Several filebeat installations on a Kibana / Elasticsearch server in one log file

Hello,

I have filebeat installed on a host and all syslog data is sent to Elasticsearch / Kibana, visible via Discover / Dashboard.
Now I would like to install filebeat on another host and also transfer the syslog data to the same server as above.
That means I want both syslog files to be visible in one Discover / Dashboard view, separated by the computer name.
Unfortunately, this is not possible with the same filebeat.yml.

Here is my filebeat.yml file:

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: dsme01
  keepfiles: 7
  permissions: 0640

All filebeat.yml are identical except this entry is changed in each:

name: dsme01

What am I doing wrong?

The filebeat.yml is identical on all Linux hosts.

root@dsme01:~# cat /etc/filebeat/filebeat.yml 
###################### Filebeat Configuration Example #########################
filebeat.inputs:
- type: filestream
  id: my-filestream-id
  enabled: false
  paths:
    - /var/log/*.log
# ============================== Filebeat modules ==============================
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
# ======================= Elasticsearch template setting =======================
setup.template.settings:
  index.number_of_shards: 1
  index.number_of_replicas: 1
# ================================== General ===================================
# ================================= Dashboards =================================
# =================================== Kibana ===================================
setup.kibana:
  host: "https://kibana.intern.example.com:5601"
  ssl.enabled: true
  ssl.verification_node: "none"
# =============================== Elastic Cloud ================================
# ================================== Outputs ===================================
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  hosts: ["node1.elasticsearch.intern.example.com:9200"]
  protocol: "https"
  ssl.certificate_authourities: ["/etc/ssl/certs/HarbichCA.cacert.pem"]
  username: "elastic"
  password: "#######"
# ------------------------------ Logstash Output -------------------------------
# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
# ================================== Logging ===================================
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: dsme01
  keepfiles: 7
  permissions: 0640
# ============================= X-Pack Monitoring ==============================
# ============================== Instrumentation ===============================
# ================================= Migration ==================================

Except for the following entry:

name: dsme01

Each host has a different name in it.

Why can't I see all hosts in Kibana under "Discover" & "filebeat_*" & "Kibana"?

What do the Filebeat logs on one of the other hosts show?

I got syslog working via filebeat and logstash after elasticsearch.
