i have 3 beats winlogbeat (server os windows), filebeat and auditbeat (server os linux). when i pointing winlogbeat to logstash there's no problem to receive log.
but when i pointing filebeat and auditbeat to logstash, why no logs are received, but when I point directly to the elasticsearch server the logs are accepted properly?
what's wrong with my configuration?
Can we see your configuration (beats and logstash)?
Did you setup the indices first? See Load the Elasticsearch index template | Auditbeat Reference [8.11] | Elastic
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: log
# Change to true to enable this input configuration.
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
#- /var/log/*.log
#- /var/log/messages*
#- /var/adm/syslog.log
- /var/log/auth.log
- /var/log/syslog
#- c:\programdata\elasticsearch\logs\*
here's for the output
# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
# Array of hosts to connect to.
#hosts: ["10.194.11.67:9200"]
# Protocol - either `http` (default) or `https`.
#protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
#username: "elastic"
#password: "changeme"
# ------------------------------ Logstash Output -------------------------------
output.logstash:
# The Logstash hosts
hosts: ["10.194.11.69:5044"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/filebeat/logstash-forwarder.crt"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
in logstash i make this 3 file
Your Filebeat config looks fine. What does filebeat test output show?
And when running Filebeat what's in the FIlebeat log?
From the filebeat host what happens when you run
telnet 10.194.11.69 5044
"no route to host"
Well then you have a network connectivity issue between the filebeat host and the Logstash host that needs to be solved. FW, subnet, routing etc. something
It's not a Filebeat issue.
aaah i see, but when i pointing to server elasticsearch there's no problem, whereas one ip segment with logstash server
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
