Hello,
I was running filebeat on linux and forwarding the logs to logstash
I then deleted the Linux one and installed one on Windows.
I then started the service and it ran fine; then I checked Kibana and it was only displaying the Linux logs, and not properly:
This is my filebeat config:

```yaml
#=========================== Filebeat inputs =============================
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - C:\Windows\System32\winevt\Logs\*

#============================= Filebeat modules ===============================
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

#==================== Elasticsearch template setting ==========================
setup.template.settings:
  index.number_of_shards: 3

#============================== Dashboards =====================================
setup.dashboards.enabled: true

#============================== Kibana =====================================
setup.kibana:
  host: "ip:5601"

#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["ip:5044"]
```
Any clues as to why it's not logging the logs I set it to log and is instead still showing the Linux ones?
Note: I already deleted all filebeat logs with the following command:

```
PowerShell.exe Invoke-RestMethod -Method Delete http://10.130.233.242:9200/filebeat-*
```
Therefore, I have no idea why it is still showing.
edit1: something really weird is happening. I can run filebeat fine from PowerShell, but when I go to services.msc it says it's not running, and if I try to start it from there it says: "Windows could not start the filebeat service on Local Computer."
edit2: fixed the issue by running these commands in Dev Tools:

```
PUT _settings
{
  "index": {
    "blocks": {
      "read_only_allow_delete": "false"
    }
  }
}

PUT filebeat-6.3.1-2018.07.18/_settings
{
  "index": {
    "blocks": {
      "read_only_allow_delete": "false"
    }
  }
}

PUT filebeat-*/_settings
{
  "index": {
    "blocks": {
      "read_only_allow_delete": "false"
    }
  }
}
```
The only issue is that Filebeat is not displaying anything in Kibana Discover; it's almost like it's not selecting anything:
and I've set the time range to year to date, so it should be displaying something. If I go to Management and select filebeat-* it doesn't even select filebeat:
Then if I try to index anything on filebeat, for example today's logs, it gives me this:
and the same goes for Logstash. Winlogbeat works fine though.
edit3: This is what it says when I try to open Filebeat in Discover:
```
Error: blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];: [cluster_block_exception] blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];
    at http://ip:5601/bundles/commons.bundle.js:3:428829
    at processQueue (http://10.130.233.242:5601/bundles/vendors.bundle.js:133:134252)
    at http://ip:5601/bundles/vendors.bundle.js:133:135201
    at Scope.$digest (http://ip:5601/bundles/vendors.bundle.js:133:146077)
    at Scope.$apply (http://ip:5601/bundles/vendors.bundle.js:133:148856)
    at done (http://ip:5601/bundles/vendors.bundle.js:133:101124)
    at completeRequest (http://ip:5601/bundles/vendors.bundle.js:133:106024)
    at XMLHttpRequest.xhr.onload (http://ip:5601/bundles/vendors.bundle.js:133:106783)
```
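The `FORBIDDEN/12/index read-only / allow delete (api)` block in the post is the `index.blocks.read_only_allow_delete` setting, which Elasticsearch applies itself once a data node crosses the disk flood-stage watermark, so it can reappear after being cleared by hand. The following script is an added example (not from the original post or from Elastic) that finds every index carrying the block in a `GET _all/_settings` response and builds the `PUT .../_settings` request that removes it; the sample response and the `http://es:9200` base URL are constructed placeholders, and setting the value to `null` (rather than the post's `"false"`) drops the setting entirely.

```python
import json
from typing import List, Tuple
from urllib.request import Request, urlopen

# Constructed sample of a GET _all/_settings response (not from the post):
# one filebeat index still carries the read_only_allow_delete block.
SAMPLE_SETTINGS = json.dumps({
    "filebeat-6.3.1-2018.07.18": {"settings": {"index": {
        "blocks": {"read_only_allow_delete": "true"},
        "number_of_shards": "3"}}},
    "winlogbeat-6.3.1-2018.07.18": {"settings": {"index": {
        "number_of_shards": "3"}}},
    ".kibana": {"settings": {"index": {
        "blocks": {"read_only_allow_delete": "false"}}}},
})

# null removes the setting instead of pinning it to "false".
UNBLOCK_BODY = {"index": {"blocks": {"read_only_allow_delete": None}}}


def blocked_indices(settings_json: str) -> List[str]:
    """Return names of indices whose settings carry the
    index.blocks.read_only_allow_delete block (the FORBIDDEN/12 cause)."""
    blocked = []
    for name, body in json.loads(settings_json).items():
        blocks = body.get("settings", {}).get("index", {}).get("blocks", {})
        if str(blocks.get("read_only_allow_delete", "false")).lower() == "true":
            blocked.append(name)
    return sorted(blocked)


def unblock_request(indices: List[str], base_url: str) -> Tuple[str, str, str]:
    """Build (method, url, body) for the PUT <indices>/_settings call that
    clears the block on exactly the affected indices."""
    target = ",".join(indices)
    url = f"{base_url.rstrip('/')}/{target}/_settings"
    return "PUT", url, json.dumps(UNBLOCK_BODY)


def clear_blocks(base_url: str) -> List[str]:
    """Hypothetical helper: fetch live settings from the cluster at base_url,
    clear the block where present, and return the indices that were blocked.
    Needs network access; the parsing above is what runs offline."""
    with urlopen(f"{base_url.rstrip('/')}/_all/_settings") as resp:
        blocked = blocked_indices(resp.read().decode())
    if blocked:
        method, url, body = unblock_request(blocked, base_url)
        req = Request(url, data=body.encode(), method=method,
                      headers={"Content-Type": "application/json"})
        urlopen(req).read()
    return blocked
```

Freeing disk space on the node (or raising the watermark) is what keeps the block from coming back; clearing the setting alone only removes the symptom.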