoint:

 POST <elasticsearch>/_ingest/pipeline/_simulate
 {
 	"pipeline": {
         ............
        },
        "docs" : [
     	{
     		"_source": {
     			.............
     		}
     	}
   ]
 }

And.... it worked exactly as I wanted. Everything got parsed correctly and split into fields etc.

So, in conclusion:

1). it works when I put it in the "simulate" endpoint
2). it does NOT work in a more "real-world" case, with Filebeat and/or Logstash involved.
3). there are NO errors or warnings anywhere
4). the pipeline does contain an "on_failure" entry:

"on_failure": [{
     "set": {
         "field": "error.message",
         "value": "{{ _ingest.on_failure_message }}"
     }
 }

But of course it has no effect that I can see.

What am I missing? Thanks.

PS: I didn't post the entire definition of the pipeline because it's a bit long. But I can add if you think it can help.

Do I have to explicitly enable ingest-pipelines somewhere in ElasticSearch's config?
That could explain why it doesn't work.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.