Kibana - Stack Monitoring - No structured logs found [2]

kurdit · September 2, 2022, 12:23am

hi all! I have exactly the same problem, but none of the solutions that I found here helped me

my filebeat.yml

filebeat.inputs:
- type: filestream
  id: my-filestream-id
  enabled: false
  paths:
    - /var/log/*.log

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 2

setup.kibana:
    host: "https://kibana-linux.elk.com:5601"
    protocol: "https"
    ssl.enabled: true
    ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
    ssl.certificate: "/etc/filebeat/certs/ca.crt"
    ssl.key: "/etc/filebeat/certs/ca.key"
    ssl.verification_mode: certificate
  
output.logstash:
   hosts: ["logstash01.elk.com:5047", "logstash02.elk.com:5047", "logstash03.elk.com:5047"]
   ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

my /etc/filebeat/modules.d/elasticsearch.yml (enable)

- module: elasticsearch
  server:
    enabled: true
    var.paths: ["/var/log/elasticsearch/elk_server.json"]

  gc:
    enabled: true
    var.paths: ["/var/log/elasticsearch/gc.log"]
   
  audit:
    enabled: true
    var.paths: ["/var/log/elasticsearch/elk_audit.json"]
  
  slowlog:
    enabled: true
    var.paths: ["/var/log/elasticsearch/elk_index_search_slowlog.json"]
    
  deprecation:
    enabled: true
    var.paths: ["/var/log/elasticsearch/elk_deprecation.json"]

my elasticsearch.yml

cluster.name: elk-elk.com
node.name: node-master01
path.data: /opt/elasticsearch/data
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: 10.200.9.166
http.port: 9200
discovery.seed_hosts: ["10.200.9.166", "10.200.9.172", "10.200.9.175"]
node.roles: [master, ingest]
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "certs/elasticsearch/http.p12"
xpack.monitoring.collection.enabled: true
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/cert-master01.p12
  certificate_authorities: ["certs/ca/ca.crt"]
http.host: 0.0.0.0

my kibana.yml

xpack.security.encryptionKey: "19dwdqwdwq19dwdqwdwq19dwdqwdwq19dwdqwdwq19dwdqwdwq"
xpack.reporting.encryptionKey: "19dwdqwdwq_d3219dwdqwdwq19dwdqwdwqd32"
xpack.encryptedSavedObjects.encryptionKey: "19dwdqwdwq19dwdqwdwq19dwdqwdwqw_oellek233332ddd"
server.port: 5601
server.host: "0.0.0.0"
monitoring.ui.ccs.enabled: false
server.publicBaseUrl: "https://mster01.elk.elk.com.ru:5601"
server.name: "kibana-linux.elk.elk.com.ru"
server.ssl.enabled: true
server.ssl.keystore.path: "/etc/kibana/kibana/kibana-certificate.p12"
server.ssl.truststore.path: "/etc/kibana/elastic-stack-ca.p12"
elasticsearch.hosts: ["https://kibana-linux.elk.elk.com.ru:9200", "https://datahot01.elk.elk.com.ru:9200", "https://datahot02.elk.elk.com.ru:9200", "https://datahot03.elk.elk.com.ru:9200", "https://datawarm01.elk.elk.com.ru:9200", "https://datawarm02.elk.elk.com.ru:9200", "https://datawarm03.elk.elk.com.ru:9200", "https://datawarm04.elk.elk.com.ru:9200", "https://datawarm05.elk.elk.com.ru:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "PASSWORD"
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/elasticsearch-ca.pem"]
elasticsearch.sniffInterval: 600000
elasticsearch.sniffOnConnectionFault: true
xpack.security.session.idleTimeout: "30m"
xpack.security.session.lifespan: "1d"
xpack.security.session.cleanupInterval: "8h"
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: pattern
        highlight: true
        pattern: "[%date][%level][%logger] %message %meta"
  root:
    appenders:
      - default
      - file
        
logging.loggers:
  - name: elasticsearch.query
    level: error
path.data: /opt/kibana/data
pid.file: /run/kibana/kibana.pid

iam also running this query against the cluster that stores the filebeat data

POST filebeat-*/_search?filter_path=hits.hits._source.event.dataset,hits.hits._source.@timestamp,hits.hits._source.elasticsearch
{
  "size": 10,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ],
  "collapse": {
    "field": "event.dataset"
  }
}

result:

