Hello,
I have set up a single node ELK machine running the latest 6.x instances for Elasticsearch, Kibana, Logstash and Filebeat. I have been able to configure Winlogbeat on 2x Windows servers and I am receiving the logs with no issue. I have however noticed that on the indexes, the logs are coming in as Winlogbeat & Logstash, but I'm unable to determine why it's splitting them up into 2 indices. I was expecting my 5x CentOS hosts to be sending logs to the filebeat index, but this doesn't come up. I have even added Filebeat to the server the ELK stack is sitting on, to no avail.
I have set up a Graylog server as a test and I am able to successfully send logs with these Linux hosts, so communication is not an issue. I have checked the logs under /var/logs/filebeat/filebeat and I can't see anything obvious.
My configuration is as follows:
input {
  beats {
    port => 5044
  }
}
filter {
  grok {
    match => [ "message", "%{COMMONAPACHELOG}" ]
  }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
  }
}
Across all the Linux hosts, I have added to the Filebeat.yml:
output.logstash:
  hosts: ["1XX.1XX.XX.XX:5044"]
I had previously set up a configuration on a VM running the ELK Stack version 5.6 and had no issues sending over Linux logs. But right now I am stumped.
Please let me know if there's any more information needed to troubleshoot, and I will post it.
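An added example pipeline, not the poster's config, showing where the index split in a setup like the one above usually comes from. The Logstash `elasticsearch` output in the post has no `index` option, so every event that passes through Logstash is written to the default `logstash-YYYY.MM.dd` index regardless of which beat sent it; a separate `winlogbeat-*` index only appears when something writes to Elasticsearch under that name. Beats populate `[@metadata][beat]` and `[@metadata][version]` on every event, and the pipeline below uses them to give each beat its own index, the pattern the Beats documentation uses for a Logstash output. It also restricts the Apache grok to Filebeat events, since running `%{COMMONAPACHELOG}` over structured Winlogbeat events only adds a `_grokparsefailure` tag. The port and hosts are assumed to match the original post.

```logstash
input {
  beats {
    # Plaintext beats listener, as in the original post. For anything beyond a
    # lab, the Beats docs describe enabling ssl => true here and pointing
    # filebeat.yml at the CA via ssl.certificate_authorities.
    port => 5044
  }
}

filter {
  # Only Filebeat ships raw text lines; apply the Apache pattern to those only.
  # Lines that do not match keep the default _grokparsefailure tag, which is
  # the first thing to search for in Kibana when events look unparsed.
  if [@metadata][beat] == "filebeat" {
    grok {
      match => { "message" => "%{COMMONAPACHELOG}" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    # Without this line everything lands in logstash-YYYY.MM.dd. With it,
    # Filebeat events go to filebeat-<version>-<date> and Winlogbeat events to
    # winlogbeat-<version>-<date>, so the index names reveal the sender.
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
```

Two checks on the Filebeat side are worth running before touching the pipeline. In Filebeat 6.x, `filebeat test config -c /etc/filebeat/filebeat.yml` confirms the file parses and `filebeat test output` confirms the Logstash host in `output.logstash` actually accepts a connection. Separately, the `filebeat.yml` shipped with 6.x has its default log prospector set to `enabled: false`; a host whose output is reachable but whose prospectors are all disabled sends nothing and logs nothing obvious. On the Elasticsearch side, `curl 'localhost:9200/_cat/indices?v'` lists which indices are actually receiving documents, which is a quicker way to see whether a beat is arriving via Logstash or writing to Elasticsearch directly.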