Docker container for REK stack
pschiffe/rsyslog-elasticsearch-kibana
Log forwarding configuration on IPA server
So basically I have a configuration containing 2 servers, IPA and REK, and I can see all the data on Kibana, so Rsyslog is properly sending data to REK's Rsyslog, which transfers it to Elasticsearch for the parsing.
The problem is that pschiffe/rsyslog-elasticsearch-kibana comes with some dashboards to simplify the visualization of all these data https://www.youtube.com/watch?v=7YjA6z5nE0I which is not working.
Hi,
What do you mean by "is not working"? Are the dashboards there but not showing any data? Or are the dashboards not there?
If the dashboards are there but not showing any data, can you check your time range in the upper-right corner of Kibana and try setting it to something very large, like Last 2 years just to see if it shows data in that case.
If you don't have the dashboards at all, how were they loaded? I'm not familiar with this freeipa set of docker containers.
Hi,
The problem is that the docker pschiffe/rsyslog-elasticsearch-kibana comes with a REK stack pre-configured to stash data from the IPA server on port UDP 512 and show these data in a dashboard in Kibana https://www.youtube.com/watch?v=7YjA6z5nE0I, but those dashboards show no result despite a lot of data being pumped into Kibana.
Your initial comment says "4.1.1****Centos 7.3:" Are you saying the Kibana version is 4.1.1? If so, this is rather old now. I don't know if this REK stack is being maintained if it's still using that version.
But to diagnose your issue, we could start by checking the data in Elasticsearch. You can get a list of all the indexes and counts of data with something like this in a browser:
http://localhost:9200/_cat/indices
Or in a shell with curl like this (in this case I'm adding my username and password in the url as elastic:changeme):
$ curl -s http://elastic:changeme@localhost:9200/_cat/indices
yellow open .watcher-history-2-2017.01.05 tHZf-G-vQ46yvw-xrYCB4Q 1 1 9414 0 1.8mb 1.8mb
yellow open .kibana vN8djBWvS4WJqoJzdGREhw 1 1 211 118 430.6kb 430.6kb
yellow open packetbeat-2017.01.05 _J272AaiTjaI1shlgjs_Zw 5 1 126130 0 27.3mb 27.3mb
yellow open filebeat-2017.01.05 H42kAA15REiLPxGGUo-x7Q 5 1 12022 0 2.6mb 2.6mb
yellow open .monitoring-data-2 khkXoqYaTdWnRcRVV3KyLA 1 1 3 0 7kb 7kb
yellow open metricbeat-2017.01.05 IAVdj_G8RXy_DdOPc-Brcw 5 1 645056 0 168mb 168mb
yellow open .watches WKx6QTivRlCo6q21RDXOQg 1 1 1 0 2.9kb 2.9kb
yellow open .monitoring-kibana-2-2017.01.05 ZpY09ktBSce4dLB30qUQ5Q 1 1 4750 0 1mb 1mb
yellow open .reporting-2017.01.01 kHWd08tvQq2QotvEkfrMEQ 5 1 3 0 1000.1kb 1000.1kb
green open .security EuUPaL0mQLWSlEevALOvVg 1 0 5 0 21.9kb 21.9kb
yellow open .monitoring-es-2-2017.01.05 zSLCzP-IQMSNqzb26cR8-Q 1 1 90244 390 46.9mb 46.9mb
yellow open logstash-2017.01.05 TsbV7FBnR5-O35M3J1pk-A 5 1 1683 0 555.2kb 555.2kb
yellow open .triggered_watches WTlyX8vXTy6axdoxEfFmtA 1 1 0 0 295.9kb 295.9kb
You might have to use the hostname or IP address instead of localhost.
In my data above you see for example that packetbeat-2017.01.05 has 126130 documents loaded.
Can you confirm you see your expected index with documents in it?
Then in Kibana, go to Settings (now called Management in 5.x release), then you should see at least one index pattern defined (near top-left, should have a star next to it).
Click on that and it should show a set of fields.
Maybe you have more than one index pattern?
Then go to Discover. It should load data from your index pattern automatically. Do you see data there? If you have more than one index pattern you might have to select the correct one.
If you don't see data here in Discover, don't bother going to Dashboard. Please let me know how it goes up to this point.
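The first step of the answer above (list the indexes, confirm the expected one exists and holds documents) can be scripted so it is repeatable. The following is an added example, not code from the thread or from the pschiffe/rsyslog-elasticsearch-kibana project: it parses the whitespace-separated text that `_cat/indices` returns and reports whether an index matching a given name prefix exists, is open, and has a non-zero document count. The sample rows are copied from the reply above as constructed test data; the `logstash-` prefix and the optional URL/credentials are assumptions you replace with whatever your REK stack actually writes to (the thread does not name that index).

```python
"""Parse `_cat/indices` output and check that the expected index has documents.

Added example, not from the thread or the REK stack project. Answers the
question from the reply above: does the index you expect exist, is it open,
and does it hold documents?
"""
import base64
import sys
import urllib.request

# Default _cat/indices columns (no ?h= given). Elasticsearch 5.x and later
# print a uuid column; older releases (the era matching Kibana 4.1.1) do not.
COLUMNS_WITH_UUID = ("health", "status", "index", "uuid", "pri", "rep",
                     "docs.count", "docs.deleted", "store.size", "pri.store.size")
COLUMNS_NO_UUID = tuple(c for c in COLUMNS_WITH_UUID if c != "uuid")

# Constructed sample: a subset of the curl output shown earlier in the thread.
SAMPLE = """\
yellow open .watcher-history-2-2017.01.05 tHZf-G-vQ46yvw-xrYCB4Q 1 1 9414 0 1.8mb 1.8mb
yellow open .kibana vN8djBWvS4WJqoJzdGREhw 1 1 211 118 430.6kb 430.6kb
yellow open packetbeat-2017.01.05 _J272AaiTjaI1shlgjs_Zw 5 1 126130 0 27.3mb 27.3mb
yellow open logstash-2017.01.05 TsbV7FBnR5-O35M3J1pk-A 5 1 1683 0 555.2kb 555.2kb
yellow open .triggered_watches WTlyX8vXTy6axdoxEfFmtA 1 1 0 0 295.9kb 295.9kb
"""


def parse_cat_indices(text):
    """Turn the _cat/indices table into a list of dicts with integer counts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(COLUMNS_WITH_UUID):
            columns = COLUMNS_WITH_UUID
        elif len(parts) == len(COLUMNS_NO_UUID):
            columns = COLUMNS_NO_UUID
        else:
            continue  # blank line or an unexpected layout
        row = dict(zip(columns, parts))
        row.setdefault("uuid", None)
        try:
            row["docs.count"] = int(row["docs.count"])
            row["docs.deleted"] = int(row["docs.deleted"])
        except ValueError:
            continue  # the header line printed by ?v, not a data row
        rows.append(row)
    return rows


def check_index(rows, prefix):
    """Return (total_docs, problems) for indices whose name starts with prefix."""
    matching = [r for r in rows if r["index"].startswith(prefix)]
    problems = []
    if not matching:
        problems.append("no index matching prefix %r" % prefix)
    for r in matching:
        if r["status"] != "open":
            problems.append("%s is %s, not open" % (r["index"], r["status"]))
        if r["health"] == "red":
            problems.append("%s is red (unassigned primary shards)" % r["index"])
        if r["docs.count"] == 0:
            problems.append("%s exists but holds 0 documents" % r["index"])
    total = sum(r["docs.count"] for r in matching)
    return total, problems


def fetch_cat_indices(url, user=None, password=None, timeout=5):
    """GET the _cat/indices text. Credentials go in a header rather than the
    URL so they stay out of shell history and proxy logs."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # usage: python check_indices.py [http://HOST:9200/_cat/indices [PREFIX]]
    # Without a URL it runs against SAMPLE, so the script also works offline.
    url = sys.argv[1] if len(sys.argv) > 1 else None
    prefix = sys.argv[2] if len(sys.argv) > 2 else "logstash-"
    text = fetch_cat_indices(url) if url else SAMPLE
    total, problems = check_index(parse_cat_indices(text), prefix)
    print("documents in %s*: %d" % (prefix, total))
    for p in problems:
        print("problem:", p)
    sys.exit(1 if problems else 0)
```

Run it with the URL of your Elasticsearch node (using the hostname or IP if localhost does not resolve from where you run it) and the prefix your rsyslog output writes to; an exit status of 1 with a "0 documents" or "no index matching" line tells you the problem is upstream of Kibana, which is the point of the first step above. The parser accepts both the 10-column layout shown in the reply and the older 9-column layout without the uuid column.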