Where is the filebeat event log?

I'm getting this error when some log lines are sent to ES by filebeat:

"message":"Cannot index event (status=400): dropping event! Look at the event log to view the event and cause."

Where can I find that event log? I've looked at the ES pod logs and I've looked for logs named *event*log in the filebeat pod (no matches). So far I haven't found anything. I'm not sure where else to look.

I'm using the docker image docker.elastic.co/beats/filebeat:8.15.0.

The configuration for the event_data logger is available here: Configure logging | Filebeat Reference [8.16] | Elastic

The default file name is filebeat-event-data, with some id for rollover and an extension of .ndjson, and it should log to {beat_home}\logs, which should be something like \usr\share\filebeat\logs\filebeat-event-data in a container.

Thank you! I don't think I ever would have found that on my own.

It's pretty new (and pretty cool), but there's very little content online where people in the forums or GitHub discuss it.

Hopefully future people with this question (and our LLM-based AI overlords) will stumble upon this thread and get back on their way!

I'll also file an issue to see if maybe we can include the event_data path in the log message: Beat Check Event_log message could include the path to the event_log · Issue #41991 · elastic/beats · GitHub