{
  "hits": {
    "hits": [
      {
        "_source": {
          "@timestamp": "2022-09-02T00:13:17.935Z",
          "event": {
            "dataset": "elasticsearch.gc"
          }
        }
      },
      {
        "_source": {
          "@timestamp": "2022-09-02T00:12:19.500Z",
          "event": {
            "dataset": "logstash.log"
          }
        }
      },
      {
        "_source": {
          "@timestamp": "2022-09-02T00:09:35.861Z",
          "event": {
            "dataset": "kibana.log"
          }
        }
      },
      {
        "_source": {
          "event": {
            "dataset": "elasticsearch.server"
          },
          "@timestamp": "2022-09-02T00:09:17.075Z"
        }
      },
      {
        "_source": {
          "event": {
            "dataset": "elasticsearch.deprecation"
          },
          "@timestamp": "2022-09-02T00:00:08.951Z"
        }
      }
    ]
  }
}

and this query

POST filebeat-*/_search
{
  "size": 0,
  "sort": {
    "@timestamp": {
      "order": "desc"
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "service.type": "elasticsearch"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-1h",
              "lte": "now"
                  }
              }
        },
        {
          "term": {
            "elasticsearch.cluster.uuid": "{cluster_uuid}"
          }
        }
      ]
    }
  },
  "aggs": {
    "types": {
      "terms": {
        "field": "event.dataset"
      },
      "aggs": {
        "levels": {
          "terms": {
            "field": "log.level"
          }
        }
      }
    }
  }
}

result:

{
  "took": 8,
  "timed_out": false,
  "_shards": {
    "total": 2,
    "successful": 2,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 0,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "types": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": []
    }
  }
}

my filebeat mapping in attach (filebeat_mapping.txt)
GET filebeat-*/_mapping

and this
GET _ingest/pipeline/filebeat-8.3.3-elasticsearch-server-pipeline

result

{
  "filebeat-8.3.3-elasticsearch-server-pipeline": {
    "description": "Pipeline for parsing elasticsearch server logs",
    "processors": [
      {
        "set": {
          "field": "event.ingested",
          "value": "{{_ingest.timestamp}}"
        }
      },
      {
        "set": {
          "copy_from": "@timestamp",
          "field": "event.created"
        }
      },
      {
        "grok": {
          "field": "message",
          "patterns": [
            "^%{CHAR:first_char}"
          ],
          "pattern_definitions": {
            "CHAR": "."
          }
        }
      },
      {
        "pipeline": {
          "if": "ctx.first_char != '{'",
          "name": "filebeat-8.3.3-elasticsearch-server-pipeline-plaintext"
        }
      },
      {
        "pipeline": {
          "if": "ctx.first_char == '{'",
          "name": "filebeat-8.3.3-elasticsearch-server-pipeline-json"
        }
      },
      {
        "script": {
          "params": {
            "ms_in_one_m": 60000,
            "minutes_unit": "m",
            "seconds_unit": "s",
            "milliseconds_unit": "ms",
            "ms_in_one_s": 1000
          },
          "lang": "painless",
          "source": """if (ctx.elasticsearch.server.gc != null && ctx.elasticsearch.server.gc.observation_duration != null) {
  if (ctx.elasticsearch.server.gc.observation_duration.unit == params.seconds_unit) {
    ctx.elasticsearch.server.gc.observation_duration.ms = ctx.elasticsearch.server.gc.observation_duration.time * params.ms_in_one_s;
  }
  if (ctx.elasticsearch.server.gc.observation_duration.unit == params.milliseconds_unit) {
    ctx.elasticsearch.server.gc.observation_duration.ms = ctx.elasticsearch.server.gc.observation_duration.time;
  }
  if (ctx.elasticsearch.server.gc.observation_duration.unit == params.minutes_unit) {
    ctx.elasticsearch.server.gc.observation_duration.ms = ctx.elasticsearch.server.gc.observation_duration.time * params.ms_in_one_m;
  }
} if (ctx.elasticsearch.server.gc != null && ctx.elasticsearch.server.gc.collection_duration != null) {
  if (ctx.elasticsearch.server.gc.collection_duration.unit == params.seconds_unit) {
    ctx.elasticsearch.server.gc.collection_duration.ms = ctx.elasticsearch.server.gc.collection_duration.time * params.ms_in_one_s;
  }
  if (ctx.elasticsearch.server.gc.collection_duration.unit == params.milliseconds_unit) {
    ctx.elasticsearch.server.gc.collection_duration.ms = ctx.elasticsearch.server.gc.collection_duration.time;
  }
  if (ctx.elasticsearch.server.gc.collection_duration.unit == params.minutes_unit) {
    ctx.elasticsearch.server.gc.collection_duration.ms = ctx.elasticsearch.server.gc.collection_duration.time * params.ms_in_one_m;
  }
}"""
        }
      },
      {
        "set": {
          "value": "event",
          "field": "event.kind"
        }
      },
      {
        "set": {
          "field": "event.category",
          "value": "database"
        }
      },
      {
        "script": {
          "lang": "painless",
          "source": """def errorLevels = ['FATAL', 'ERROR']; if (ctx?.log?.level != null) {
  if (errorLevels.contains(ctx.log.level)) {
    ctx.event.type = 'error';
  } else {
    ctx.event.type = 'info';
  }
}"""
        }
      },
      {
        "set": {
          "field": "host.name",
          "value": "{{elasticsearch.node.name}}",
          "ignore_empty_value": true
        }
      },
      {
        "set": {
          "field": "host.id",
          "value": "{{elasticsearch.node.id}}",
          "ignore_empty_value": true
        }
      },
      {
        "remove": {
          "field": [
            "elasticsearch.server.gc.collection_duration.time",
            "elasticsearch.server.gc.collection_duration.unit",
            "elasticsearch.server.gc.observation_duration.time",
            "elasticsearch.server.gc.observation_duration.unit"
          ],
          "ignore_missing": true
        }
      },
      {
        "remove": {
          "field": [
            "elasticsearch.server.timestamp",
            "elasticsearch.server.@timestamp"
          ],
          "ignore_missing": true
        }
      },
      {
        "remove": {
          "field": [
            "first_char"
          ]
        }
      }
    ],
    "on_failure": [
      {
        "set": {
          "value": "{{ _ingest.on_failure_message }}",
          "field": "error.message"
        }
      }
    ]
  }
}

