Logstash logs does not appears in the index created by Filebeat

pszemesy · January 8, 2019, 1:38pm

Hi All,

I have installed the filebeat component for log/monitor purposes for Logstash activities as it was described under the Logs menu item at Kibana.
Maybe I have miss-configured something, but only the file opening and file closing activities are recorded in the filebeat-* indices (no pipeline related activities, nor start or stop related ones).

I use the standard filebeat configuration (filebeat modules enable logstash - obviously).
I did not modified anything in fileds.yml, and I have configured the elasticsearch connection and the kibana connection in filebeat .yml only.

pierhugues · January 9, 2019, 7:23pm

Hello @pszemesy , if you look at the Logstash log are these message present? By default the logstash Filebeat module should read anything that is added to the log.

pszemesy · January 10, 2019, 5:32am

Hi,
Yes, in the Logstash log everything appears as it should, so what I do not understand why these log entries does not in index.

pierhugues · January 11, 2019, 2:01am

Can you share your configuration?

pszemesy · January 14, 2019, 8:52am

Please find it below (I have deleted the commented lines):
filebeat.yml:

filebeat.inputs:
- type: log
  enabled: false
  paths:
    - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
setup.kibana:
  host: "http://100.78.196.213:5601"
  username: "elastic"
  password: "********"
  protocol: "http"
output.elasticsearch:
  hosts: ["100.78.196.210:9200","100.78.196.211:9200","100.78.196.212:9200"]

  protocol: "http"
  username: "elastic"
  password: "********"

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

modules.d/logstash.yml:

  - module: logstash
    log:
     enabled: true
    slowlog:
     enabled: false

The others (fileds.yml and filebeat_reference.yml) are the standards from the installation.

pierhugues · January 18, 2019, 11:17pm

Looking at your configuration everything appears normal on my side, The logstash module, should be take by default log in /var/log/logstash/logstash-plain*.log, Is there any error in the Filebeat log?

pszemesy · January 28, 2019, 10:10am

Dear Pier,
Sorry for the late answer.
The modules.d/logstash.yml:
- module: logstash
# logs
log:
enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: [/data/logstash/log/logstash-plain.log]

  # Slow logs
  slowlog:
   enabled: false
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

While in the filebeat log I found the followings:

2019-01-28T10:41:13.130+0100    INFO    log/input.go:138        Configured paths: [/data/logstash/log/logstash-plain.log]
2019-01-28T10:41:13.130+0100    INFO    crawler/crawler.go:106  Loading and starting Inputs completed. Enabled inputs: 0
2019-01-28T10:41:13.130+0100    INFO    cfgfile/reload.go:150   Config reloader started
2019-01-28T10:41:13.132+0100    INFO    log/input.go:138        Configured paths: [/data/logstash/log/logstash-plain.log]
2019-01-28T10:41:13.132+0100    INFO    elasticsearch/client.go:163     Elasticsearch url: http://xxx.xxx.xxx.xxx:9200
2019-01-28T10:41:13.133+0100    INFO    elasticsearch/client.go:163     Elasticsearch url: http://xxx.xxx.xxx.xxx:9200
2019-01-28T10:41:13.133+0100    INFO    elasticsearch/client.go:163     Elasticsearch url: http://xxx.xxx.xxx.xxx:9200
2019-01-28T10:41:13.134+0100    INFO    elasticsearch/client.go:712     Connected to Elasticsearch version 6.5.3
2019-01-28T10:41:13.136+0100    INFO    input/input.go:114      Starting input of type: log; ID: 5215442098622615622
2019-01-28T10:41:13.136+0100    INFO    cfgfile/reload.go:205   Loading of config files completed.
2019-01-28T10:41:43.130+0100    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":10,"time":{"ms":16}},"total":{"ticks":30,"time":{"ms":36},"value":30},"user":{"ticks":20,"time":{"ms":20}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":7},"info":{"ephemeral_id":"18897326-61a8-411f-8ee1-922298ec8897","uptime":{"ms":33017}},"memstats":{"gc_next":4194304,"memory_alloc":3426200,"memory_total":5065968,"rss":15376384}},"filebeat":{"events":{"added":2,"done":2},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0},"reloads":1},"output":{"type":"elasticsearch"},"pipeline":{"clients":2,"events":{"active":0,"filtered":2,"total":2}}},"registrar":{"states":{"current":1,"update":2},"writes":{"success":2,"total":2}},"system":{"cpu":{"cores":2},"load":{"1":0,"15":0.05,"5":0.01,"norm":{"1":0,"15":0.025,"5":0.005}}}}}}
2019-01-28T10:41:53.138+0100    INFO    log/harvester.go:254    Harvester started for file: /data/logstash/log/logstash-plain.log
2019-01-28T10:41:54.138+0100    INFO    pipeline/output.go:95   Connecting to backoff(elasticsearch(http://100.78.196.211:9200))
2019-01-28T10:41:54.139+0100    INFO    pipeline/output.go:95   Connecting to backoff(elasticsearch(http://100.78.196.212:9200))
2019-01-28T10:41:54.139+0100    INFO    pipeline/output.go:95   Connecting to backoff(elasticsearch(http://100.78.196.210:9200))
2019-01-28T10:41:54.140+0100    INFO    elasticsearch/client.go:712     Connected to Elasticsearch version 6.5.3
2019-01-28T10:41:54.141+0100    INFO    elasticsearch/client.go:712     Connected to Elasticsearch version 6.5.3
2019-01-28T10:41:54.141+0100    INFO    elasticsearch/client.go:712     Connected to Elasticsearch version 6.5.3
2019-01-28T10:41:54.153+0100    INFO    template/load.go:129    Template already exists and will not be overwritten.
2019-01-28T10:41:54.153+0100    INFO    pipeline/output.go:105  Connection to backoff(elasticsearch(http://100.78.196.211:9200)) established
2019-01-28T10:41:54.156+0100    INFO    template/load.go:129    Template already exists and will not be overwritten.
2019-01-28T10:41:54.157+0100    INFO    pipeline/output.go:105  Connection to backoff(elasticsearch(http://100.78.196.210:9200)) established
2019-01-28T10:41:54.159+0100    INFO    template/load.go:129    Template already exists and will not be overwritten.
2019-01-28T10:41:54.160+0100    INFO    pipeline/output.go:105  Connection to backoff(elasticsearch(http://100.78.196.212:9200)) established
2019-01-28T10:42:13.130+0100    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":20,"time":{"ms":5}},"total":{"ticks":50,"time":{"ms":18},"value":50},"user":{"ticks":30,"time":{"ms":13}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":11},"info":{"ephemeral_id":"18897326-61a8-411f-8ee1-922298ec8897","uptime":{"ms":63017}},"memstats":{"gc_next":4269696,"memory_alloc":3092864,"memory_total":6596712,"rss":602112}},"filebeat":{"events":{"added":4,"done":4},"harvester":{"open_files":1,"running":1,"started":1}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":3,"batches":3,"total":3},"read":{"bytes":4178},"write":{"bytes":4690}},"pipeline":{"clients":2,"events":{"active":0,"filtered":1,"published":3,"retry":3,"total":4},"queue":{"acked":3}}},"registrar":{"states":{"current":1,"update":4},"writes":{"success":4,"total":4}},"system":{"load":{"1":0,"15":0.05,"5":0.01,"norm":{"1":0,"15":0.025,"5":0.005}}}}}}

