No indexes created in Elasticsearch

chaire · December 16, 2018, 6:13pm

Hello. I'm using Elastic Stack 6.5 on my Windows 7. My workaround is Filebeat -> Logstash -> Elasticsearch -> Kibana. I run them and they look like working just fine as there's no error occurred. But there's no indexes/indices created in the Elasticsearch, thus my Kibana isn't showing anything.
My question is, what could be the problem or what should I check to find the problem?
Thank you.

pjanzen · December 16, 2018, 7:38pm

Hi,

Can you post you logstash input / filter / output ?

Please use the formatting tools

chaire · December 16, 2018, 7:51pm

Hi, here's my Logstash config.

input {
	beats {
        port => "5044"
    }
}

filter {
	grok {
        match => { "message" => "%{COMBINEDAPACHELOG}"}
    }
    geoip {
        source => "clientip"
    }
}
output {
	elasticsearch {
        hosts => ["localhost:9200"]
    }
    stdout { codec => rubydebug }
}

pjanzen · December 16, 2018, 7:53pm

Ok, you need to define an index to write to in your elasticsearch output.

Have a look here plugins-outputs-elasticsearch-index

chaire · December 16, 2018, 8:11pm

I've added the index definition but, still no indexes created. Instead, Filebeat seems to stop processing the data (before, it printed out the parsed data to the cmd).
Here's the log from Logstash/Filebeat:

[2018-12-17T03:01:58,118][INFO ][org.logstash.beats.BeatsHandler] [local: 0:0:0:0:0:0:0:1:5044, remote: 0:0:0:0:0:0:0:1:58059] Handling exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 84
[2018-12-17T03:01:58,119][WARN ][io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 84
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:405) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:372) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelInactive(ByteToMessageDecoder.java:355) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
	at io.netty.channel.AbstractChannelHandlerContext.access$300(AbstractChannelHandlerContext.java:38) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
	at io.netty.channel.AbstractChannelHandlerContext$4.run(AbstractChannelHandlerContext.java:236) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
	at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897) [netty-all-4.1.30.Final.jar:4.1.30.Final]
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-all-4.1.30.Final.jar:4.1.30.Final]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_45]
Caused by: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 84
	at org.logstash.beats.BeatsParser.decode(BeatsParser.java:92) ~[logstash-input-beats-5.1.8.jar:?]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
	... 10 more

pjanzen · December 16, 2018, 8:16pm

I am unsure whats going on here this might help

chaire · December 16, 2018, 8:43pm

Thank you for the suggestion, but I don't think it's SSL issue as I don't have it enabled on both sides. (I made sure to check both config files)

xeraa · December 18, 2018, 11:40pm

Could you add the Filebeat log as well, please?

chaire · January 10, 2019, 9:00am

Sorry for the very late reply.

I just run it again but the Filebeat didn't create any log files anymore (it used to do tho). But, in the command prompt, it wrote this kind of output:

2019-01-10T15:52:11.893+0700    INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":202},"total":{"ticks":857,"value":857},"user":{"ticks":655}},"handles":{"open":159},"info":{"ephemeral_id":"b70ccd0d-a965-4279-95ca-020306ebf7d8","uptime":{"ms":1906959}},"memstats":{"gc_next":4194304,"memory_alloc":2607360,"memory_total":23322816,"rss":8192}},"filebeat":{"events":{"added":1,"done":1},"harvester":{"open_files":1,"running":1,"started":1}},"libbeat":{"config":{"module":{"running":0},"reloads":3},"pipeline":{"clients":6,"events":{"active":0,"filtered":1,"total":1}}},"registrar":{"states":{"current":1,"update":1},"writes":{"success":1,"total":1}}}}}

Also, actually I want to ask, what's the difference of running Filebeat through command prompt and PowerShell?
When I try it on PowerShell, by running ".\filebeat.exe setup" I got message saying "Exiting: Template loading requested but the Elasticsearch output is not configured/enabled"

(I tried on both and I can't remember which one worked and created Filebeat logs earlier.)

chaire · January 10, 2019, 9:02am

Oh, I just checked again and the log was created.
Here it is. Sorry for the confusion.

