No data passed from Filebeat

I'm pretty new to this software, but trying to set up Kibana, Elasticsearch, Filebeat, and Logstash.

The setup I'm trying to achieve is as follows: Kibana, ES, and Logstash are all on one server (for the sake of example, we'll say 1.1.1.1). I want to send the logs from other servers to Logstash, so that I can view them in Kibana on 1.1.1.1.

I've installed ES, Kibana, Logstash, with the following settings:

// KIBANA.YML
# File managed by Puppet.
---
server.port: '5601'
server.host: "1.1.1.1"

Kibana works fine, and can be accessed via the web.

// LOGSTASH.yml
path.data: "/var/lib/logstash"
path.config: "/etc/logstash/conf.d"
path.logs: "/var/log/logstash"
http.port: '9700'

This is the ES set up on 1.1.1.1

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => ["localhost:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      pipeline => "%{[@metadata][pipeline]}"
    }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}

And this is my "beats" config on 1.1.1.1

input {
  beats {
    port => 9700
  }
}

And then this is one of my other servers, say 2.2.2.2, which is running filebeat

### Filebeat configuration managed by Puppet ###
---
name: server1..
tags: []
fields: {}
fields_under_root: false
filebeat:
  config.inputs:
    enabled: true
    path: "/etc/filebeat/conf.d/*.yml"
  config.modules:
    enabled: false
    path: "/etc/filebeat/modules.d/*.yml"
  modules: []
  overwrite_pipelines: false
  shutdown_timeout: '0'
  registry:
    path: "/var/lib/filebeat"
    file_permissions: '0600'
    flush: 0s
  autodiscover: {}
http: {}
cloud: {}
queue: {}
output:
  logstash:
    hosts:
    - 1.1.1.1:9700
    loadbalance: true
shipper: {}
logging: {}
runoptions: {}
processors: []
setup: {}

Everything seems to be working fine, but if I run:
curl -XGET 'http://1.1.1.1:9200/filebeat-*/_search?pretty', I get:

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 0,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  }
}

which seems like nothing has been sent to Logstash/ES. I looked at the DigitalOcean tutorial, which said to run:

filebeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["1.1.1.1:9200"]'

filebeat setup -E output.logstash.enabled=false -E output.elasticsearch.hosts=['1.1.1.1:9200'] -E setup.kibana.host=1.1.1.1:5601

but there was no change? Does anyone know what I've been doing wrong? I'm missing something potentially obvious here, I think, but can't figure out what?
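
The configs in the post above assign TCP port 9700 on 1.1.1.1 twice: `http.port` in logstash.yml, which is the listener for Logstash's own HTTP API, and the beats input. As an added example that is not part of the original thread, this Python script finds such overlaps from the config text; the function names and regexes are this example's own, and the thread does not establish whether the overlap is what kept the index empty.

```python
import re
from collections import defaultdict

# Excerpts copied from the configs in the post above.
LOGSTASH_YML = """\
path.logs: "/var/log/logstash"
http.port: '9700'
"""
PIPELINE_CONF = """\
input {
  beats {
    port => 9700
  }
}
"""
FILEBEAT_YML = """\
output:
  logstash:
    hosts:
    - 1.1.1.1:9700
"""


def listeners(logstash_yml, pipeline_conf):
    """Map each TCP port to the Logstash components configured to listen on it."""
    claims = defaultdict(list)
    # http.port (api.http.port in newer releases) is Logstash's own HTTP API.
    # Only a single fixed port is a hard claim; a range lets Logstash pick one.
    api = re.search(r"^\s*(?:api\.)?http\.port:\s*['\"]?(\d+)['\"]?\s*$",
                    logstash_yml, re.M)
    if api:
        claims[int(api.group(1))].append("Logstash HTTP API (http.port)")
    for port in re.findall(r"\bbeats\s*\{[^}]*?\bport\s*=>\s*(\d+)", pipeline_conf):
        claims[int(port)].append("beats input")
    return claims


def audit(logstash_yml, pipeline_conf, filebeat_yml):
    """Return human-readable findings; an empty list means no port problem."""
    claims = listeners(logstash_yml, pipeline_conf)
    findings = [f"port {p} claimed by: {', '.join(who)}"
                for p, who in sorted(claims.items()) if len(who) > 1]
    # Every Filebeat output.logstash host must point at a beats input port.
    for host, port in re.findall(r"^\s*-\s*['\"]?([\w.-]+):(\d+)", filebeat_yml, re.M):
        if "beats input" not in claims.get(int(port), []):
            findings.append(f"Filebeat target {host}:{port} is not a beats input")
    return findings
```

Calling `audit(LOGSTASH_YML, PIPELINE_CONF, FILEBEAT_YML)` on the posted values reports the double claim on 9700; moving either listener to its own port clears it.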

Hi @OAuthority Welcome to the community!

Interesting, this looks a lot like this thread... Do you really need Logstash, or are you just following some 3rd-party blog?

In the end you are going to need to look at the logs for Filebeat and Logstash to see what is going on... You can post them here; perhaps someone can help.

Thanks.

I've tried to cut out the middleman, and send the logs directly to ES.

I've followed the ES docs this time, and I've successfully set up the dashboards using the setup command, and set Filebeat to send the logs to Kibana. I've enabled the nginx module, for both access and error logs, but there is still no data in Kibana that I can see?

I know there is data in the access and error log for Nginx, so I should be seeing something? I can see a filebeat-* index on the left, but it is empty? Nothing in the error log at all for Filebeat?

adapted config:

name: server1..
tags: []
fields: {}
fields_under_root: false
filebeat:
  config.inputs:
    enabled: true
    path: "/etc/filebeat/conf.d/*.yml"
  config.modules:
    enabled: true
    path: "/etc/filebeat/modules.d/*.yml"
  modules: []
  overwrite_pipelines: false
  shutdown_timeout: '0'
  registry:
    path: "/var/lib/filebeat"
    file_permissions: '0600'
    flush: 0s
  autodiscover: {}
http: {}
cloud: {}
queue: {}
output:
  elasticsearch:
    hosts: ["IP:9200"]
    username: ""
    password: ""
shipper: {}
runoptions: {}
processors: []
setup.kibana:
  host: "http://IP:5601"
  username: ""
  password: ""

EDIT:
It appears there is something in the log, but not very descriptive?

2023-12-29T20:12:50.297Z        INFO    instance/beat.go:698    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat] Hostfs Path: [/]
2023-12-29T20:12:50.297Z        DEBUG   [beat]  instance/beat.go:756    Beat metadata path: /var/lib/filebeat/meta.json
2023-12-29T20:12:50.297Z        INFO    instance/beat.go:706    Beat ID: bc438165-9b9e-4f2f-bfb5-2de401292771
2023-12-29T20:12:50.297Z        INFO    [beat]  instance/beat.go:1052   Beat info       {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "bc438165-9b9e-4f2f-bfb5-2de401292771"}}}
2023-12-29T20:12:50.297Z        INFO    [beat]  instance/beat.go:1061   Build info      {"system_info": {"build": {"commit": "b474d2803ed2961f23f614d7213d9099fb0b4354", "libbeat": "7.17.15", "time": "2023-11-08T19:08:34.000Z", "version": "7.17.15"}}}
2023-12-29T20:12:50.297Z        INFO    [beat]  instance/beat.go:1064   Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.20.10"}}}
2023-12-29T20:12:50.298Z        INFO    [beat]  instance/beat.go:1070   Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2023-11-20T11:38:52Z","containerized":false,"name":"mw1","ip":["127.0.0.1","::1","10.0.0.3","fe80::80d:36ff:fe0a:fdc2"],"kernel_version":"5.15.0-88-generic","mac":["0a:0d:36:0a:fd:c2"],"os":{>
2023-12-29T20:12:50.298Z        INFO    [beat]  instance/beat.go:1099   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lo>
2023-12-29T20:12:50.298Z        INFO    instance/beat.go:292    Setup Beat: filebeat; Version: 7.17.15
2023-12-29T20:12:50.298Z        DEBUG   [beat]  instance/beat.go:318    Initializing output plugins
2023-12-29T20:12:50.298Z        INFO    [index-management]      idxmgmt/std.go:184      Set output.elasticsearch.index to 'filebeat-7.17.15' as ILM is enabled.
2023-12-29T20:12:50.298Z        INFO    [esclientleg]   eslegclient/connection.go:105   elasticsearch url: http://IP:9200
2023-12-29T20:12:50.298Z        DEBUG   [publisher]     pipeline/consumer.go:148        start pipeline event consumer
2023-12-29T20:12:50.298Z        INFO    [publisher]     pipeline/module.go:113  Beat name: mw1..

I managed to play around with it a bit, and if I do:

filebeat:
  inputs:
    - type: log
      enabled: true
      paths:
        - /var/log/hello.log

and add something to hello.log, it's pushed to Kibana, so it's working in that respect, but for some reason, none of the OOTB modules are working, such as Nginx, or system, despite them being enabled, and content as such:

- module: nginx
  # Access logs
  access:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/nginx/access.log*"]

Not sure what exactly is going on here?

What are the names of the files in that directory?

In Kibana -> Dev Tools run

GET _cat/indices/filebeat*/?v

If they are old, did you look at the proper time frame?

In filebeat.yml you can also comment out

output.elasticsearch: section

and put in

output.console:

and filebeat will print what it is reading to the console

just start filebeat -e
