OFFLINE Labs - Issue on loading filebeat data for log-servers

Elastic Community and Ecosystem Elastic Training
1

Dear Team,
I started to setup m offline LABS for the EE 1 and all went well, but for some reason, I am not able to import the log files collected in the ZIP file.

Here what I did:

  1. Followed the step by steps: Running labs on your local machine

  2. when I executed step 8 Run Filebeat to ingest the log files, the process started but nothing happens, the process runs in the background but after hours of running nothing is imported.

  3. I stop and restarted the process adding the -e -d "*" parameters to monitoring the situation.

  4. With the debug mode looks like is not able to process the data.

    2021-02-01T17:10:53.000+0100 DEBUG [input] input/input.go:141 Run input
    2021-02-01T17:10:53.000+0100 DEBUG [input] log/input.go:191 Start next scan
    2021-02-01T17:10:53.001+0100 DEBUG [input] log/input.go:212 input states cleaned up. Before: 0, After: 0, Pending: 0
    2021-02-01T17:11:03.005+0100 DEBUG [input] input/input.go:141 Run input
    2021-02-01T17:11:03.005+0100 DEBUG [input] log/input.go:191 Start next scan
    2021-02-01T17:11:03.005+0100 DEBUG [input] log/input.go:212 input states cleaned up. Before: 0, After: 0, Pending: 0
    2021-02-01T17:11:13.008+0100 DEBUG [input] input/input.go:141 Run input
    2021-02-01T17:11:13.008+0100 DEBUG [input] log/input.go:191 Start next scan
    2021-02-01T17:11:13.009+0100 DEBUG [input] log/input.go:212 input states cleaned up. Before: 0, After: 0, Pending: 0
    2021-02-01T17:11:22.994+0100 INFO [monitoring] log/log.go:145 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":21,"time":{"ms":3}},"total":{"ticks":75,"time":{"ms":14},"value":75},"user":{"ticks":54,"time":{"ms":11}}},"info":{"ephemeral_id":"ea141833-7e2d-4c22-b0b0-a4bcd22f40a4","uptime":{"ms":60032}},"memstats":{"gc_next":11149104,"memory_alloc":6111504,"memory_total":19918616,"rss":253952},"runtime":{"goroutines":20}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":1.4795,"15":1.686,"5":1.7266,"norm":{"1":0.0925,"15":0.1054,"5":0.1079}}}}}}
    2021-02-01T17:11:23.012+0100 DEBUG [input] input/input.go:141 Run input
    2021-02-01T17:11:23.012+0100 DEBUG [input] log/input.go:191 Start next scan
    2021-02-01T17:11:23.012+0100 DEBUG [input] log/input.go:212 input states cleaned up. Before: 0, After: 0, Pending: 0
    2021-02-01T17:11:33.016+0100 DEBUG [input] input/input.go:141 Run input
    2021-02-01T17:11:33.016+0100 DEBUG [input] log/input.go:191 Start next scan
    2021-02-01T17:11:33.017+0100 DEBUG [input] log/input.go:212 input states cleaned up. Before: 0, After: 0, Pending: 0
    2021-02-01T17:11:43.018+0100 DEBUG [input] input/input.go:141 Run input
    2021-02-01T17:11:43.018+0100 DEBUG [input] log/input.go:191 Start next scan
    2021-02-01T17:11:43.019+0100 DEBUG [input] log/input.go:212 input states cleaned up. Before: 0, After: 0, Pending: 0
    2021-02-01T17:11:52.992+0100 INFO [monitoring] log/log.go:145 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":24,"time":{"ms":4}},"total":{"ticks":81,"time":{"ms":7},"value":81},"user":{"ticks":57,"time":{"ms":3}}},"info":{"ephemeral_id":"ea141833-7e2d-4c22-b0b0-a4bcd22f40a4","uptime":{"ms":90030}},"memstats":{"gc_next":11149104,"memory_alloc":6701432,"memory_total":20508544,"rss":12288},"runtime":{"goroutines":20}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":1.5259,"15":1.6831,"5":1.7188,"norm":{"1":0.0954,"15":0.1052,"5":0.1074}}}}}}
    2021-02-01T17:11:53.019+0100 DEBUG [input] input/input.go:141 Run input
    2021-02-01T17:11:53.019+0100 DEBUG [input] log/input.go:191 Start next scan
    2021-02-01T17:11:53.019+0100 DEBUG [input] log/input.go:212 input states cleaned up. Before: 0, After: 0, Pending: 0
    2021-02-01T17:12:03.024+0100 DEBUG [input] input/input.go:141 Run input
    2021-02-01T17:12:03.024+0100 DEBUG [input] log/input.go:191 Start next scan
    2021-02-01T17:12:03.024+0100 DEBUG [input] log/input.go:212 input states cleaned up. Before: 0, After: 0, Pending: 0
    2021-02-01T17:12:13.025+0100 DEBUG [input] input/input.go:141 Run input
    2021-02-01T17:12:13.025+0100 DEBUG [input] log/input.go:191 Start next scan
    2021-02-01T17:12:13.026+0100 DEBUG [input] log/input.go:212 input states cleaned up. Before: 0, After: 0, Pending: 0

Thank you in advance for your time and support.
Regards,
Francois

2

Hello Francois,

Did you correctly set up the path in the configuration file?

Open the file datasets/filebeat.yml and make sure that the path is correctly set to the directory that contains the zip file you extracted.

For example, my local config looks like this:

 filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /Users/romain/local_lab/datasets/elastic_blog_curated_access_logs_server*/*.log

Let us know if you need further assistance.

Best regards,

Romain

3

Hi Romain,
thank you for your feedback.
Yes the path in the file datasets/filebeat.yml it looks correct setup, I tried an even different approach, with the full path and with the relative path like below.

Ex1:
filebeat.inputs:

  • type: log
    enabled: true
    paths:
    • ./datasets/elastic_blog_curated_access_logs_server*/*.log

ex2:
filebeat.inputs:

  • type: log
    enabled: true
    paths:
    • /Users/francoisprotopapa/Applications/elasticsearch-7-8-0/datasets/elastic_blog_curated_access_logs_server*/*.log

I even tried to simplifier it but without success.

Could it be some permission issue? I even run with root, sudo permission.

Thank you for your help.
Regards,
Francois

4

The configuration looks good.

Did you extract the log at the right place ? Run /Users/francoisprotopapa/Applications/elasticsearch-7-8-0/datasets

Also, could you send the full logs from filebeat?

Romain

5

Hi Roman,
yes, the file is unzipped in the folder where the filebeat.yml is pointing ...
I will send you the log via slack :slightly_smiling_face:
Francois

6

UPDATE: Issue fixed by changing the access permission to ALL subfolders in the unzipped main folder. Now the process is running :slight_smile:
thank you for your support :slight_smile:
Regards,
Francois

7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.