2019-01-10T15:51:58.731+0700	INFO	instance/beat.go:592	Home path: [D:\filebeat-6.5.2-windows-x86_64] Config path: [D:\filebeat-6.5.2-windows-x86_64] Data path: [D:\filebeat-6.5.2-windows-x86_64\data] Logs path: [D:\filebeat-6.5.2-windows-x86_64\logs]
2019-01-10T15:51:58.865+0700	INFO	instance/beat.go:599	Beat UUID: 13720ea1-7cf1-42eb-a033-8db29b20cc48
2019-01-10T15:51:58.865+0700	INFO	[beat]	instance/beat.go:825	Beat info	{"system_info": {"beat": {"path": {"config": "D:\\filebeat-6.5.2-windows-x86_64", "data": "D:\\filebeat-6.5.2-windows-x86_64\\data", "home": "D:\\filebeat-6.5.2-windows-x86_64", "logs": "D:\\filebeat-6.5.2-windows-x86_64\\logs"}, "type": "filebeat", "uuid": "13720ea1-7cf1-42eb-a033-8db29b20cc48"}}}
2019-01-10T15:51:58.865+0700	INFO	[beat]	instance/beat.go:834	Build info	{"system_info": {"build": {"commit": "b48d073b84e874a182c122d8ef2bad867f714a11", "libbeat": "6.5.2", "time": "2018-11-29T23:03:04.000Z", "version": "6.5.2"}}}
2019-01-10T15:51:58.866+0700	INFO	[beat]	instance/beat.go:837	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":4,"version":"go1.10.3"}}}
2019-01-10T15:51:58.951+0700	INFO	[beat]	instance/beat.go:841	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-01-07T16:27:24.19+07:00","name":"Aurelia","ip":["fe80::987d:ecc7:3b6f:d919/64","169.254.217.25/16","fe80::a479:6679:e042:97b8/64","192.168.88.23/24","fe80::e86b:f8bf:bf80:3c84/64","169.254.60.132/16","fe80::e9fe:9397:46a7:4468/64","169.254.68.104/16","::1/128","127.0.0.1/8","fe80::e0:0:0:0/64","fe80::5efe:c0a8:5817/128"],"kernel_version":"6.1.7601.17592 (win7sp1_gdr.110408-1631)","mac":["70:f3:95:b2:67:d7","70:f3:95:b2:67:d7","70:f3:95:d4:83:c4","60:eb:69:6f:89:66","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"family":"windows","platform":"windows","name":"Windows 7 Professional","version":"6.1","major":1,"minor":0,"patch":0,"build":"7601.0"},"timezone":"+07","timezone_offset_sec":25200,"id":"df7fe80c-f48d-4f51-acc6-ed55f3eb1897"}}}
2019-01-10T15:51:58.952+0700	INFO	[beat]	instance/beat.go:870	Process info	{"system_info": {"process": {"cwd": "D:\\filebeat-6.5.2-windows-x86_64", "exe": "D:\\filebeat-6.5.2-windows-x86_64\\filebeat.exe", "name": "filebeat.exe", "pid": 6840, "ppid": 1676, "start_time": "2019-01-10T15:51:58.601+0700"}}}
2019-01-10T15:51:58.952+0700	INFO	instance/beat.go:278	Setup Beat: filebeat; Version: 6.5.2
2019-01-10T15:52:01.992+0700	INFO	add_cloud_metadata/add_cloud_metadata.go:319	add_cloud_metadata: hosting provider type not detected.
2019-01-10T15:52:01.992+0700	INFO	[publisher]	pipeline/module.go:110	Beat name: Aurelia
2019-01-10T15:52:01.993+0700	ERROR	instance/beat.go:800	Exiting: Template loading requested but the Elasticsearch output is not configured/enabled

xeraa · January 11, 2019, 12:45am

That's the problem. You have configured the Beat to load templates, which is the default. To do that the Beat needs to talk to Elasticsearch directly (and not through Logstash as you have configured it). And because the loading step is failing, Beats just stops and doesn't transfer any data. It is a little hidden in the docs — see the note in Configure Elasticsearch index template loading | Filebeat Reference [8.11] | Elastic.

To fix that: Disable automatic template loading with this setting in the filebeat.yml setup.template.enabled: false and then load it manually: Load the Elasticsearch index template | Filebeat Reference [8.11] | Elastic.

zqc0512 · January 11, 2019, 3:02am

output error.
see the data.

chaire · January 14, 2019, 6:39am

I've followed the instruction. Now the message "Exiting: ..." isn't showing anymore, but there is still no index created in the Elasticsearch. When I run "Start-Service filebeat" nothing showed in the screen.

Here's the latest Filebeat logs.

