Metricbeat data not flowing into elasticsearch

Elastic Stack Beats
1

Hi All,

Got into a small trouble, have installed metric beat in few VM's which was sending data to elasticsearch and was able to view all the dashboards properly, and the VM firewall was turned off.

There was a vulnerability so i had to enable the windows firewall and post that metricbeat data from those machines are not flowing into elasticsearch, I have created an inbound and outbound rule to allow port 5601 and 9200 in the Vm, still not luck. Any advice on this please?

To confirm the port open i have done a telnet to elasticsearch and kibana with respective port and its working.

Thanks
Gauti

2

Hi @Gauti,

In principle this doesn't look like a problem on metricbeat :thinking: Were the firewall rules added in the host or in the guests?
Did you try to connect with telnet from the same guests where metricbeat is running?
Can you see any error in metricbeat logs?

3

yeah @jsoriano You are rite there is no problem with metricbeat,but for this scenario i thought this is the best place to ask the question.
firewall rules are added in guest, yes i tried telnet with both the ports 5601 and 9200, telnet is happening successfully.
mericbeat log doesnot have any information it has only one line which contains the config file path and logfile path, nothing else there in the log file.

Thanks
Gauti

4

This is weird, I guess you already tried to restart metricbeat after the change in the firewall rules?

5

yeah i did that too, i even restarted the guest OS, still no luck

Thanks
Gauti

6

Does curl from the guest to port 9200 in elasticsearch also work?

7

@jsoriano should i need to just mention "curl <'IP Address'> 9200" ?

tried the same way its throwing connection refused error

Thanks
Gauti

8

It'd be curl <IP address>:9200 (notice the : between host and port)

9

i'm getting the output @jsoriano

FYI..
image

Thanks
Gauti

10

Was this executed from the same guest where metricbeat is not working?
Is metricbeat configured to use the ip address too, or a hostname?

11

yeah it is from the same guest machine, beat is configured to use IP address only.

Thanks
Gauti

12

Umm, let's go back to the root of the question :slight_smile: How are you checking that there is no data in elasticsearch? I'm thinking now that maybe metricbeat is being able to send data, but is Kibana the one that has problems connecting to elasticsearch and this is why you cannot see anything...

If everything between kibana and elasticsearch is fine, to continue investigating the problem in metricbeat, could you enable debug logging with logging.level: debug and check again the logs for any problem related with connectivity?

13

By the way, you can also test the connectivity between metricbeat and its output with metricbeat test output.

14

my bad ,my bad, my bad.......sorry for wasting your time @jsoriano all these time i was checking whether data is flowing in or not by just clicking the beat.hostname on the lefthand side and checking how many hosts are there.it was showing only one.

After your question only i have searched for beat.hostname in the query field and got the output, yeah i'm getting all the documents flowing into elasticsearch.
Thank you very much for your patience and proper questions asked.

btw here is the screenshot of connection output
image

Thanks
Gauti

15

No problem, happy to see that you found the issue :slight_smile:

1 Like
16

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.