Problem with filebeat (installed in different servers)

kimfut · July 25, 2018, 11:11am

hello everyone ,

i have a problem with filebeat i think , i will explain :

i have server A and B and C , all run filebeat with the same configuration , the server A run logstash and elasticseach , so when i added file in Server B it's okay i can see log in elasticseach (via kibana) which runing on A

but when i added files in server A (which run ELK ) or server C , nothing happen .

i dont know why , i am not sure if this message log of logstash that i got can explain something :

logstash_1 | [2018-07-25T11:10:33,455][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-cluster2", :_type=>"doc", :_routing=>nil}, #LogStash::Event:0x16221c45], :response=>{"index"=>{"_index"=>"logstash-cluster2", "_type"=>"doc", "_id"=>"c_Ii0WQBpZGgqA6VJVnt", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [host]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:37"}}}}}

shaunak · July 25, 2018, 12:16pm

As a test, could you try this:

stop Filebeat in server B and C (but keep Filebeat, Elasticsearch, Logstash, and Kibana still running on server A)
add the same log file that got indexed correctly earlier from server B to server A.

Do you still get the same error?

kimfut · July 25, 2018, 2:42pm

thank you for your reply , i tried it but doen't work , know i think it's a logstash problem , because when i added : stdout { codec => rubydebug } in logstash config , i can show logs come from every filebeat on each server , so i have to move to logstash forum

system · August 22, 2018, 2:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.