2019-01-14T13:26:03.906+0700	INFO	instance/beat.go:592	Home path: [D:\filebeat-6.5.2-windows-x86_64] Config path: [D:\filebeat-6.5.2-windows-x86_64] Data path: [D:\filebeat-6.5.2-windows-x86_64\data] Logs path: [D:\filebeat-6.5.2-windows-x86_64\logs]
2019-01-14T13:26:04.245+0700	INFO	instance/beat.go:599	Beat UUID: 3304ca32-b5a1-4858-9967-47569e9b89a4
2019-01-14T13:26:04.245+0700	INFO	[beat]	instance/beat.go:825	Beat info	{"system_info": {"beat": {"path": {"config": "D:\\filebeat-6.5.2-windows-x86_64", "data": "D:\\filebeat-6.5.2-windows-x86_64\\data", "home": "D:\\filebeat-6.5.2-windows-x86_64", "logs": "D:\\filebeat-6.5.2-windows-x86_64\\logs"}, "type": "filebeat", "uuid": "3304ca32-b5a1-4858-9967-47569e9b89a4"}}}
2019-01-14T13:26:04.381+0700	INFO	[beat]	instance/beat.go:834	Build info	{"system_info": {"build": {"commit": "b48d073b84e874a182c122d8ef2bad867f714a11", "libbeat": "6.5.2", "time": "2018-11-29T23:03:04.000Z", "version": "6.5.2"}}}
2019-01-14T13:26:04.422+0700	INFO	[beat]	instance/beat.go:837	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":4,"version":"go1.10.3"}}}
2019-01-14T13:26:04.659+0700	INFO	[beat]	instance/beat.go:841	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-01-13T21:14:36.03+07:00","name":"Aurelia","ip":["fe80::987d:ecc7:3b6f:d919/64","169.254.217.25/16","fe80::a479:6679:e042:97b8/64","10.5.26.4/22","fe80::e86b:f8bf:bf80:3c84/64","169.254.60.132/16","fe80::e9fe:9397:46a7:4468/64","167.205.34.104/24","::1/128","127.0.0.1/8","fe80::e0:0:0:0/64","fe80::5efe:a05:1a04/128","fe80::200:5efe:a7cd:2268/128","2002:a7cd:2268::a7cd:2268/128"],"kernel_version":"6.1.7601.17592 (win7sp1_gdr.110408-1631)","mac":["70:f3:95:b2:67:d7","70:f3:95:b2:67:d7","70:f3:95:d4:83:c4","60:eb:69:6f:89:66","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"family":"windows","platform":"windows","name":"Windows 7 Professional","version":"6.1","major":1,"minor":0,"patch":0,"build":"7601.0"},"timezone":"+07","timezone_offset_sec":25200,"id":"df7fe80c-f48d-4f51-acc6-ed55f3eb1897"}}}
2019-01-14T13:26:04.660+0700	INFO	[beat]	instance/beat.go:870	Process info	{"system_info": {"process": {"cwd": "D:\\filebeat-6.5.2-windows-x86_64", "exe": "D:\\filebeat-6.5.2-windows-x86_64\\filebeat.exe", "name": "filebeat.exe", "pid": 2828, "ppid": 2532, "start_time": "2019-01-14T13:25:42.240+0700"}}}
2019-01-14T13:26:04.660+0700	INFO	instance/beat.go:278	Setup Beat: filebeat; Version: 6.5.2
2019-01-14T13:26:07.825+0700	INFO	add_cloud_metadata/add_cloud_metadata.go:319	add_cloud_metadata: hosting provider type not detected.
2019-01-14T13:26:07.904+0700	INFO	elasticsearch/client.go:163	Elasticsearch url: http://localhost:9200
2019-01-14T13:26:07.942+0700	INFO	[publisher]	pipeline/module.go:110	Beat name: Aurelia
2019-01-14T13:26:07.997+0700	INFO	elasticsearch/client.go:163	Elasticsearch url: http://localhost:9200
2019-01-14T13:26:08.457+0700	INFO	elasticsearch/client.go:712	Connected to Elasticsearch version 6.5.2
2019-01-14T13:26:08.511+0700	INFO	template/load.go:129	Template already exists and will not be overwritten.

Where could I go wrong?

chaire · January 14, 2019, 9:29am

I checked my filebeat.yml again and found mistakes there and fixed it and now it's working fine. Thank you so much.

system · February 11, 2019, 9:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch index not created after adding logstash (works fine with filebeat -> es) Logstash	14	2437	July 20, 2020
Unable to index a file in elasticsearch Elasticsearch	6	1102	November 5, 2017
Couldn't find any Elasticsearch data after deleting indexes Logstash	1	372	April 11, 2019
ELK - 8.6 (Filebeat to logstash) - only write ops with an op_type of create are allowed in data streams Logstash	13	2076	April 26, 2023
Basic understating regarding index creation Logstash	10	2673	August 13, 2021

No indexes created in Elasticsearch

Related Topics