Integrations don't send data

elkuser1234 · August 8, 2022, 1:44pm

Hi
I'm using elk stack 8.3
I have a problem with Tomcat integrations ver 1.5.0.
I collect logs from file and elastic agent don't send data from tomcat log. I don't use fleet.

Logs from the same agent for /var/log/syslog or /var/log/messages works fine.

How could i debug what is wrong

I attached the elastic-agent.yml file

id: 4ce6c1d0-xxxx-11ed-bd95-xxxxxxxxx
revision: 2
outputs:
  default:
    type: elasticsearch
    hosts:
      - 'https://x.y.z.a:9200'
    ssl.ca_trusted_fingerprint: xxxxxxxxxxxxxxxxxxxxxxxxx
    username: '{xxxx}'
    password: '{xxxx}'
output_permissions:
  default:
    _elastic_agent_monitoring:
      indices: []
    _elastic_agent_checks:
      cluster:
        - monitor
    a198937d-xxxx-4a61-b544-xxxxxxxxxx:
      indices:
        - names:
            - logs-system.auth-default
          privileges: &ref_0
            - auto_configure
            - create_doc
        - names:
            - logs-system.syslog-default
          privileges: *ref_0
        - names:
            - logs-system.security-default
          privileges: *ref_0
        - names:
            - logs-system.system-default
          privileges: *ref_0
        - names:
            - logs-system.application-default
          privileges: *ref_0
        - names:
            - metrics-system.load-default
          privileges: *ref_0
        - names:
            - metrics-system.memory-default
          privileges: *ref_0
        - names:
            - metrics-system.uptime-default
          privileges: *ref_0
        - names:
            - metrics-system.diskio-default
          privileges: *ref_0
        - names:
            - metrics-system.process.summary-default
          privileges: *ref_0
        - names:
            - metrics-system.network-default
          privileges: *ref_0
        - names:
            - metrics-system.cpu-default
          privileges: *ref_0
        - names:
            - metrics-system.process-default
          privileges: *ref_0
        - names:
            - metrics-system.socket_summary-default
          privileges: *ref_0
        - names:
            - metrics-system.fsstat-default
          privileges: *ref_0
        - names:
            - metrics-system.filesystem-default
          privileges: *ref_0
    d0f44bed-287f-469a-bcae-a507d2aba7d0:
      indices:
        - names:
            - logs-tomcat.log-default
          privileges: *ref_0
agent:
  monitoring:
    enabled: false
    logs: false
    metrics: false
inputs:
  - id: logfile-system-a198937d-4f15-4a61-b544-cee7d587962f
    name: system-3
    revision: 1
    type: logfile
    use_output: default
    meta:
      package:
        name: system
        version: 1.16.2
    data_stream:
      namespace: default
    streams:
      - id: logfile-system.auth-a198937d-4f15-4a61-b544-cee7d587962f
        data_stream:
          dataset: system.auth
          type: logs
        paths:
          - /var/log/auth.log*
          - /var/log/secure*
        exclude_files:
          - .gz$
        multiline:
          pattern: ^\s
          match: after
        processors:
          - add_locale: null
      - id: logfile-system.syslog-a198937d-4f15-4a61-b544-cee7d587962f
        data_stream:
          dataset: system.syslog
          type: logs
        paths:
          - /var/log/messages*
          - /var/log/syslog*
        exclude_files:
          - .gz$
        multiline:
          pattern: ^\s
          match: after
        processors:
          - add_locale: null
  - id: logfile-log-d0f44bed-287f-469a-bcae-a507d2aba7d0
    name: tomcat-1
    revision: 1
    type: logfile
    use_output: default
    meta:
      package:
        name: tomcat
        version: 1.5.0
    data_stream:
      namespace: default
    streams:
      - id: logfile-tomcat.log-d0f44bed-287f-469a-bcae-a507d2aba7d0
        data_stream:
          dataset: tomcat.log
          type: logs
        paths:
          - /home/tomcat/logs/catalina.out
        exclude_files:
          - .gz$
        tags:
          - tomcat-log
          - forwarded
        fields_under_root: true
        fields:
          observer:
            type: Web
            vendor: Apache
            product: TomCat
        publisher_pipeline.disable_host: true
        processors:
          - script:
              lang: javascript
              params:
                ecs: true
                rsa: true
                tz_offset: local
                keep_raw: false
                debug: false
              source: "// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one\n// or more contributor license agreements. Licensed under the Elastic License;\n// you may not use this file except in compliance with the Elastic License.\n\n/* jshint -W014,-W016,-W097,-W116 */\n\nvar processor = require(\"processor\");\nvar console = require(\"console\");\n\nvar FLAG_FIELD = \"log.flags\";\nvar FIELD......."
          - community_id: null
          - registered_domain:
              ignore_missing: true
              ignore_failure: true
              field: dns.question.name
              target_field: dns.question.registered_domain
              target_subdomain_field: dns.question.subdomain
              target_etld_field: dns.question.top_level_domain
          - registered_domain:
              ignore_missing: true
              ignore_failure: true
              field: client.domain
              target_field: client.registered_domain
              target_subdomain_field: client.subdomain
              target_etld_field: client.top_level_domain
          - registered_domain:
              ignore_missing: true
              ignore_failure: true
              field: server.domain
              target_field: server.registered_domain
              target_subdomain_field: server.subdomain
              target_etld_field: server.top_level_domain
          - registered_domain:
              ignore_missing: true
              ignore_failure: true
              field: destination.domain
              target_field: destination.registered_domain
              target_subdomain_field: destination.subdomain
              target_etld_field: destination.top_level_domain
          - registered_domain:
              ignore_missing: true
              ignore_failure: true
              field: source.domain
              target_field: source.registered_domain
              target_subdomain_field: source.subdomain
              target_etld_field: source.top_level_domain
          - registered_domain:
              ignore_missing: true
              ignore_failure: true
              field: url.domain
              target_field: url.registered_domain
              target_subdomain_field: url.subdomain
              target_etld_field: url.top_level_domain
          - add_locale: null

elkuser1234 · August 10, 2022, 8:47am

The integrator is sending data, but there is a parsing problem. Searching by host.ip did not work, I found documents using agent.name
I have an error dissect_parsing_error

system · September 7, 2022, 8:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic agent enrolled but not sending any data Beats elastic-agent	1	318	April 4, 2022
Elastic Agent logs empty Kibana fleet	2	275	June 19, 2023
Elastic-agent with Misp integration policy no data received while no errors comes up Elastic Agent	9	1158	April 19, 2023
Elastic-agent does not send metrics to Logstash Elastic Agent elastic-stack-monitoring	3	166	June 9, 2024
Elastic agent not sending logs to elastic search Elastic Agent	1	127	January 22, 2024

Integrations don't send data

Related topics