Not able to see filebeat-* index pattern in kibana

Parthgandhi · April 6, 2018, 10:22am

Hi,
I did a fresh installation of ELK stack on a single server and installed filebeat on the same server to view and analyze the syslog.

http://robwillis.info/2017/04/elk-5-on-ubuntu-pt-2-installing-and-configuring-elasticsearch-logstash-kibana-nginx/

However i am unable to see any index pattern. I am using 6.x in place of 5.x.

Thanks.

atira · April 6, 2018, 10:37am

I would recommend posting your configurations, filebeat, logstash, elasticsearch.

Parthgandhi · April 6, 2018, 11:18am

HI, PFB the configs for all the components.

Kibana.yml : https://pastebin.com/KBWEhCbJ
elasticsearch.yml : https://pastebin.com/tKXaqqCw
filebeat.yml : https://pastebin.com/LiXMhA96
logstash - input, filter and output conf: https://pastebin.com/21JzaaYW

Parthgandhi · April 6, 2018, 2:40pm

Ok, so i installed winlogbeat and filebeat on different machine and was able to create the index. Will try to check further what was issue on the ELK server where i installed filebeat initially to get syslog.

atira · April 6, 2018, 3:08pm

Your filebeat configuration seems to be off.
You're sending the output to Elasticsearch, not to Logstash.

output.elasticsearch:
# Array of hosts to connect to.
hosts: ["localhost:9200"]

#output.logstash:
# The Logstash hosts
# hosts: ["localhost:5044"]

If you want to send it to Logstash, comment out the Elasticsearch part and uncomment the Logstash part.

Also, you turned the prospector off:

filebeat.prospectors:
...
enabled: false

Which means afaik that it actually won't run. Set it to true.

Parthgandhi · April 18, 2018, 2:20pm

I had to scrap my previous setup and create a new ELK setup. I have installed ELK on one linux machine and filebeat on Windows machine which has my IIS logs. I created a logstash pipeline for filtering IIS logs. I am unable to get my filebeat index. I installed winlodbeat on the same machine and i am able to create index for that.

Below are my configs file:
Logstash : https://pastebin.com/Yw413rUr
Filebeat: https://pastebin.com/7R1ikfQ2

atira · April 18, 2018, 3:01pm

Is this true? Is your logstash host's name really logstashIP?

hosts: ["logstashIP:5044"]

What do the logs say?

Parthgandhi · April 19, 2018, 7:51am

@atira IT is hosted on AWS with public IP hence used logstashIP as just placeholder. I installed filebeat on 3 machines last night and strangely i am able to see the filebeat index for one machine and not others.

atira · April 19, 2018, 10:02am

There might be some network issue in AWS.
What does the Filebeat and Logstash log say?
Unfortunately I not familiar with AWS.

system · May 17, 2018, 10:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.