Issue with kibana log data

Hi,

I am using Filebeat and Logstash to parse the logs of a server into Elasticsearch and then Kibana.

Elasticsearch version 7.5 and Kibana version: latest.

I am seeing logs being processed in Kibana but the output seems to be encoded.

logstash.conf

input {
  beats {
    port => 5000
    codec => plain { charset => "UTF-8" }
    type => "Jenkins Log"
  }
}

filter {
  if [type] == "Jenkins Log" {
    grok {
      match => { "message" => ["%{PF}", "%{DOVECOT}" ] }
    }
    date {
      match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}"
  }
}

filebeat.yaml

filebeat.inputs:
- type: log
  enabled: true
  encoding: utf-8
  reload.enabled: true
  reload.period: 10s
  paths:
  - /var/log/jenkins/*.log
output.logstash:
  hosts: ["IPADDR:5000"]
  console:
    pretty: true

Do you have any suggestions as to how to correct the config?

Best

Hi @Guy_Rawsthorn,

Can you try without the codec line on beats input?
Since it's a socket between Logstash and Filebeat, I believe it should not be informed as UTF-8 (without codec, it will be plain as default).

Remove the following line in logstash.conf:

codec => plain { charset => "UTF-8" }

Thanks for your reply @oranieri !

Unfortunately, I added this line to the config in an attempt to fix the logs. The data still appears to be shown as either encoded/encrypted despite removing the codec line within my Logstash config.

It appears this is a duplicate of the issue "Message Format problem for logstash", but the solution is not clear.

I am running the ELK stack using the https://github.com/deviantony/docker-elk docker-compose file.

If I test my filebeat configuration using - sudo filebeat -e -c /etc/filebeat/filebeat.yml -d "*"
I receive logs in a readable format. This makes me believe my filebeat config is ok.

If I view the packets of data received on port 5000 of my elk stack server - tcpdump -i ens192 port 5000 -Xvv - the data received is not readable and I think hex encoded??

0x09e0: 4230 5bfa 2388 e412 8450 2c2f 96af 38e7 B0[.#....P,/..8.
0x09f0: 3cf9 d6da d772 2914 57f2 fb43 7cff e1ed <....r).W..C|...
0x0a00: c787 e8d9 8e8d ece4 0f7b d7f9 13db f90d .........{......
0x0a10: fbe2 0f7b d7f9 d3fd 71b8 72ed d086 4627 ...{....q.r...F

Best,
Guy
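
Why a capture of Filebeat-to-Logstash traffic is not readable text, as an added example that is not part of the thread: the Beats (Lumberjack v2) protocol sends a window frame (`2W`) followed by a zlib-compressed frame (`2C`) that wraps the JSON event frames (`2J`), and the Logstash output compresses by default. The sample events, `build_batch`, `parse_frames` and the `MAX_INFLATED` limit are constructed for illustration, and a connection without TLS is assumed.

```python
import json
import struct
import zlib

MAX_INFLATED = 1 << 20  # assumed cap on decompressed bytes per frame
# Constructed sample events, shaped like Filebeat output for a Jenkins log.
SAMPLE = [{"message": f"INFO hudson.model.Run: build #{n} main SUCCESS",
           "log": {"file": {"path": "/var/log/jenkins/jenkins.log"}}} for n in (12, 13)]

def build_batch(events, level=3):
    """Frame events as a Beats client does: 2W window, then 2C wrapping 2J frames."""
    inner = b""
    for seq, event in enumerate(events, start=1):
        body = json.dumps(event).encode("utf-8")
        inner += b"2J" + struct.pack(">II", seq, len(body)) + body
    packed = zlib.compress(inner, level)
    return (b"2W" + struct.pack(">I", len(events))
            + b"2C" + struct.pack(">I", len(packed)) + packed)

def parse_frames(data):
    """Return the JSON events carried in a Lumberjack v2 byte stream."""
    events, pos = [], 0
    while pos < len(data):
        kind = data[pos:pos + 2]
        pos += 2
        if kind == b"2W":                  # window size only, no payload
            pos += 4
        elif kind == b"2J":                # sequence number, length, JSON body
            _seq, size = struct.unpack_from(">II", data, pos)
            pos += 8
            events.append(json.loads(data[pos:pos + size]))
            pos += size
        elif kind == b"2C":                # length, zlib stream of inner frames
            (size,) = struct.unpack_from(">I", data, pos)
            pos += 4
            inflater = zlib.decompressobj()
            inner = inflater.decompress(data[pos:pos + size], MAX_INFLATED)
            if inflater.unconsumed_tail:   # more output than the cap allows
                raise ValueError("compressed frame exceeds MAX_INFLATED")
            events.extend(parse_frames(inner))
            pos += size
        else:
            raise ValueError(f"not a Lumberjack v2 frame: {kind!r}")
    return events

if __name__ == "__main__":
    wire = build_batch(SAMPLE)
    print(wire[:32].hex())                     # binary on the wire
    print(parse_frames(wire)[0]["message"])    # readable once decoded
```

A `ValueError` from `parse_frames` on captured bytes means the stream is not plain Lumberjack v2, for example because it is TLS-wrapped or the port carries a different protocol.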

Solved:

filebeat.yml

filebeat.inputs:
- type: log
  enabled: true
  reload.enabled: true
  reload.period: 10s
  paths:
  - /var/log/jenkins/*.log
output.elasticsearch:
  hosts: ["IPADDR:9200"]

Instead I have stopped using Logstash, parsing the data directly to Elasticsearch.. :\
