Why does filebeat run from CLI but not as a service?

laidig · July 26, 2018, 4:42pm

I have no trouble running filebeat and submitting to my host on the Elastic cloud from the cli as such:

filebeat -c filebeat.yml -e -d "*"

Loglines start whizzing by and show up in Kibana.

But when I start the service, filebeat can connect but is not able to send:

2018-07-26T16:13:02.410Z        INFO    elasticsearch/client.go:690     Connected to Elasticsearch version 6.3.1
2018-07-26T16:13:29.786Z        INFO    [monitoring]    log/log.go:124  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":220,"time
":{"ms":222}},"total":{"ticks":610,"time":{"ms":612},"value":610},"user":{"ticks":390,"time":{"ms":390}}},"info":{"ephemeral_id":"9641237c-bf4c-4bbf-9f9a-cff1698007ae","uptime":{"ms"
:30079}},"memstats":{"gc_next":5344448,"memory_alloc":4303504,"memory_total":26155384,"rss":24276992}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"mod
ule":{"running":0}},"output":{"type":"elasticsearch"},"pipeline":{"clients":0,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":1},"load":{"1":1.1
9,"15":0.69,"5":0.89,"norm":{"1":1.19,"15":0.69,"5":0.89}}}}}}
2018-07-26T16:13:31.073Z        INFO    instance/beat.go:315    filebeat start running.
2018-07-26T16:13:31.073Z        INFO    registrar/registrar.go:117      Loading registrar data from /var/lib/filebeat/registry
2018-07-26T16:13:31.074Z        INFO    registrar/registrar.go:124      States Loaded from registrar: 3
2018-07-26T16:13:31.075Z        INFO    crawler/crawler.go:48   Loading Inputs: 1
2018-07-26T16:13:31.077Z        INFO    log/input.go:118        Configured paths: [/var/log/nginx/*.log]
2018-07-26T16:13:31.077Z        INFO    input/input.go:88       Starting input of type: log; ID: 3774073752292529080
2018-07-26T16:13:31.078Z        INFO    crawler/crawler.go:82   Loading and starting Inputs completed. Enabled inputs: 1
2018-07-26T16:13:31.079Z        INFO    cfgfile/reload.go:122   Config reloader started
2018-07-26T16:13:31.079Z        INFO    log/harvester.go:228    Harvester started for file: /var/log/nginx/access.io.log
2018-07-26T16:13:31.080Z        INFO    cfgfile/reload.go:214   Loading of config files completed.
2018-07-26T16:13:31.083Z        INFO    log/harvester.go:228    Harvester started for file: /var/log/nginx/error.io.log
2018-07-26T16:13:31.674Z        INFO    elasticsearch/client.go:690     Connected to Elasticsearch version 6.3.1
2018-07-26T16:13:31.752Z        INFO    template/load.go:73     Template already exists and will not be overwritten.
2018-07-26T16:13:33.725Z        ERROR   pipeline/output.go:92   Failed to publish events: temporary bulk send failure

What am I missing? Is there any other info I would need to provide to get to a solution?

laidig · July 26, 2018, 6:57pm

After letting Filebeat run in debug mode for a while I found the problem.

My filebeat.yml was loading an error log that wasn't configured via a pipeline. It would get stuck in a loop once it hit that log.

system · August 23, 2018, 6:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.