Metricbeat data not flowing into elasticsearch

Gauti · August 7, 2018, 12:50pm

Hi All,

Got into a small trouble, have installed metric beat in few VM's which was sending data to elasticsearch and was able to view all the dashboards properly, and the VM firewall was turned off.

There was a vulnerability so i had to enable the windows firewall and post that metricbeat data from those machines are not flowing into elasticsearch, I have created an inbound and outbound rule to allow port 5601 and 9200 in the Vm, still not luck. Any advice on this please?

To confirm the port open i have done a telnet to elasticsearch and kibana with respective port and its working.

Thanks
Gauti

jsoriano · August 7, 2018, 1:22pm

Hi @Gauti,

In principle this doesn't look like a problem on metricbeat Were the firewall rules added in the host or in the guests?
Did you try to connect with telnet from the same guests where metricbeat is running?
Can you see any error in metricbeat logs?

Gauti · August 7, 2018, 1:33pm

yeah @jsoriano You are rite there is no problem with metricbeat,but for this scenario i thought this is the best place to ask the question.
firewall rules are added in guest, yes i tried telnet with both the ports 5601 and 9200, telnet is happening successfully.
mericbeat log doesnot have any information it has only one line which contains the config file path and logfile path, nothing else there in the log file.

Thanks
Gauti

jsoriano · August 7, 2018, 1:48pm

This is weird, I guess you already tried to restart metricbeat after the change in the firewall rules?

Gauti · August 7, 2018, 3:16pm

yeah i did that too, i even restarted the guest OS, still no luck

Thanks
Gauti

jsoriano · August 7, 2018, 3:53pm

Does curl from the guest to port 9200 in elasticsearch also work?

Gauti · August 8, 2018, 6:17am

@jsoriano should i need to just mention "curl <'IP Address'> 9200" ?

tried the same way its throwing connection refused error

Thanks
Gauti

jsoriano · August 8, 2018, 10:03am

It'd be curl <IP address>:9200 (notice the : between host and port)

Gauti · August 8, 2018, 10:48am

i'm getting the output @jsoriano

FYI..

Thanks
Gauti

jsoriano · August 8, 2018, 11:13am

Was this executed from the same guest where metricbeat is not working?
Is metricbeat configured to use the ip address too, or a hostname?

Gauti · August 8, 2018, 11:55am

yeah it is from the same guest machine, beat is configured to use IP address only.

Thanks
Gauti

jsoriano · August 8, 2018, 12:04pm

Umm, let's go back to the root of the question How are you checking that there is no data in elasticsearch? I'm thinking now that maybe metricbeat is being able to send data, but is Kibana the one that has problems connecting to elasticsearch and this is why you cannot see anything...

If everything between kibana and elasticsearch is fine, to continue investigating the problem in metricbeat, could you enable debug logging with logging.level: debug and check again the logs for any problem related with connectivity?

jsoriano · August 8, 2018, 12:09pm

By the way, you can also test the connectivity between metricbeat and its output with metricbeat test output.

Gauti · August 8, 2018, 1:01pm

my bad ,my bad, my bad.......sorry for wasting your time @jsoriano all these time i was checking whether data is flowing in or not by just clicking the beat.hostname on the lefthand side and checking how many hosts are there.it was showing only one.

After your question only i have searched for beat.hostname in the query field and got the output, yeah i'm getting all the documents flowing into elasticsearch.
Thank you very much for your patience and proper questions asked.

btw here is the screenshot of connection output

Thanks
Gauti

jsoriano · August 8, 2018, 1:13pm

No problem, happy to see that you found the issue

system · September 5, 2018, 1:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.