Logstash: No data in kibana

syfy323 · March 31, 2018, 8:34pm

Hi!

I switched syslog from Graylog to ELK (same port) but I am unable to push data to ES / Kibana.
Filebeat and Packetbeat are working fine but syslog and netflow still have issues.

[2018-03-31T22:22:38,565][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"default"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2018-03-31T22:22:38,570][DEBUG][logstash.outputs.elasticsearch] Found existing Elasticsearch template. Skipping template management {:name=>"logstash"}
[2018-03-31T22:22:38,570][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::Elasticsearch", :hosts=>["//192.168.83.20:9200"]}

Kibana still does not find an index for "logstash-*".

Any ideas?

Kind regards,
Kevin

yaauie · March 31, 2018, 8:44pm

What does your pipeline configuration look like? Are you using tcp, udp, or a file-based solution to send your logs to Logstash?
Do you have evidence that messages are successfully arriving at Logstash for processing? Setting log.level: debug may be useful. Typically when writing a pipeline, I also start with a stdout output, and only remove it once I get my "real" outputs working.

syfy323 · April 1, 2018, 7:50am

Hi!

This is my config:

[root@slde6002 ~]# cat /etc/logstash/conf.d/30-syslog.conf
input {
syslog {
type => "syslog"
port => 5140
}
}

output {
elasticsearch {
hosts => "192.168.83.20:9200"
manage_template => true
}
}

I have debug enabled and can see every syslog message in output. There is no error or something else.

system · April 29, 2018, 7:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.