Syslog and filebeat assistance request

This thread might help a little bit. I skimmed your thread quickly but you might want to look at this as well for the indices issue. Logstash can not write date into elasticsearch after activating elastic security

Happy to help @Brian_Tima, hmm so unfortunately only data from the expiring syslog server but not the new one?

Sorry if I'm missing something, @Ryan_Downey, can you clarify on the indices issue that the post you linked relates to?
I don't think Brian is running into any indices issues. I just mentioned checking on indices in the last 2 posts to see if data is making its way through his pipeline but it's not the initial problem.

A quick summary is that a previously working setup ([(1)Syslog -> Filebeat] -> [(2)Logstash -> Kafka -> Zookeeper] -> [(2)Elasticsearch] -> [(1)Kibana]) where the syslog server is on EL5 is not working on a new setup using EL7.

I think @Brian_Tima, we confirmed your traffic flow and confirmed that there is nothing wrong with this part of the pipeline [Logstash -> Kafka -> Zookeeper -> Elasticsearch] (because we confirmed your old logs are making their way through), we've definitely isolated the problem to the new syslog server and its filebeat.

The problem is you stated earlier that it is using the same Filebeat version and the same filebeat.yml contents... So not sure what the issue could be. Did you happen to take a look into the different syslog version? Maybe a file permissions issue for the /var/logs folder, depending on the user that Filebeat is running under?

I have not been successful at finding an easy way to install the same version of syslog that is on the old server onto the new server.
The version on the old server is rsyslog-5.8.10-7.0.1.el5_11
The version on the new server is rsyslog-8.24.0-41.el7_7.x86_64

I am seeing filebeat possibly ship logs at this time... running filebeat in debug mode shows the [publish] event below. There are many many many [publish] events.

When I search kibana for a timestamp seen from my new server kibana reported this error
Courier Fetch: 1 of 23 shards failed.

I did delete the index and recreate it, still not seeing my new server as a in my results.

2019-08-30T10:46:23.554-0500	DEBUG	[publish]	pipeline/processor.go:309	Publish 
event: {
  "@timestamp": "2019-08-30T15:46:23.553Z",
  "@metadata": {
  "beat": "filebeat",
"type": "doc",
"version": "6.8.2"
"offset": 416900956,
"log": {
"file": {
  "path": "/var/log/messages"
"message": "Aug 30 10:36:27 1xx.8x.12x.xx named[18855]: client 1xx.1xx.1x4.1x#17997 ( query '' denied",
"prospector": {
"type": "log"
"input": {
"type": "log"
"beat": {
"name": "slp-xg9",
"hostname": "slp-xg9",
"version": "6.8.2"
"host": {
"name": "slp-xg9"
"source": "/var/log/messages"

My problem has been solved! Thank you @justkind @Ryan_Downey @stephenb for your input!

on the ingest-2-server (slp-3zp) I edited the file


by adding the following

output {
   if [beat][hostname] == "slp-xg9" {
     kafka {
       codec             => json
       topic_id          => syslog
       bootstrap_servers => ','

on the ingest-1-server (slp-b3c) I edited the file


with the same logic for the output

Also, from my syslog/filebeat server (slp-xg9) I commented out the output.logstash section and uncommented my info in the output.elasticsearch section in the filebeat config file


Then ran

./filebeat setup

Then changed my output back for output.logstash to

  hosts: [""]

In Kibana, I deleted the syslog-* index pattern and recreated it.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.