No results found for any of the Filebeat modules in Kibana Dashboard

Hello all,
I am using Kibana-elasticsearch-filebeat 6.0.0. After the installation and configuration I managed to enter Kibana and I can perfectly see all the desired logs in the "Discover" tab. But for some reason I can't see anything in the "Dashboard", regardless of which Filebeat module I pick (tried System as that's the one I enabled).

Kindly assist me as fast as you can.

Thanks
Yan

Could you paste a sample System event from the "Discover" tab? Check the instructions on how to get the JSON from an event.

Also, make sure that the time picker in the top-right corner is selecting a range that has filebeat System events in it.

I'm on version 6.0.1, but I've got something similar as well. The fileset.module for both apache2 and nginx (along with the access fileset.name) works just fine.

The system fileset module, along with the syslog and auth fileset.name fields, is not being shown. This is despite having C&P'ed the example logstash filter from the logstash documentation (the example filter for apache2 worked just fine).

I've configured the paths in the system.yml within the modules.d directory and the apache2.yml paths. Apache2? fileset names and modules no problem. System along with syslog and auth? not there. The logs are there, just not the sorting.

Edit: I believe - at least for my problem - the issue is with logstash. If I configure the modules and have filebeat output go to elasticsearch directly rather than logstash, the system fileset.module and fileset.name DO appear.

Edit-2: Filebeat modules work via output to elasticsearch when filebeat is running on the same server that's hosting elasticsearch. Filebeat modules do not work when output through logstash to elasticsearch, but the log is recorded in the index. Filebeat modules do not work when connecting to elasticsearch remotely AND are not recorded into the index at all.

Looks like the issue was solved after some basic rsyslog configuration and a restart of the rsyslog service. For some reason I didn't see any note on the site to verify that.

What changes did you make to the rsyslog configuration to get things working?

I uncommented the tcp and udp configuration and restarted the service.
BTW, when working with filebeat the logs are actually saved twice: first in /var/log/syslog and then in elastic. Perhaps it's better to use logstash instead of filebeat here and somehow just forward the logs to elasticsearch without saving?
