Hello Team,
I am using ELK 6.4.0 and beat (Filebeat) 6.4.0. My architecture is Filebeat->Logstash->Elasticsearch->Kibana.
I have installed Filebeat on my 20 servers and am sending auth.log, syslog, nginx access.log and the application log to Kibana using Filebeat. I have defined prospector inputs for the paths.
For 15 servers everything is working fine. But on 5 servers, the nginx access log and application logs are reaching Kibana, while auth.log and syslog are not reaching the Kibana dashboard for the same 5 servers.
I have verified that the logs are available in auth.log and syslog files on all 5 servers.
Below is my filebeat.yml config:
#=========================== Filebeat inputs =============================
filebeat.inputs:
- type: log
  # Change to true to enable this input configuration.
  enabled: true
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    # - /var/log/*.log
    - /var/apps/mobilock/shared/log/production.log
    #- c:\programdata\elasticsearch\logs\*
  exclude_lines: ['^.*health.*$']
  fields_under_root: true
  fields:
    type: application_log
  #multiline.match: after
  multiline.pattern: '[A-Z]{1}, \[[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after
- type: log
  enabled: true
  paths:
    - /var/log/syslog
  fields_under_root: true
  fields:
    type: syslog_logs
- type: log
  enabled: true
  paths:
    - /var/log/auth.log
  fields_under_root: true
  fields:
    type: auth_logs
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  fields_under_root: true
  fields:
    type: nginx_access
I have run Filebeat in debug mode and found that the offset is updating whenever we make any activity for auth.log. This means Filebeat is reading the auth.log file properly.
Can you please help me to troubleshoot this strange behavior?
Any assistance will be appreciated.
Thanks.