aaaaand this

GET _ingest/pipeline/filebeat-8.3.3-elasticsearch-server-pipeline-json

result

{
  "filebeat-8.3.3-elasticsearch-server-pipeline-json": {
    "description": "Pipeline for parsing the Elasticsearch server log file in JSON format.",
    "on_failure": [
      {
        "set": {
          "field": "error.message",
          "value": "{{ _ingest.on_failure_message }}"
        }
      }
    ],
    "processors": [
      {
        "json": {
          "field": "message",
          "target_field": "elasticsearch.server"
        }
      },
      {
        "pipeline": {
          "if": "ctx.elasticsearch.server.containsKey('type')",
          "name": "filebeat-8.3.3-elasticsearch-server-pipeline-json-7"
        }
      },
      {
        "pipeline": {
          "if": "ctx.elasticsearch.server.containsKey('ecs.version')",
          "name": "filebeat-8.3.3-elasticsearch-server-pipeline-json-8"
        }
      }
    ]
  }
}

kurdit · September 3, 2022, 11:17pm

my filebeat mapping here filebeat mapping - af6e7bca
GET filebeat-*/_mapping

stephenb · September 4, 2022, 5:19am

Looks to me like you're trying to send file. Beat through logstash.

That adds some complications

I always recommend to first get things working directly from filebeat to Elasticsearch first and then only after it works then put in logstash in the middle.

When you put in logstash in the middle The ingest pipelines won't be called properly unless you do the correct configuration,
And we cannot tell what your logs – configuration is because you didn't share it.

I suggest you take a look at this document

system · October 2, 2022, 5:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana - Stack Monitoring - No structured logs found Kibana elastic-stack-monitoring	23	3200	September 29, 2020
Don’t see logs in kibana stack monitoring Kibana elastic-stack-monitoring	22	1708	September 30, 2022
No Structured Logs Found in Stack Monitoring when using Logstash Logstash	7	436	May 9, 2022
No Structured Logs Found in Stack Monitoring when using Logstashs Logstash elastic-stack-monitoring	6	680	April 10, 2022
Don't see logs in kibana stack montoring Kibana	3	908	December 4, 2020

Kibana - Stack Monitoring - No structured logs found [2]

Related topics