Not getting data into Elasticsearch

markov · June 27, 2019, 1:37pm

Hi all,

i'm sending logs using filebeat but i don't receive anything in kibana
x-pack is enabled

I created a logstash writer role

> POST _xpack/security/role/logstash_writer
> {
> "cluster": ["manage_index_templates", "monitor"],
> "indices": [
> {
> "names": [ "filebeat-*" ],
> "privileges": ["write","delete","create_index"]
> }
> ]
> }

Then a logstash internal user:

> POST _xpack/security/user/logstash_internal
> {
> "password" : "changeme",
> "roles" : [ "logstash_writer"],
> "full_name" : "Internal Logstash User"
> }

I then run the following command

> systemctl status -l logstash`

> Jun 27 15:29:10 sd-131865 logstash[23755]: [2019-06-27T15:29:10,956][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"action [indices:admin/create] is unauthorized for user [logstash_internal]"})
> Jun 27 15:29:10 sd-131865 logstash[23755]: [2019-06-27T15:29:10,958][INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>125}

what am i doing wrong!

markov · June 27, 2019, 2:02pm

This is my .conf files
02-beats-input.conf

input {
  beats {
    port => 5044
 }
}

10-syslog-filter.conf

filter {
     if [source] =~ "gid" {
        grok {
            match => {"message" => "%{TIMESTAMP_ISO8601:timestamp}\|(\[%{BASE10NUM:nbr}\])\|%{IPORHOST:ClientIP}\|%{USERNAME:User};%{DATA:Node}\|%{URIPATH:Url}\|%{NOTS$
        }
     }else if [source] =~ "server" {

        grok {
            match =>{ "message" => [

                "(?m)%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:Loglevel} \[(?<Classname>[^\]]+)\] %{GREEDYDATA:Message}",
                "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:Loglevel}  \[(?<Classname>[^\]]+)\] %{WORD:n} \| %{NUMBER:number} \| %{WORD:b} \| %{DATA:Url} \| %{GREEDYDAT$
                "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:Loglevel}  \[(?<Classname>[^\]]+)\] %{GREEDYDATA:Message}"] }
        }
      }
  date {match => [ "timestamp" , "MMM dd yyyy HH:mm:ss","MMM d yyyy HH:mm:ss", "ISO8601" ]
      target => "@timestamp"}

  mutate {
        remove_field => [ "[beat][name]", "[beat][version]", "[beat][hostname]", "[host][architecture]", "[host][containerized]", "[host][id]", "[host][name]", "[host]$
  }
}

30-elasticsearch-output.conf

output {
  elasticsearch {
    hosts => ["myIpAdress:9200"]
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    user => "logstash_internal"
    password => "admin10@"
    document_type => "%{[@metadata][type]}"
  }
}

dadoonet · June 27, 2019, 4:24pm

You should try to add a stdout output to see if anything is produced.

Some thoughts: why using logstash in that case? Elasticsearch ingest feature should be ok to do the filter part you want.
So connect filebeat to elasticsearch directly and define the pipeline to use.

markov · June 28, 2019, 10:28am

stdout added, but receiving the operating system logs in elastic

markov · June 28, 2019, 10:58am

bad, i have my own log files to send with the path defined in filebeat

dadoonet · June 28, 2019, 10:58am

What is a typical document you can see on stdout?

markov · June 28, 2019, 11:02am

sorry this is the first time using the stdout; how can i see those documents

dadoonet · June 28, 2019, 11:15am

In the console.

system · July 26, 2019, 11:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
No data moving into elasticsearch Beats filebeat	22	6589	May 16, 2018
Logs are not updating in elastic search just after installing Xpack Elasticsearch	8	1654	April 5, 2018
Filebeat/Logstash doesn't send system.auth.. field data to Elastic Search - v 7.14 Beats beats-module , filebeat	3	406	September 15, 2021
No output to Elasticsearch Logstash	2	1706	July 6, 2017
Kibana not seeing filebeat index Kibana	3	1409	September 7, 2017

Not getting data into Elasticsearch

Related topics