Unable to send logs using Filebeat to Logstash

Hi Team,

I am trying to send logs from a .json file on one of my servers to Logstash using Filebeat. Below are the configs I set on Filebeat and Logstash, but I am not able to send them successfully. Your suggestions and help will be much appreciated.

Filebeat configs on filebeat.yml -->

# ============================== Filebeat inputs ===============================

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/ossec/logs/archives.json

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["10.x.x.x:xxx"]


------------------------------------------------------------------------

Configs on Logstash side -

input.conf -->

input {
  beats {
    port => xxx
    type => custom_log
    codec => json_lines {
      delimiter => "\0"
    }
  }
}

------------------------------------------------------------------------
output.conf -->

output {
if [type] == "custom_log" {
    kafka  {
      bootstrap_servers => "10.x.x.x:xxx"
      topic_id => "wazuh"
      codec => "json"
    }
    file  {
      path => "/var/log/syslog/wazuh-%{+YYYY-MM-dd}.log"
    }
  }
}


Thanks.

Welcome to our community! :smiley:

It's not clear why you think this is not working sorry. You will need to provide logs from Filebeat and Logstash so we can see what is happening.

These are the error logs -

(bllogstash-virtual-machine) any->/var/log/syslog Feb 21 11:12:27 bllogstash-virtual-machine systemd[1380674]: Stopped Service for snap application snapd-desktop-integration.snapd-desktop-integration.","tags":["_jsonparsefailure"],"@timestamp":"2023-02-21T04:03:57.919040009Z","@version":"1"}
{"decoder":{"name":"rootcheck"},"agent":{"id":"000","name":"wazuh-virtual-machine"},"timestamp":"2023-02-21T09:28:39.509+0800","@timestamp":"2023-02-21T04:14:23.341634846Z","type":"wazuh_log","@version":"1","full_log":"Starting rootcheck scan.","data":{"title":"Starting rootcheck scan."},"location":"rootcheck","id":"1676942919.0","manager":{"name":"wazuh-virtual-machine"}}

This is another issue I am facing where agent is failing to start -

root@wazuh-virtual-machine:~# systemctl status filebeat.service
× filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/lib/systemd/system/filebeat.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2023-02-22 09:59:18 HKT; 1s ago
Docs: Filebeat: Lightweight Log Analysis & Elasticsearch | Elastic
Process: 140775 ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS (code=exited, status=2)
Main PID: 140775 (code=exited, status=2)
CPU: 95ms

Feb 22 09:59:18 wazuh-virtual-machine filebeat[140775]: rip 0x7f080ba96a7c
Feb 22 09:59:18 wazuh-virtual-machine filebeat[140775]: rflags 0x246
Feb 22 09:59:18 wazuh-virtual-machine filebeat[140775]: cs 0x33
Feb 22 09:59:18 wazuh-virtual-machine filebeat[140775]: fs 0x0
Feb 22 09:59:18 wazuh-virtual-machine filebeat[140775]: gs 0x0
Feb 22 09:59:18 wazuh-virtual-machine systemd[1]: filebeat.service: Scheduled restart job, restart counter is at 5.
Feb 22 09:59:18 wazuh-virtual-machine systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
Feb 22 09:59:18 wazuh-virtual-machine systemd[1]: filebeat.service: Start request repeated too quickly.
Feb 22 09:59:18 wazuh-virtual-machine systemd[1]: filebeat.service: Failed with result 'exit-code'.
Feb 22 09:59:18 wazuh-virtual-machine systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..

You need to check your system logs to see why the service was not started, check on /var/log/syslog around the time it stopped.

Also, why do you have this in the logstash input?

    codec => json_lines {
      delimiter => "\0"
    }

The archives.json file that Wazuh creates already has one json event per line, you do not need this codec configuration.

Thanks for your response @leandrojmp.
I have removed the delimiter from logstash input.

Also noticed that the filebeat agent is active now but there is still some issue, here is the /var/log/syslog -

Feb 22 10:31:43 wazuh-virtual-machine filebeat[141283]: 2023-02-22T10:31:43.357+0800#011INFO#011[monitoring]#011log/log.go:184#011Non-zero metrics in the last 30s#011{"monitoring": {"metrics": {"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":-532480}}}},"cpu":{"system":{"ticks":410,"time":{"ms":9}},"total":{"ticks":4020,"time":{"ms":50},"value":4020},"user":{"ticks":3610,"time":{"ms":41}}},"handles":{"limit":{"hard":524288,"soft":1024},"open":11},"info":{"ephemeral_id":"ca8b925c-0141-42b1-87ba-e5daa218884a","uptime":{"ms":330033},"version":"7.15.1"},"memstats":{"gc_next":14113392,"memory_alloc":8728744,"memory_total":1093165824,"rss":83038208},"runtime":{"goroutines":28}},"filebeat":{"events":{"active":-5,"added":72,"done":77},"harvester":{"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":77,"active":0,"batches":14,"total":77},"read":{"bytes":84},"write":{"bytes":20562}},"pipeline":{"clients":1,"events":{"active":0,"published":72,"total":72},"queue":{"acked":77}}},"registrar":{"states":{"current":3,"update":77},"writes":{"success":14,"total":14}},"system":{"load":{"1":0.12,"15":0.02,"5":0.06,"norm":{"1":0.06,"15":0.01,"5":0.03}}}}}}
Feb 22 10:31:43 wazuh-virtual-machine rsyslogd: omfwd: remote server at 10.x.x.x:xxx seems to have closed connection. This often happens when the remote peer (or an interim system like a load balancer or firewall) shuts down or aborts a connection. Rsyslog will re-open the connection if configured to do so (we saw a generic IO Error, which usually goes along with that behaviour). [v8.2112.0 try https://www.rsyslog.com/e/2027 ]
Feb 22 10:31:43 wazuh-virtual-machine rsyslogd: action 'action-7-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2112.0 try https://www.rsyslog.com/e/2007 ]
Feb 22 10:31:43 wazuh-virtual-machine rsyslogd: action 'action-7-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.2112.0 try https://www.rsyslog.com/e/2359 ]

Please format your logs using the Preformatted text option, the </> button, it makes easier to read the logs.

There is nothing in the log you shared that suggests anything wrong with Filebeat, it is not clear what is your current issue.

Is Filebeat running or not? Look for WARN or ERROR lines in the log.

Thanks @leandrojmp. I have corrected the format in the previous message.
Yes, filebeat is running but the message I sent earlier is in the /var/log/syslog.

Also on the logstash side this is what I received, which doesn't look like the expected logs -

`{"ecs":{"version":"1.11.0"},"message":"{\"timestamp\":\"2023-02-22T10:30:51.752+0800\",\"agent\":{\"id\":\"001\",\"name\":\"bllogstash-virtual-machine\",\"ip\":\"10.x.x.x\"},\"manager\":{\"name\":\"wazuh-virtual-machine\"},\"id\":\"1677033051.21383\",\"full_log\":\"Feb 22 10:30:51 bllogstash-virtual-machine systemd[1380674]: Started Service for snap application snapd-desktop-integration.snapd-desktop-integration.\",\"predecoder\":{\"program_name\":\"systemd\",\"timestamp\":\"Feb 22 10:30:51\",\"hostname\":\"bllogstash-virtual-machine\"},\"decoder\":{\"name\":\"systemd\"},\"location\":\"/var/log/syslog\"}","event":{"original":"{\"timestamp\":\"2023-02-22T10:30:51.752+0800\",\"agent\":{\"id\":\"001\",\"name\":\"bllogstash-virtual-machine\",\"ip\":\"10.x.x.x\"},\"manager\":{\"name\":\"wazuh-virtual-machine\"},\"id\":\"1677033051.21383\",\"full_log\":\"Feb 22 10:30:51 bllogstash-virtual-machine systemd[1380674]: Started Service for snap application snapd-desktop-integration.snapd-desktop-integration.\",\"predecoder\":{\"program_name\":\"systemd\",\"timestamp\":\"Feb 22 10:30:51\",\"hostname\":\"bllogstash-virtual-machine\"},\"decoder\":{\"name\":\"systemd\"},\"location\":\"/var/log/syslog\"}"},"host":{"os":{"platform":"ubuntu","family":"debian","name":"Ubuntu","kernel":"5.19.0-32-generic","codename":"jammy","type":"linux","version":"22.04 (Jammy Jellyfish)"},"name":"wazuh-virtual-machine","mac":["00:0c:29:15:a4:1e"],"ip":["10.x.x.x","fe80::aa26:e157:e495:c628"],"id":"24ed17383d96472da3dc8e2f251f0333","containerized":false,"architecture":"x86_64","hostname":"wazuh-virtual-machine"}"@timestamp":"2023-02-22T02:30:53.445Z","@version":"1","tags":["beats_input_codec_plain_applied"],"log":{"file":{"path":"/var/ossec/logs/archives/archives.json"},"offset":61659868},"type":"wazuh_log","agent":{"ephemeral_id":"ca8b925c-0141-42b1-87ba-e5daa218884a","name":"wazuh-virtual-machine","type":"filebeat","id":"7455124a-f2c5-482a-9ca4-a3e8f26710b8","version":"7.15.1","hostname":"wazuh-virtual-machine"},"input":{"type":"log"}}`

Do you see anything wrong in my configs?

This is a message created by a Wazuh agent, collected from the wazuh json file by filebeat and sent to Logstash, this means that filebeat is correctly reading the archives.json file and sending it to Logstash.

Not sure what you expected to receive. Can you provide more context?

Are you expecting individual fields? If so, you need to parse the message in Logstash with a json filter.

You would need something like this in your Logstash configuration:

filter {
    json {
        source => "message"
    }
}
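A complete pipeline that combines the beats input and Kafka output posted above with the json filter from this answer, added here as an example and not taken from the thread or from Wazuh. The port, the Kafka bootstrap server and the parse-failure file path are placeholders.

```logstash
input {
  beats {
    port => 5044                 # placeholder: the port Filebeat points at
    type => "wazuh_log"
  }
}

filter {
  if [type] == "wazuh_log" {
    # Filebeat ships each archives.json line as a JSON string in [message].
    # The json filter expands it into individual top-level fields.
    # Note: the Wazuh event's own [agent] object replaces Filebeat's [agent]
    # metadata; add target => "wazuh" if both must be kept apart.
    json {
      source => "message"
      tag_on_failure => ["_jsonparsefailure"]   # this is also the default
    }
    if "_jsonparsefailure" not in [tags] {
      # After parsing, the raw string sits in both [message] and
      # [event][original]; drop them so Kafka does not carry each event twice.
      mutate {
        remove_field => ["message", "[event][original]"]
      }
    }
  }
}

output {
  if [type] == "wazuh_log" {
    if "_jsonparsefailure" in [tags] {
      # Keep unparsable lines on disk for inspection instead of sending them on.
      file {
        path => "/var/log/logstash/wazuh-parse-failures-%{+YYYY-MM-dd}.log"  # placeholder
      }
    } else {
      kafka {
        bootstrap_servers => "10.x.x.x:xxx"   # placeholder as in the thread
        topic_id => "wazuh"
        codec => "json"
      }
      file {
        path => "/var/log/syslog/wazuh-%{+YYYY-MM-dd}.log"
      }
    }
  }
}
```

Events that fail to parse are routed to a separate file by their `_jsonparsefailure` tag, the same tag that appeared in the earlier error log, so a bad line never reaches the Kafka topic silently.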

Thanks for your response @leandrojmp.
Yes, I am trying to send Wazuh agent logs, which get collected in the archives.json file on the Wazuh manager. I have installed Filebeat to ship logs from archives.json to logstash.

I am now able to ship the logs from archives.json to logstash but there seems to be a parsing or delimiter issue.
This is the log I am getting on logstash -

`{"log":{"file":{"path":"/var/ossec/logs/archives/archives.json"},"offset":65400666},"ecs":{"version":"1.11.0"},"event":{"original":"{\"timestamp\":\"2023-02-22T11:12:21.971+0800\",\"rule\":{\"level\":8,\"description\":\"New user added to the system.\",\"id\":\"5902\",\"mitre\":{\"id\":[\"T1136\"],\"tactic\":[\"Persistence\"],\"technique\":[\"Create Account\"]},\"firedtimes\":1,\"mail\":false,\"groups\":[\"syslog\",\"adduser\"],\"pci_dss\":[\"10.2.7\",\"10.2.5\",\"8.1.2\"],\"gpg13\":[\"4.13\"],\"gdpr\":[\"IV_35.7.d\",\"IV_32.2\"],\"hipaa\":[\"164.312.b\",\"164.312.a.2.I\",\"164.312.a.2.II\"],\"nist_800_53\":[\"AU.14\",\"AC.7\",\"AC.2\",\"IA.4\"],\"tsc\":[\"CC6.8\",\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"001\",\"name\":\"bllogstash-virtual-machine\",\"ip\":\"10.x.x.x\"},\"manager\":{\"name\":\"wazuh-virtual-machine\"},\"id\":\"1677035541.34568\",\"full_log\":\"Feb 22 11:12:21 bllogstash-virtual-machine useradd[2292151]: new user: name=cool, UID=1002, GID=1002, home=/home/cool, shell=/bin/bash, from=/dev/pts/2\",\"predecoder\":{\"program_name\":\"useradd\",\"timestamp\":\"Feb 22 11:12:21\",\"hostname\":\"bllogstash-virtual-machine\"},\"decoder\":{\"parent\":\"useradd\",\"name\":\"useradd\"},\"data\":{\"dstuser\":\"cool\",\"uid\":\"1002\",\"gid\":\"1002\",\"home\":\"/home/cool\",\"shell\":\"/bin/bash,\"},\"location\":\"/var/log/auth.log\"}"},"message":"{\"timestamp\":\"2023-02-22T11:12:21.971+0800\",\"rule\":{\"level\":8,\"description\":\"New user added to the system.\",\"id\":\"5902\",\"mitre\":{\"id\":[\"T1136\"],\"tactic\":[\"Persistence\"],\"technique\":[\"Create Account\"]},\"firedtimes\":1,\"mail\":false,\"groups\":[\"syslog\",\"adduser\"],\"pci_dss\":[\"10.2.7\",\"10.2.5\",\"8.1.2\"],\"gpg13\":[\"4.13\"],\"gdpr\":[\"IV_35.7.d\",\"IV_32.2\"],\"hipaa\":[\"164.312.b\",\"164.312.a.2.I\",\"164.312.a.2.II\"],\"nist_800_53\":[\"AU.14\",\"AC.7\",\"AC.2\",\"IA.4\"],\"tsc\":[\"CC6.8\",\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"001\",\"name\":\"bllogstash-virtual-machine\",\"ip\":\"10.x.x.x\"},\"manager\":{\"name\":\"wazuh-virtual-machine\"},\"id\":\"1677035541.34568\",\"full_log\":\"Feb 22 11:12:21 bllogstash-virtual-machine useradd[2292151]: new user: name=cool, UID=1002, GID=1002, home=/home/cool, shell=/bin/bash, from=/dev/pts/2\",\"predecoder\":{\"program_name\":\"useradd\",\"timestamp\":\"Feb 22 11:12:21\",\"hostname\":\"bllogstash-virtual-machine\"},\"decoder\":{\"parent\":\"useradd\",\"name\":\"useradd\"},\"data\":{\"dstuser\":\"cool\",\"uid\":\"1002\",\"gid\":\"1002\",\"home\":\"/home/cool\",\"shell\":\"/bin/bash,\"},\"location\":\"/var/log/auth.log\"}","agent":{"ephemeral_id":"ca8b925c-0141-42b1-87ba-e5daa218884a","name":"wazuh-virtual-machine","id":"7455124a-f2c5-482a-9ca4-a3e8f26710b8","type":"filebeat","hostname":"wazuh-virtual-machine","version":"7.15.1"},"type":"wazuh_log","host":{"os":{"kernel":"5.19.0-32-generic","platform":"ubuntu","family":"debian","name":"Ubuntu","codename":"jammy","type":"linux","version":"22.04 (Jammy Jellyfish)"},"containerized":false,"name":"wazuh-virtual-machine","mac":["00:0c:29:15:a4:1e"],"ip":["10.x.x.x","fe80::aa26:e157:e495:c628"],"architecture":"x86_64","id":"24ed17383d96472da3dc8e2f251f0333","hostname":"wazuh-virtual-machine"},"@timestamp":"2023-02-22T03:12:22.795Z","tags":["beats_input_codec_plain_applied"],"@version":"1","input":{"type":"log"}}`

Here are my logstash configs -

input {
  beats {
    port => xxx
    type => wazuh_log
  }
}
output {
if [type] == "wazuh_log" {
    kafka  {
      bootstrap_servers => "10.x.x.x:xxx"
      topic_id => "wazuh"
      codec => "json"
    }
    file  {
      path => "/var/log/syslog/wazuh-%{+YYYY-MM-dd}.log"
    }
  }
}

Can you suggest if I can add any parsing logic or delimiter here?

The delimiter I added earlier is not helping, hence I removed it -

codec => json_lines {
  delimiter => "\0"
}

Thanks.

Check the previous answer, you need to add a json filter to parse this message.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.