Unable to map Filebeat in Kibana (5.4.0)

Elastic Stack Beats
1

Hi there,

I am having some trouble mapping Filebeat in Kibana after doing a clean install to 5.4.0. I have followed the Filebeat guide and have attempted to get it working for a while with no success. I have added a screenshot below which shows the notification error I get when attempting to map Filebeat. You can see by the image, filebeat has been installed (and is running as a service) and is available as an indexing pattern, but this is not the case according to the error. Could someone please shed some light on this and how I go about fixing this?

Filebeat error message.JPG1915×446 84.7 KB

It is worth noting that the ES, Kibana and beats installation is on an offline Windows Server 2012 R2 VM and therefore I needed to import the beats dashboard offline using the -file command. Also, I have changed all the necessary fields in the filebeat.yml to the IP address of ES, rather than using localhost, and have tested this config file which was ok.

I would really appreciate some assistance on this as I have been pulling the little hair I have left out. Thanks in advanced. Happy to provide more information if necessary.

BMV

2

What are the exact steps that lead you to that screenshot?

I can see the index created on the left so I don't fully understand the error

3

The steps I took are as follows:

  1. Ran PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1
  2. in the filebeat.yml and filebeat.full.yml files, I changed output.elasticsearch hosts ["localhost:9200"] to ["host IP address:9200"]. I'm not going through logstash so I left that part unchanged.
  3. I'm attempting to use the file.template.json file, so I have left this unchanged.
  4. Started the service by Start-Service filebeat which I confirm starts successfully.
  5. Because this VM is offline and there is no way it could go online, I downloaded beats-dashboards-5.4.0.zip and put it within the following directory: c:\ELK-Stack\filebeat\scripts\ folder.
  6. I run the following command: .\scripts\import_dashboards -file c:\ELK-Stack\filebeat\scripts\beats-dashboards-5.4.0.zip -es http://ip of my ES host:9200
  7. An extract of the above results are in the image below:

image.png851×557 678 KB

  1. Restart the ES, Kibana and filebeat services.
  2. Open Kibana and wait for around 2 minutes and then go into management.
  3. Try to refresh filebeats mapping and get the error as seen in my first post.

I hope this answers your question in regards to the steps I took. Am I missing something or doing something wrong?

Worth pointing out that Winlogbeat and packetbeat are working well.

Hope you or someone else can assist!

Thanks

BMV

4

Hi all,

Just a quick update on this issue.

Despite the error, I am still able to send filebeat logs to the ES host and view them in Kibana as intended. The problem remains that I am still unable to modify or refresh the filebeat index pattern in Kibana due to this notification error. Ideally I would still like to get an insight on what is causing this problem and attempt to fix it. If anyone has any ideas, I'm all ears.

Thanks.

BMV

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.