Is Filebeat, Log courier and logstash supported for CentOS RHEL 5?

ajeevpk · November 21, 2016, 3:11pm

Hi ,

I want a light weight log forwarder in RHEL5 machine, looks like Filebeat, Log courier and logstash NOT supported for CentOS RHEL 5.

Can some one help me resolve this error
[root@ctp-fcpld1app11 ~]# service filebeat start
Starting filebeat: 2016/11/10 11:50:21.449037 beat.go:135: DBG Initializing output plugins
2016/11/10 11:50:21.449186 geolite.go:24: INFO GeoIP disabled: No paths were set under output.geoip.paths
2016/11/10 11:50:21.455787 logstash.go:106: INFO Max Retries set to: 3
2016/11/10 11:50:21.455965 client.go:100: DBG connect
2016/11/10 11:50:21.456445 client.go:100: DBG connect
2016/11/10 11:50:21.459475 outputs.go:126: INFO Activated logstash as output plugin.
2016/11/10 11:50:21.460778 publish.go:232: DBG Create output worker
2016/11/10 11:50:21.462226 publish.go:274: DBG No output is defined to store the topology. The server fields might not be filled.
2016/11/10 11:50:21.462588 publish.go:288: INFO Publisher name: ctp-fcpld1app11
2016/11/10 11:50:21.463651 async.go:78: INFO Flush Interval set to: 1s
2016/11/10 11:50:21.463862 async.go:84: INFO Max Bulk Size set to: 2048
2016/11/10 11:50:21.464056 async.go:92: DBG create bulk processing worker (interval=1s, bulk size=2048)
2016/11/10 11:50:21.464523 beat.go:147: INFO Init Beat: filebeat; Version: 1.2.3
FATAL: kernel too old
/bin/bash: line 1: 16545 Segmentation fault filebeat-god -r / -n -p /var/run/filebeat.pid -- /usr/bin/filebeat -c /etc/filebeat/filebeat.yml
[FAILED]
[root@ctp-fcpld1app11 ~]#

Is log-courier not compatible with RHEL5?

[root@podrbccls3etl01 local_log_courier]# rpm -ivh zeromq3-3.2.5-1.el6.x86_64.rpm
warning: zeromq3-3.2.5-1.el6.x86_64.rpm: Header V3 RSA/SHA256 signature: NOKEY, key ID 0608b895
error: Failed dependencies:
libc.so.6(GLIBC_2.7)(64bit) is needed by zeromq3-3.2.5-1.el6.x86_64
libpgm-5.1.so.0()(64bit) is needed by zeromq3-3.2.5-1.el6.x86_64
libstdc++.so.6(GLIBCXX_3.4.9)(64bit) is needed by zeromq3-3.2.5-1.el6.x86_64
rpmlib(FileDigests) <= 4.6.0-1 is needed by zeromq3-3.2.5-1.el6.x86_64
rpmlib(PayloadIsXz) <= 5.2-1 is needed by zeromq3-3.2.5-1.el6.x86_64

Thanks,
Ajeev

andrewkroh · November 21, 2016, 3:23pm

Both Filebeat and Log Courier are written in Go. Go is not supported on RHEL5. (Some newer RHEL 5 kernels may work, but it's still not officially supported).

Logstash uses the JVM so if you can meet the JVM version requirements you may be able to get LS to run. Running LS on RHEL5 is not officially supported by Elastic.

Eric_S · November 21, 2016, 3:47pm

i got kernel too old msg when i tried to run filebeat:

Starting filebeat: FATAL: kernel too old

here is my RHEL version:
LSB Version: :core-4.0-amd64:core-4.0-ia32:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: RedHatEnterpriseServer
Description: Red Hat Enterprise Linux Server release 5.11 (Tikanga)
Release: 5.11
Codename: Tikanga

kernel version:
kernel-2.6.18-409.el5
kernel-2.6.18-412.el5
kernel-2.6.18-416.el5

Eric_S · November 21, 2016, 3:59pm

Andrew, are you saying that after build go 1.1 on my RHEL5-2.6.18.409.el5 kernel machine, beats might be able to run?

andrewkroh · November 21, 2016, 4:15pm

No, it was my understanding based on that blog post that there is a chance that a Go program might be able to run on certain RHEL5 kernels (no need to rebuild FB).

Can you trying running Filebeat directly and not as a service (e.g. filebeat -c /etc/filebeat/filebeat.yml -e - v -d "*").

The "kernel too old" is probably coming from filebeat-god which is not a Go program and will need to be compiled for RHEL 5. filebeat-god is used to help daemonize the filebeat process in the init script. It's a build of https://github.com/tsg/go-daemon.

Eric_S · November 21, 2016, 4:29pm

ha, it's working i think. there is no any console output on "filebeat -c /etc/filebeat/filebeat.yml -e - v -d "*"" but i can see msg coming in on my kibana frontend now.

i have filebeat running on RHEL5 box, then logstash, ES and Kibana on ubuntu 16 box waiting for filebeat. seems like it's working.

Eric_S · November 21, 2016, 4:33pm

thanks so much andrew.

now since i'm a newbie on linux and beats. could you pls help me on below 2 questions:

how do i setup filebeats to run as a service on RHEL5?
what is the command to run packetbeat manually? (packetbeat is the one i want install and run next)

thanks again.

Eric_S · November 21, 2016, 6:39pm

for packetbeat, when i try to start it with:
sudo /etc/init.d/packetbeat start

i got below error msg:
Starting packetbeat: /usr/bin/packetbeat: /lib64/libc.so.6: version `GLIBC_2.7' not found (required by /usr/bin/packetbeat)

run: nm /usr/bin/packetbeat |grep GLIBC_2.7
i got: U __isoc99_sscanf@@GLIBC_2.7

seems that my RHEL5 don't have GLIBC2.7 which packetbeat needs to use _iscc99_sscanf function. Any idea?

andrewkroh · November 21, 2016, 7:17pm

Either build a go-daemon for RHEL 5 and replace the filebeat-god binary (probably the init.d script would work as is if you did that). Or try hacking on the init script to not use filebeat-god.

See docs: Debug | Packetbeat Reference [8.11] | Elastic

packetbeat -c /etc/packetbeat/packetbeat.yml -e -d "*"

Packetbeat is different from Filebeat in that it depends on C libraries. You'll probably need to setup Go in your RHEL5 environment and build Packetbeat.

system · December 19, 2016, 7:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.