Setting up Integrations: Fortinet

Here are the logs:

{"log.level":"info","@timestamp":"2024-05-21T16:02:49.044+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"tcp-default","type":"tcp"},"log":{"source":"tcp-default"},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"filebeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":725983232}}}},"cpu":{"system":{"ticks":56690},"total":{"ticks":182780,"value":182780},"user":{"ticks":126090}},"handles":{"limit":{"hard":524288,"soft":524288},"open":16},"info":{"ephemeral_id":"b9a25aba-05dd-4762-907d-3a61278e8ef0","uptime":{"ms":532650062},"version":"8.13.4"},"memstats":{"gc_next":37889968,"memory_alloc":20476568,"memory_total":18041530248,"rss":123686912},"runtime":{"goroutines":47}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":1}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":0,"max":0,"mean":0,"median":0,"min":0,"p75":0,"p95":0,"p99":0,"p999":0,"stddev":0}}}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":3.67,"15":3.77,"5":3.8,"norm":{"1":0.9175,"15":0.9425,"5":0.95}}}}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:02:49.437+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"udp-default","type":"udp"},"log":{"source":"udp-default"},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"filebeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":725987328}}}},"cpu":{"system":{"ticks":36710},"total":{"ticks":175700,"time":{"ms":10},"value":175700},"user":{"ticks":138990,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":16},"info":{"ephemeral_id":"6498ffb7-14a8-4d63-9a41-2452de528995","uptime":{"ms":532650056},"version":"8.13.4"},"memstats":{"gc_next":38041816,"memory_alloc":22587704,"memory_total":17771656016,"rss":119496704},"runtime":{"goroutines":47}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":1}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":0,"max":0,"mean":0,"median":0,"min":0,"p75":0,"p95":0,"p99":0,"p999":0,"stddev":0}}}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":3.67,"15":3.77,"5":3.8,"norm":{"1":0.9175,"15":0.9425,"5":0.95}}}}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:02:49.727+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"filebeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":725958656}}}},"cpu":{"system":{"ticks":55140,"time":{"ms":10}},"total":{"ticks":413770,"time":{"ms":20},"value":413770},"user":{"ticks":358630,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":12},"info":{"ephemeral_id":"a06cf314-385d-44cb-a102-7a589b0096b6","uptime":{"ms":532650047},"version":"8.13.4"},"memstats":{"gc_next":44418920,"memory_alloc":24658464,"memory_total":32670096832,"rss":128733184},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":3,"added":21,"done":21},"harvester":{"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":1}},"output":{"events":{"acked":10,"active":0,"batches":2,"total":10},"read":{"bytes":560,"errors":2},"write":{"bytes":5372,"latency":{"histogram":{"count":34051,"max":160,"mean":26.96484375,"median":22,"min":19,"p75":33,"p95":39,"p99":81.75,"p999":159.0000000000009,"stddev":11.48618116643151}}}},"pipeline":{"clients":1,"events":{"active":3,"filtered":11,"published":10,"total":21},"queue":{"acked":10}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":3.67,"15":3.77,"5":3.8,"norm":{"1":0.9175,"15":0.9425,"5":0.95}}}}},"log.logger":"monitoring","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:02:49.954+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":179,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:02:49.954+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":199,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:02:50.089+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":725970944}}}},"cpu":{"system":{"ticks":16890},"total":{"ticks":212120,"time":{"ms":20},"value":212120},"user":{"ticks":195230,"time":{"ms":20}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":17},"info":{"ephemeral_id":"c342f931-c9b1-4741-9da3-d56180e33b09","uptime":{"ms":532650060},"version":"8.13.4"},"memstats":{"gc_next":51672056,"memory_alloc":27553360,"memory_total":10387718560,"rss":140632064},"runtime":{"goroutines":77}},"libbeat":{"config":{"module":{"running":4}},"output":{"events":{"acked":2,"active":0,"batches":1,"total":2},"read":{"bytes":202,"errors":1},"write":{"bytes":2138,"latency":{"histogram":{"count":8877,"max":165,"mean":27.6826171875,"median":30,"min":19,"p75":31,"p95":38,"p99":59,"p999":164.20000000000073,"stddev":10.339257454615858}}}},"pipeline":{"clients":8,"events":{"active":0,"published":2,"total":2},"queue":{"acked":2}}},"metricbeat":{"beat":{"state":{"events":1,"success":1},"stats":{"events":1,"success":1}}},"system":{"load":{"1":3.67,"15":3.77,"5":3.8,"norm":{"1":0.9175,"15":0.9425,"5":0.95}}}}},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:02:50.224+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":726233088}}}},"cpu":{"system":{"ticks":44040},"total":{"ticks":212710,"time":{"ms":10},"value":212710},"user":{"ticks":168670,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":17},"info":{"ephemeral_id":"3a9d1573-1beb-4a46-9878-61d3437ba5ce","uptime":{"ms":532650053},"version":"8.13.4"},"memstats":{"gc_next":52691368,"memory_alloc":29081400,"memory_total":13096319048,"rss":138698752},"runtime":{"goroutines":77}},"libbeat":{"config":{"module":{"running":8}},"output":{"events":{"acked":7,"active":0,"batches":1,"total":7},"read":{"bytes":332,"errors":1},"write":{"bytes":2722,"latency":{"histogram":{"count":8878,"max":314,"mean":32.783203125,"median":37,"min":20,"p75":39,"p95":44,"p99":68,"p999":311.4750000000023,"stddev":15.805453935746048}}}},"pipeline":{"clients":8,"events":{"active":0,"published":7,"total":7},"queue":{"acked":7}}},"metricbeat":{"http":{"json":{"events":7,"success":7}}},"system":{"load":{"1":3.67,"15":3.77,"5":3.8,"norm":{"1":0.9175,"15":0.9425,"5":0.95}}}}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:02:59.277+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.logger":"tls","log.origin":{"file.line":179,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:02:59.277+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.logger":"tls","log.origin":{"file.line":199,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:01.867+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.origin":{"file.line":179,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:01.868+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":199,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:11.873+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":179,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:11.873+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":199,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:15.280+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":179,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:15.280+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":199,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:18.685+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"log-default","type":"log"},"log":{"source":"log-default"},"service.name":"filebeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":725962752}}}},"cpu":{"system":{"ticks":45480},"total":{"ticks":198930,"time":{"ms":10},"value":198930},"user":{"ticks":153450,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":15},"info":{"ephemeral_id":"55bb5708-e04c-4e94-a060-b10799e23263","uptime":{"ms":532680042},"version":"8.13.4"},"memstats":{"gc_next":38035296,"memory_alloc":21067160,"memory_total":18139060352,"rss":125657088},"runtime":{"goroutines":53}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":0,"max":0,"mean":0,"median":0,"min":0,"p75":0,"p95":0,"p99":0,"p999":0,"stddev":0}}}},"pipeline":{"clients":2,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":3.95,"15":3.79,"5":3.85,"norm":{"1":0.9875,"15":0.9475,"5":0.9625}}}}},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:18.887+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":725962752}}}},"cpu":{"system":{"ticks":1345960,"time":{"ms":70}},"total":{"ticks":3064130,"time":{"ms":160},"value":3064130},"user":{"ticks":1718170,"time":{"ms":90}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":15},"info":{"ephemeral_id":"75c9d612-dc1c-426f-8ee8-d30bbea5cf42","uptime":{"ms":532680062},"version":"8.13.4"},"memstats":{"gc_next":54876416,"memory_alloc":50032432,"memory_total":341241096016,"rss":162283520},"runtime":{"goroutines":76}},"libbeat":{"config":{"module":{"running":11}},"output":{"events":{"acked":74,"active":0,"batches":3,"total":74},"read":{"bytes":2377,"errors":3},"write":{"bytes":28126,"latency":{"histogram":{"count":48401,"max":369,"mean":48.958984375,"median":48,"min":30,"p75":54,"p95":71,"p99":123.75,"p999":366.9000000000019,"stddev":19.115251736990174}}}},"pipeline":{"clients":11,"events":{"active":8,"published":67,"total":67},"queue":{"acked":74}}},"metricbeat":{"system":{"cpu":{"events":3,"success":3},"diskio":{"events":18,"success":18},"load":{"events":3,"success":3},"memory":{"events":3,"success":3},"network":{"events":9,"success":9},"process":{"events":22,"success":22},"process_summary":{"events":3,"success":3},"socket_summary":{"events":3,"success":3},"uptime":{"events":3,"success":3}}},"system":{"load":{"1":3.95,"15":3.79,"5":3.85,"norm":{"1":0.9875,"15":0.9475,"5":0.9625}}}}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:19.044+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"tcp-default","type":"tcp"},"log":{"source":"tcp-default"},"log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"filebeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":725966848}}}},"cpu":{"system":{"ticks":56690},"total":{"ticks":182790,"time":{"ms":10},"value":182790},"user":{"ticks":126100,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":16},"info":{"ephemeral_id":"b9a25aba-05dd-4762-907d-3a61278e8ef0","uptime":{"ms":532680062},"version":"8.13.4"},"memstats":{"gc_next":37889968,"memory_alloc":20848344,"memory_total":18041902024,"rss":123686912},"runtime":{"goroutines":47}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":1}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":0,"max":0,"mean":0,"median":0,"min":0,"p75":0,"p95":0,"p99":0,"p999":0,"stddev":0}}}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":3.95,"15":3.79,"5":3.85,"norm":{"1":0.9875,"15":0.9475,"5":0.9625}}}}},"log.logger":"monitoring","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:19.437+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"udp-default","type":"udp"},"log":{"source":"udp-default"},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"filebeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":725966848}}}},"cpu":{"system":{"ticks":36710},"total":{"ticks":175700,"value":175700},"user":{"ticks":138990}},"handles":{"limit":{"hard":524288,"soft":524288},"open":16},"info":{"ephemeral_id":"6498ffb7-14a8-4d63-9a41-2452de528995","uptime":{"ms":532680055},"version":"8.13.4"},"memstats":{"gc_next":38041816,"memory_alloc":22838928,"memory_total":17771907240,"rss":119496704},"runtime":{"goroutines":47}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":1}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":0,"max":0,"mean":0,"median":0,"min":0,"p75":0,"p95":0,"p99":0,"p999":0,"stddev":0}}}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":3.95,"15":3.79,"5":3.85,"norm":{"1":0.9875,"15":0.9475,"5":0.9625}}}}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:19.726+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"service.name":"filebeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":725970944}}}},"cpu":{"system":{"ticks":55140},"total":{"ticks":413780,"time":{"ms":10},"value":413780},"user":{"ticks":358640,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":12},"info":{"ephemeral_id":"a06cf314-385d-44cb-a102-7a589b0096b6","uptime":{"ms":532680047},"version":"8.13.4"},"memstats":{"gc_next":44418920,"memory_alloc":26308048,"memory_total":32671746416,"rss":128733184},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":7,"added":17,"done":13},"harvester":{"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":1}},"output":{"events":{"acked":8,"active":0,"batches":2,"total":8},"read":{"bytes":508,"errors":2},"write":{"bytes":5086,"latency":{"histogram":{"count":34053,"max":160,"mean":26.96484375,"median":22,"min":19,"p75":33,"p95":39,"p99":81.75,"p999":159.0000000000009,"stddev":11.48618116643151}}}},"pipeline":{"clients":1,"events":{"active":5,"filtered":7,"published":10,"total":17},"queue":{"acked":8}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":3.95,"15":3.79,"5":3.85,"norm":{"1":0.9875,"15":0.9475,"5":0.9625}}}}},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:20.089+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":725999616}}}},"cpu":{"system":{"ticks":16890},"total":{"ticks":212150,"time":{"ms":30},"value":212150},"user":{"ticks":195260,"time":{"ms":30}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":17},"info":{"ephemeral_id":"c342f931-c9b1-4741-9da3-d56180e33b09","uptime":{"ms":532680060},"version":"8.13.4"},"memstats":{"gc_next":51691416,"memory_alloc":25644752,"memory_total":10388103256,"rss":140632064},"runtime":{"goroutines":77}},"libbeat":{"config":{"module":{"running":4}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":8877,"max":165,"mean":27.6826171875,"median":30,"min":19,"p75":31,"p95":38,"p99":59,"p999":164.20000000000073,"stddev":10.339257454615858}}}},"pipeline":{"clients":8,"events":{"active":0}}},"system":{"load":{"1":3.95,"15":3.79,"5":3.85,"norm":{"1":0.9875,"15":0.9475,"5":0.9625}}}}},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:20.224+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":725999616}}}},"cpu":{"system":{"ticks":44040},"total":{"ticks":212720,"time":{"ms":10},"value":212720},"user":{"ticks":168680,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":17},"info":{"ephemeral_id":"3a9d1573-1beb-4a46-9878-61d3437ba5ce","uptime":{"ms":532680052},"version":"8.13.4"},"memstats":{"gc_next":53238392,"memory_alloc":26414000,"memory_total":13096535168,"rss":138698752},"runtime":{"goroutines":77}},"libbeat":{"config":{"module":{"running":8}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":8878,"max":314,"mean":32.783203125,"median":37,"min":20,"p75":39,"p95":44,"p99":68,"p999":311.4750000000023,"stddev":15.805453935746048}}}},"pipeline":{"clients":8,"events":{"active":0}}},"system":{"load":{"1":3.95,"15":3.79,"5":3.85,"norm":{"1":0.9875,"15":0.9475,"5":0.9625}}}}},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:21.897+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":179,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:21.897+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.origin":{"file.line":199,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:29.285+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.logger":"tls","log.origin":{"file.line":179,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:29.286+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.logger":"tls","log.origin":{"file.line":199,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:31.131+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"log.origin":{"file.line":179,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:31.131+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":199,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:31.263+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":179,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:31.263+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":199,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:39.910+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":179,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:39.910+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":199,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:48.684+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"log-default","type":"log"},"log":{"source":"log-default"},"monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":726016000}}}},"cpu":{"system":{"ticks":45490,"time":{"ms":10}},"total":{"ticks":198950,"time":{"ms":20},"value":198950},"user":{"ticks":153460,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":15},"info":{"ephemeral_id":"55bb5708-e04c-4e94-a060-b10799e23263","uptime":{"ms":532710041},"version":"8.13.4"},"memstats":{"gc_next":38123728,"memory_alloc":18874104,"memory_total":18140909048,"rss":125657088},"runtime":{"goroutines":53}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":2}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":0,"max":0,"mean":0,"median":0,"min":0,"p75":0,"p95":0,"p99":0,"p999":0,"stddev":0}}}},"pipeline":{"clients":2,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":3.79,"15":3.78,"5":3.82,"norm":{"1":0.9475,"15":0.945,"5":0.955}}}}},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:48.887+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":726020096}}}},"cpu":{"system":{"ticks":1346050,"time":{"ms":90}},"total":{"ticks":3064310,"time":{"ms":180},"value":3064310},"user":{"ticks":1718260,"time":{"ms":90}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":15},"info":{"ephemeral_id":"75c9d612-dc1c-426f-8ee8-d30bbea5cf42","uptime":{"ms":532710062},"version":"8.13.4"},"memstats":{"gc_next":54424256,"memory_alloc":45179736,"memory_total":341261509296,"rss":162283520},"runtime":{"goroutines":76}},"libbeat":{"config":{"module":{"running":11}},"output":{"events":{"acked":57,"active":0,"batches":2,"total":57},"read":{"bytes":1784,"errors":2},"write":{"bytes":24257,"latency":{"histogram":{"count":48403,"max":369,"mean":48.958984375,"median":48,"min":30,"p75":54,"p95":71,"p99":123.75,"p999":366.9000000000019,"stddev":19.115251736990174}}}},"pipeline":{"clients":11,"events":{"active":22,"published":71,"total":71},"queue":{"acked":57}}},"metricbeat":{"system":{"cpu":{"events":3,"success":3},"diskio":{"events":18,"success":18},"filesystem":{"events":2,"success":2},"fsstat":{"events":1,"success":1},"load":{"events":3,"success":3},"memory":{"events":3,"success":3},"network":{"events":9,"success":9},"process":{"events":23,"success":23},"process_summary":{"events":3,"success":3},"socket_summary":{"events":3,"success":3},"uptime":{"events":3,"success":3}}},"system":{"load":{"1":3.79,"15":3.78,"5":3.82,"norm":{"1":0.9475,"15":0.945,"5":0.955}}}}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:49.044+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"tcp-default","type":"tcp"},"log":{"source":"tcp-default"},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"filebeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":726024192}}}},"cpu":{"system":{"ticks":56700,"time":{"ms":10}},"total":{"ticks":182810,"time":{"ms":20},"value":182810},"user":{"ticks":126110,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":16},"info":{"ephemeral_id":"b9a25aba-05dd-4762-907d-3a61278e8ef0","uptime":{"ms":532710062},"version":"8.13.4"},"memstats":{"gc_next":37889968,"memory_alloc":22628272,"memory_total":18043681952,"rss":123686912},"runtime":{"goroutines":47}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":1}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":0,"max":0,"mean":0,"median":0,"min":0,"p75":0,"p95":0,"p99":0,"p999":0,"stddev":0}}}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":3.79,"15":3.78,"5":3.82,"norm":{"1":0.9475,"15":0.945,"5":0.955}}}}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:49.437+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"udp-default","type":"udp"},"log":{"source":"udp-default"},"service.name":"filebeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":726024192}}}},"cpu":{"system":{"ticks":36720,"time":{"ms":10}},"total":{"ticks":175720,"time":{"ms":20},"value":175720},"user":{"ticks":139000,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":16},"info":{"ephemeral_id":"6498ffb7-14a8-4d63-9a41-2452de528995","uptime":{"ms":532710055},"version":"8.13.4"},"memstats":{"gc_next":38613112,"memory_alloc":20469920,"memory_total":17773539888,"rss":119496704},"runtime":{"goroutines":47}},"filebeat":{"events":{"active":0},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":1}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":0,"max":0,"mean":0,"median":0,"min":0,"p75":0,"p95":0,"p99":0,"p999":0,"stddev":0}}}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":3.79,"15":3.78,"5":3.82,"norm":{"1":0.9475,"15":0.945,"5":0.955}}}}},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:49.727+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"service.name":"filebeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":726028288}}}},"cpu":{"system":{"ticks":55150,"time":{"ms":10}},"total":{"ticks":413800,"time":{"ms":20},"value":413800},"user":{"ticks":358650,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":12},"info":{"ephemeral_id":"a06cf314-385d-44cb-a102-7a589b0096b6","uptime":{"ms":532710047},"version":"8.13.4"},"memstats":{"gc_next":44418920,"memory_alloc":27860304,"memory_total":32673298672,"rss":128733184},"runtime":{"goroutines":46}},"filebeat":{"events":{"active":5,"added":17,"done":19},"harvester":{"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":1}},"output":{"events":{"acked":8,"active":0,"batches":1,"total":8},"read":{"bytes":358,"errors":1},"write":{"bytes":3988,"latency":{"histogram":{"count":34054,"max":160,"mean":26.96484375,"median":22,"min":19,"p75":33,"p95":39,"p99":81.75,"p999":159.0000000000009,"stddev":11.48618116643151}}}},"pipeline":{"clients":1,"events":{"active":5,"filtered":9,"published":8,"total":17},"queue":{"acked":8}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":3.79,"15":3.78,"5":3.82,"norm":{"1":0.9475,"15":0.945,"5":0.955}}}}},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:49.913+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":179,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:49.913+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.origin":{"file.line":199,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"tls","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:50.089+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":726073344}}}},"cpu":{"system":{"ticks":16900,"time":{"ms":10}},"total":{"ticks":212160,"time":{"ms":10},"value":212160},"user":{"ticks":195260}},"handles":{"limit":{"hard":524288,"soft":524288},"open":17},"info":{"ephemeral_id":"c342f931-c9b1-4741-9da3-d56180e33b09","uptime":{"ms":532710060},"version":"8.13.4"},"memstats":{"gc_next":51691416,"memory_alloc":26689208,"memory_total":10389147712,"rss":140632064},"runtime":{"goroutines":77}},"libbeat":{"config":{"module":{"running":4}},"output":{"events":{"acked":2,"active":0,"batches":1,"total":2},"read":{"bytes":202,"errors":1},"write":{"bytes":2087,"latency":{"histogram":{"count":8878,"max":165,"mean":27.6826171875,"median":30,"min":19,"p75":31,"p95":38,"p99":59,"p999":164.20000000000073,"stddev":10.339257454615858}}}},"pipeline":{"clients":8,"events":{"active":0,"published":2,"total":2},"queue":{"acked":2}}},"metricbeat":{"beat":{"state":{"events":1,"success":1},"stats":{"events":1,"success":1}}},"system":{"load":{"1":3.79,"15":3.78,"5":3.82,"norm":{"1":0.9475,"15":0.945,"5":0.955}}}}},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:50.224+0200","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":726081536}}}},"cpu":{"system":{"ticks":44050,"time":{"ms":10}},"total":{"ticks":212740,"time":{"ms":20},"value":212740},"user":{"ticks":168690,"time":{"ms":10}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":17},"info":{"ephemeral_id":"3a9d1573-1beb-4a46-9878-61d3437ba5ce","uptime":{"ms":532710053},"version":"8.13.4"},"memstats":{"gc_next":53238392,"memory_alloc":27584608,"memory_total":13097705776,"rss":138698752},"runtime":{"goroutines":77}},"libbeat":{"config":{"module":{"running":8}},"output":{"events":{"acked":7,"active":0,"batches":1,"total":7},"read":{"bytes":332,"errors":1},"write":{"bytes":2702,"latency":{"histogram":{"count":8879,"max":314,"mean":32.783203125,"median":37,"min":20,"p75":39,"p95":44,"p99":68,"p999":311.4750000000023,"stddev":15.805453935746048}}}},"pipeline":{"clients":8,"events":{"active":0,"published":7,"total":7},"queue":{"acked":7}}},"metricbeat":{"http":{"json":{"events":7,"success":7}}},"system":{"load":{"1":3.79,"15":3.78,"5":3.82,"norm":{"1":0.9475,"15":0.945,"5":0.955}}}}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:53.292+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.logger":"tls","log.origin":{"file.line":179,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"filebeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:53.292+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"tls","log.origin":{"file.line":199,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:59.925+0200","message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":179,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-21T16:03:59.925+0200","message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-default","type":"system/metrics"},"log":{"source":"system/metrics-default"},"log.logger":"tls","log.origin":{"file.line":199,"file.name":"tlscommon/tls_config.go","function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.trustRootCA"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}

Here is a snippet of the tcpdump I THINK you asked for:

16:14:42.192241 IP (tos 0x0, ttl 64, id 16153, offset 0, flags [none], proto UDP (17), length 829)
    172.20.5.214.19976 > 172.20.5.110.9004: [udp sum ok] UDP, length 801
	0x0000:  4500 033d 3f19 0000 4011 d50c ac14 05fe  E..=?...@.......
	0x0010:  ac14 0564 4e08 232c 0329 b0a6 3c31 3333  ...dN.#,.)..<133
	0x0020:  3e31 2032 3032 342d 3035 2d32 3154 3134  >1.2024-05-21T14
	0x0030:  3a31 343a 3431 5a20 534e 542d 4657 2d4e  :14:41Z.TRW-FW-N
	0x0040:  442d 3031 202d 202d 202d 202d 2065 7665  D-01.-.-.-.-.eve
	0x0050:  6e74 7469 6d65 3d31 3731 3633 3030 3838  nttime=171630088
	0x0060:  3135 3833 3036 3331 3232 2074 7a3d 222b  1583063122.tz="+
	0x0070:  3032 3030 2220 6c6f 6769 643d 2230 3030  0200".logid="000
	0x0080:  3030 3030 3031 3322 2074 7970 653d 2274  0000013".type="t
	0x0090:  7261 6666 6963 2220 7375 6274 7970 653d  raffic".subtype=
	0x00a0:  2266 6f72 7761 7264 2220 6c65 7665 6c3d  "forward".level=
	0x00b0:  226e 6f74 6963 6522 2076 643d 2243 4953  "notice".vd="COM
	0x00c0:  5445 4322 2073 7263 6970 3d31 3732 2e31  ANY".srcip=112.1
	0x00d0:  362e 352e 3231 2073 7263 706f 7274 3d35  6.8.1.srcport=5
	0x00e0:  3735 3238 2073 7263 696e 7466 3d22 5332  7528.srcintf="S2
	0x00f0:  532d 494e 582d 3031 2220 7372 6369 6e74  S-SOME-01".srcint
	0x0100:  6672 6f6c 653d 2275 6e64 6566 696e 6564  frole="undefined
	0x0110:  2220 6473 7469 703d 3137 322e 3230 2e35  ".dstip=171.11.2
	0x0120:  2e31 3030 2064 7374 706f 7274 3d35 3134  .101.dstport=514
	0x0130:  2064 7374 696e 7466 3d22 564c 414e 2d32  .dstintf="VLAN-2
	0x0140:  3030 3522 2064 7374 696e 7466 726f 6c65  005".dstintfrole
	0x0150:  3d22 6c61 6e22 2073 7263 636f 756e 7472  ="lan".srccountr
	0x0160:  793d 2252 6573 6572 7665 6422 2064 7374  y="Reserved".dst
	0x0170:  636f 756e 7472 793d 2252 6573 6572 7665  country="Reserve
	0x0180:  6422 2073 6573 7369 6f6e 6964 3d35 3433  d".sessionid=543
	0x0190:  3834 3831 3837 2070 726f 746f 3d31 3720  848187.proto=17.
	0x01a0:  6163 7469 6f6e 3d22 6163 6365 7074 2220  action="accept".
	0x01b0:  706f 6c69 6379 6964 3d31 3220 706f 6c69  policyid=12.poli
	0x01c0:  6379 7479 7065 3d22 706f 6c69 6379 2220  cytype="policy".
	0x01d0:  706f 6c75 7569 643d 2263 6261 3465 3466  poluuid="cba4e4f
	0x01e0:  632d 6261 6362 2d35 3165 652d 6435 3330  c-bacb-51ee-d530
	0x01f0:  2d35 6335 3362 6264 6264 6264 3722 2070  -5c53bbdbdbd7".p
	0x0200:  6f6c 6963 796e 616d 653d 2241 6363 6573  olicyname="Asses
	0x0210:  6f20 636c 6965 6e74 6573 2053 7973 6c6f  o.clentsss.Syslo
	0x0220:  6722 2075 7365 723d 224d 5049 534f 4e22  g".user="USERSS"
	0x0230:  2061 7574 6873 6572 7665 723d 2243 6973  .authserver="COM
	0x0240:  7465 6320 4144 2220 7365 7276 6963 653d  ANY.AD".service=
	0x0250:  2253 5953 4c4f 4722 2074 7261 6e64 6973  "SYSLOG".trandis
	0x0260:  703d 226e 6f6f 7022 2064 7572 6174 696f  p="noop".duratio
	0x0270:  6e3d 3138 3020 7365 6e74 6279 7465 3d37  n=180.sentbyte=7
	0x0280:  3620 7263 7664 6279 7465 3d30 2073 656e  6.rcvdbyte=0.sen
	0x0290:  7470 6b74 3d31 2072 6376 6470 6b74 3d30  tpkt=1.rcvdpkt=0
	0x02a0:  2076 706e 7479 7065 3d22 6970 7365 6376  .vpntype="ipsecv
	0x02b0:  706e 2220 6170 7063 6174 3d22 756e 7363  pn".appcat="unsc
	0x02c0:  616e 6e65 6422 2064 7374 6877 7665 6e64  anned".dsthwvend
	0x02d0:  6f72 3d22 564d 7761 7265 2220 6473 7464  or="VMware".dstd
	0x02e0:  6576 7479 7065 3d22 5072 6f78 7920 5365  evtype="Proxy.Se
	0x02f0:  7276 6572 2220 6d61 7374 6572 6473 746d  rver".masterdstm
	0x0300:  6163 3d22 3030 3a35 303a 3536 3a62 383a  ac="00:30:16:98:
	0x0310:  3835 3a33 6522 2064 7374 6d61 633d 2230  85:3e".dstmac="0
	0x0320:  303a 3530 3a35 363a 6238 3a38 353a 3365  0:10:66:98:85:3e
	0x0330:  2220 6473 7473 6572 7665 723d 30         ".dstserver=0

Hi Riahc3,

I had the same issue and we just found it. In our scenario the issue was found in Fleet -> Settings -> Outputs. There was only a default output which pointed to localhost, but since these settings are being pushed to the agents, they can't forward the logs to the stack. Changing the output to the stack fixed it. You also have to define the desired output in an agent policy (or change the default output using CLI/config files).
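The misconfiguration described in the post above (a Fleet output whose host only makes sense on the Fleet machine itself) can be checked offline against a saved copy of the outputs list. This is an added example, not part of the thread or Elastic's code; the JSON shape (`items[].hosts`, `is_default`, `is_default_monitoring`) is assumed to follow Kibana's `GET /api/fleet/outputs` response, and every id, name and host in the sample is constructed.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of a saved Fleet outputs listing.
# Every id, name and host below is made up for this example.
SAMPLE_OUTPUTS = json.loads("""
{"items": [
  {"id": "out-1", "name": "default", "type": "elasticsearch",
   "is_default": true, "is_default_monitoring": true,
   "hosts": ["http://localhost:9200"]},
  {"id": "out-2", "name": "stack", "type": "elasticsearch",
   "is_default": false, "is_default_monitoring": false,
   "hosts": ["https://192.0.2.10:9200", "https://es.example.internal:9200"]},
  {"id": "out-3", "name": "logstash-local", "type": "logstash",
   "is_default": false, "is_default_monitoring": false,
   "hosts": ["127.0.0.1:5044", "[::1]:5044"]}
]}
""")


def host_problem(host):
    """Return why a remote agent cannot use this output host, or None if it looks usable."""
    try:
        # Logstash-style hosts have no scheme; prefix "//" so urlsplit sees a netloc.
        name = urlsplit(host if "://" in host else "//" + host).hostname
    except ValueError:
        return "unparseable host"
    if not name:
        return "no hostname"
    if name == "localhost" or name.endswith(".localhost"):
        return "localhost name: each agent would connect to itself"
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        return None  # ordinary DNS name; agents still need to be able to resolve it
    if addr.is_loopback:
        return "loopback address: each agent would connect to itself"
    if addr.is_unspecified:
        return "unspecified address: a listen address, not a destination"
    return None  # private LAN addresses are fine if agents can route to them


def audit_outputs(listing):
    """Flag every output host that is pushed to agents but only valid locally."""
    findings = []
    for out in listing.get("items", []):
        # Defaults matter most: policies without an explicit output inherit them.
        roles = [role for role, flag in (("data", "is_default"),
                                         ("monitoring", "is_default_monitoring"))
                 if out.get(flag)]
        for host in out.get("hosts") or []:
            reason = host_problem(host)
            if reason:
                findings.append({"output": out.get("name"), "host": host,
                                 "default_for": roles, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_outputs(SAMPLE_OUTPUTS):
        scope = ", ".join(f["default_for"]) or "not a default"
        print(f'{f["output"]}: {f["host"]} ({scope}) -> {f["reason"]}')
```

A finding on an output that is the default for data or monitoring is the case from the post: every policy without an explicit output inherits it.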

Thank you for your suggestion.

Mine is pointing to the private IP of the machine (not localhost). Is this correct? Do I need to change it to something else?

OK I got something working but it just proves that the documentation is HORRIBLE explaining it....

There need to be many more examples.

Also, you can't seem to put an Elastic Agent and a Fleet Server on the same server.....It just works if you put it separately.

In which way? Please provide some example of what you think it is missing in the documentation.

The documentation can be confusing sometimes, mostly because there is no example for about anything.

Yeah, but this is documented.

You can install only a single Elastic Agent per host.

Fleet Server is an Elastic Agent integration, so if you want to run more things in the same server you need to add the integrations on the fleet server policy.

In which way? Please provide some example of what you think it is missing in the documentation.

The documentation can be confusing sometimes, mostly because there is no example for about anything.

Exact step by step with images showing examples. There is way too much filler and clutter text.

Yeah, but this is documented.

Don't make stuff up. As of 2024-08-02, you search "Fleet" in that exact document and there is NO line that says specifically "Please note, Elastic Agent and Fleet Server CANNOT be installed on the same server". I don't care about policies, etc. They are NOT the same and cannot be installed on the same server. These comments are insulting because you treat people like idiots saying "it is documented" when in that exact link, there is nothing that specifically states that...

Fleet Server is an Elastic Agent integration, so if you want to run more things in the same server you need to add the integrations on the fleet server policy.

Just that, per se, is confusing: The Fleet Server controls each Elastic Agent (from what I am saying). Saying they are the same or/and using the same terms, is just confusing things.

It's like saying Kibana and Elasticsearch are the same thing: You need Kibana to visualize Elasticsearch but they are different components and need to be separate. Imagine having to run:

./elasticsearch --install-kibana
./elasticsearch --install-elasticsearch

Makes 0 sense.

I understand your frustration and agree that the documentation can be heavily improved, but please be polite, no one here is making stuff up.

While this forum is managed and moderated by Elastic, it is not official support, does not have any kind of SLA, and most of the people answer questions voluntarily; I do not work for Elastic.

We always refer to the documentation because it is the starting point, and most people skip it or rush through it missing important things. Sorry if you felt insulted, it was never the intention.

I have nothing else to add besides what I already said in previous answers and the links already shared, as I said I agree that the documentation can be improved, but it needs to be noted that the documentation resembles a developer documentation, they are not tutorials, you won't find step by step guides.

Unfortunately there is a steep learning curve that requires you to navigate through the many topics in the documentation.

If you have any complaints about things not being clearly said, you need to direct them to Elastic by a PR on one of their repositories.

no one here is making stuff up

My issue is mainly that you replied that it is documented that the Fleet Server and Elastic Agent cannot be installed on the same server and proceeded to link to documentation where it doesn't say that. Maybe I missed it but I honestly do not see it.

developer documentation, they are not tutorials, you won't find step by step guides.

I completely agree on this point and I believe this needs to be reworked: Developer documentation and system administrator documentation.

Wazuh is very similar to ELK where it uses OpenSearch and Logstash and their documentation is waaaaaaaaaay better

OpenSearch/OpenDistro are AWS run products and differ from the original Elasticsearch and Kibana products that Elastic builds and maintains. You may need to contact them directly for further assistance. See What is OpenSearch and the OpenSearch Dashboard? | Elastic for more details.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns :elasticheart: )

Maybe my words weren't clear, but what I said is that you cannot install two Elastic Agents on the same server, you can have only one Agent per server, I assumed that you had an Agent working as Fleet Server and wanted to install another Agent to get your logs on the same server.

What needs to be clear is that Fleet Server and Elastic Agent are not different tools, Fleet Server is a process that runs inside Elastic Agent, is that clear? It is also recommended that the Agent running Fleet Server does not have other integrations to get data, but if it is required, you can have the Elastic Agent that works as the Fleet Server to also collect data, that's why I said that you could add the integration to the fleet server policy.

Both of those things are explained in the documentation linked in the previous post, but as mentioned you need to navigate through it to understand what is an Elastic Agent, what is a Fleet Server and how Policies work.

To work with Elastic Agent I would say that it is required to understand what is the Elastic Agent, what is a Fleet Server, what are integrations and how they work and what are policies and how they work, this was what I needed to read about when I started using it.

I don't think you can compare, Wazuh is pretty limited compared with Elastic tools, it is basically a single log collector, it is easier to get better documentation when your scope is smaller.

Maybe my words weren't clear, but what I said is that you cannot install two Elastic Agents on the same server, you can have only one Agent per server, I assumed that you had an Agent working as Fleet Server and wanted to install another Agent to get your logs on the same server.

The documentation makes it 100% clear that two Elastic Agents cannot be installed on the same server.

What needs to be clear is that Fleet Server and Elastic Agent are not different tools, Fleet Server is a process that runs inside Elastic Agent, is that clear?

That is clear under my own investigation and, IMO, that is not clear in the documentation at all...

It is also recommended that the Agent running Fleet Server does not have other integrations to get data, but if it is required, you can have the Elastic Agent that works as the Fleet Server to also collect data, that's why I said that you could add the integration to the fleet server policy.

I have attempted to do this but it's either the Fleet Server and/or the Elastic Agent...

Yet you make it confusing when I mention "you can't seem to put an Elastic Agent and a Fleet Server on the same server" agree that is documented (when it isn't: You can put only ONE Elastic Agent on one host but have all the integrations you want/system resources) and now you mention it can do it. So you are basically going back and forth :joy:

To work with Elastic Agent I would say that it is required to understand what is the Elastic Agent, what is a Fleet Server, what are integrations and how they work and what are policies and how they work, this was what I needed to read about when I started using it.

The documentation and the integration need to be way more detailed. The step by step in the integration does not work as is: For example, the port mentioned in the integration I believe goes against TCP 443 when that is for Elastic Cloud: Those are the little things that need to be improved to make an installation step by step.

I don't think you can compare

Both use the same stack as their engine. Even though their end goals are different, they work similarly.