Logstash to Elasticsearch not working for heartbeat


(Arun Prasath) #1

In the ELK pipeline, I have Heartbeat pushing logs to Logstash and then to Elasticsearch. Heartbeat to Logstash works fine, but Logstash to Elasticsearch has issues. I have done my best using the debug options in Logstash but could not figure out the issue. From the logs I am sure that Logstash gets the URL from Heartbeat and is not pushing it to ES.
I see the below lines in the Logstash logs, so LS has logs from Heartbeat.

 _RUBY.start_input(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:325)_
_java.lang.Thread.run(java/lang/Thread.java:745)_
_[2017-05-22T14:25:17,518][DEBUG][logstash.pipeline] filter received {"event"=>{"tls_handshake_rtt"=>{"us"=>451771}, "scheme"=>"https", "ip"=>"162.24.10.21", "tcp_connect_rtt"=>{"us"=>220262}, "monitor"=>"http@https://myapplication-url.mydomain.com", "type"=>"http", "http_rtt"=>{"us"=>255383}, "url"=>"https://myapplication-url.mydomain.com", "tags"=>["beats_input_raw_event"], "duration"=>{"us"=>993180}, "rtt"=>{"us"=>927568}, "@timestamp"=>2017-05-22T12:23:20.834Z, "port"=>443, "resolve_rtt"=>{"us"=>65529}, "response"=>{"status"=>200}, "host"=>"myapplication-url.mydomain.com", "beat"=>{"hostname"=>"build-server.domain.mydomain.com", "name"=> "build-server.domain.mydomain.com", "version"=>"5.4.0"}, "@version"=>"1", "up"=>true}}_
_[2017-05-22T14:25:22,520][DEBUG][logstash.pipeline] output received {"event"=>{"tls_handshake_rtt"=>{"us"=>415247}, "scheme"=>"https", "ip"=>"162.24.10.21", "tcp_connect_rtt"=>{"us"=>211131}, "monitor"=>"http@https://myapplication-url.mydomain.com", "type"=>"http", "http_rtt"=>{"us"=>205383}, "url"=>"https://myapplication-url.mydomain.com", "tags"=>["beats_input_raw_event"], "duration"=>{"us"=>888011}, "rtt"=>{"us"=>831959}, "@timestamp"=>2017-05-22T12:25:20.834Z, "port"=>443, "resolve_rtt"=>{"us"=>55934}, "response"=>{"status"=>200}, "beat"=>{"hostname"=>"build-server.domain.mydomain.com", "name"=>"build-server.domain.mydomain.com", "version"=>"5.4.0"}, "host"=>"myapplication-url.mydomain.com", "@version"=>"1", "up"=>true}}_

It is not creating the heartbeat-logstash- index (as mentioned in the output filter), and even this heartbeat index name is not logged anywhere in the log file. I have the below .yml file on the ELK server.

input {
  beats {
    port => 5044
  }
}
input {
  heartbeat {
    add_field => {
      "role" => "logstash_shipper"
    }
    interval => "10"
    type => "http"
  }
}

## some filter statements to process other filebeat from other servers

output {
  if [type] == "heartbeat" {
    elasticsearch {
      hosts => ["myelk-server.com:9200"]
      manage_template => false
      index => "heartbeat-%{+YYYY.MM.dd}"
    }
  } else if [type] == "filebeat" {
    elasticsearch {
      hosts => ["myelk-server.com:9200"]
      manage_template => false
      index => "filebeat-logstash-%{+YYYY.MM.dd}"
    }
  }
}

Please help figure out what I am missing. However, other beat indexes like filebeat, metricbeat are created in the ES without any issues.


(Aaron Mildenstein) #2

I'm confused. Where does the Logstash heartbeat plugin come into this? It does nothing more nor less than inject a message into the Logstash pipeline. It does not listen to nor receive any information from the heartbeat beat. Everything that the heartbeat beat sends comes through the regular beats input.

It seems that your line:

if [type] == "heartbeat" {

conflicts with

"type"=>"http"

from the two sample log lines. This might be why nothing is going into the heartbeat-YYYY.MM.dd index.
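
Added example, not part of the original posts: the output section from post #1 with the first conditional changed to match the `type` value visible in the two debug lines, plus a catch-all branch so that events matching no condition are written to a file rather than discarded without a log entry. The `file` output path is an assumed placeholder, and the `else` branch will also receive any other event types that have no branch of their own.

```logstash
output {
  # Heartbeat events arrive through the beats input carrying the
  # monitor type ("type"=>"http" in the debug lines), not "heartbeat".
  if [type] == "http" {
    elasticsearch {
      hosts => ["myelk-server.com:9200"]
      manage_template => false
      index => "heartbeat-%{+YYYY.MM.dd}"
    }
  } else if [type] == "filebeat" {
    elasticsearch {
      hosts => ["myelk-server.com:9200"]
      manage_template => false
      index => "filebeat-logstash-%{+YYYY.MM.dd}"
    }
  } else {
    # Catch-all: an event that matches no conditional is otherwise
    # dropped silently, which is why the index name never showed up
    # in the Logstash log. Writing it out makes the gap visible.
    file {
      # Hypothetical path, chosen for this example only.
      path => "/var/log/logstash/unrouted-%{+YYYY.MM.dd}.log"
    }
  }
}
```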


(Arun Prasath) #3

It worked now like a charm. You saved me, Aaron. :slight_smile: This is a problem for a beginner like me.


(Arun Prasath) #4

I have the data now in Kibana, but there is no return status (response.status) of the URL. I have created a separate post; could you help me with the new issue if I have some wrong code?
The new issue is at Heartbeat - how to send respone.status field to kibana to get URL status


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.