The logstash log contains some lines from the last few minutes:

[2019-01-28T10:48:43,732][INFO ][logstash.outputs.file    ] Closing file /data/logdebug/ado_28/mark_mark
[2019-01-28T10:48:45,575][INFO ][logstash.outputs.file    ] Closing file /data/logdebug/keret_28/logstashfail
[2019-01-28T10:51:07,863][INFO ][logstash.outputs.file    ] Opening file {:path=>"/data/logdebug/gazd_28/alert_1"}
[2019-01-28T10:51:44,275][INFO ][logstash.outputs.file    ] Closing file /data/logdebug/gazd_28/alert_1
[2019-01-28T10:51:51,070][INFO ][logstash.outputs.file    ] Closing file /data/logdebug/ado_28/tmp_notjson
[2019-01-28T10:51:51,072][INFO ][logstash.outputs.file    ] Opening file {:path=>"/data/logdebug/ado_28/mark_mark"}
[2019-01-28T10:52:32,254][INFO ][logstash.outputs.file    ] Opening file {:path=>"/data/logdebug/gazd_28/alert_1"}
[2019-01-28T10:52:45,229][INFO ][logstash.outputs.file    ] Closing file /data/logdebug/gazd_28/alert_1
[2019-01-28T10:56:50,453][ERROR][logstash.inputs.tcp      ] Error in Netty pipeline: java.io.IOException: Connection reset by peer
[2019-01-28T10:57:54,349][INFO ][logstash.outputs.file    ] Opening file {:path=>"/data/logdebug/keret_28/logstashfail"}

But on Kibana I can see no log entries.

pszemesy · January 30, 2019, 12:26pm

It is solved!
It was a yaml formatting mistake.

system · February 27, 2019, 12:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
No data moving into elasticsearch Beats filebeat	22	6589	May 16, 2018
Logstash data appears but filebeat data not appearing in kibana after x-pack is enabled Beats filebeat	4	1765	July 12, 2017
Filebeat not creating index in Kibana Beats filebeat	1	481	December 14, 2018
Filebeat doesn't seem to create index Beats filebeat	4	204	December 5, 2022
Filebeat, Kibana and ElasticSearch are configured, but not reading log files Beats filebeat	6	1491	August 14, 2020

Logstash logs does not appears in the index created by Filebeat

Related topics