Logs are not collecting

disalassalyjose · July 26, 2016, 2:46am

Hi,
I am able to get the logs from one client server which is windows 12 r2 but not able to get the logs from another client server, below are the configuration that are done in both server side.
**Server :**Ubuntu 14.04
client: Windows server 2012 r2
02-beats-input.conf
input {
beats {
port => 5044
}
}

30-elasticsearch-output.conf
output {
elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
11-iis--prod.conf -----This iislog filter configuration for first client:
filter {
if [type] == "iis_prod" {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:datetime} %{IP:server_ip} %{WORD:method} %{URIPATH:page} %{NOTSPACE:query} %{NUMBER:port} %{NOTSPACE:username} %{IP:client_ip} %{NOTSPACE:useragent} %{NOTSPACE:referer} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:bytes} %{NUMBER:timetaken}" }
}
}
}
12-iis--stage.conf -----This iislog filter configuration for second client:
filter {
if [type] == "iis_stage_ready" {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:datetime} %{IP:server_ip} %{WORD:method} %{URIPATH:page} %{NOTSPACE:query} %{NUMBER:port} %{NOTSPACE:username} %{IP:client_ip} %{NOTSPACE:useragent} %{NOTSPACE:referer} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:bytes} %{NUMBER:timetaken}" }
}
}

jpcarey · July 26, 2016, 4:19am

Are there any specific errors in the filebeat log that should be sending to logstash?

disalassalyjose · July 26, 2016, 4:24am

ERR Failed to publish events caused by :EOF. this is the erroe i could find in the filebeat error.

jpcarey · July 26, 2016, 4:43am

I would double check that the yaml file is valid (diff against the working yaml config), and that the path to the filebeat registry file is valid.