2
votes

I have a setup using Elasticsearch, Kibana and Logstash on one VM and Filebeat on the slave machine. I managed to send syslog messages and logs from the auth.log file following the tutorial from here. In the Filebeat log I saw that the messages are published, but when I try to send a JSON file I don't see any publish event (I see just "Flushing spooler because of timeout. Events flushed: 0"). My filebeat.yml file is:

    filebeat:
      prospectors:
        -
          paths:
          #  - /var/log/auth.log
          #  - /var/log/syslog
          #  - /var/log/*.log
            - /home/slave/data_2/*
          input_type: log

          document_type: log

      registry_file: /var/lib/filebeat/registry

    output:
      logstash:
        hosts: ["192.168.132.207:5044"]

        tls:
          certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

    shipper:

    logging:
      level: debug
      to_files: true
      to_syslog: false
      files:
        path: /var/log/mybeat
        name: mybeat.log
        keepfiles: 7
        rotateeverybytes: 10485760 # = 10MB

3
how did you solve it? - flyOWX

3 Answers

2
votes

PLEASE NOTE that tabs are not allowed in your filebeat.yml! I used Notepad++ and View > Show > whitespace and TAB. Sure enough, there was a TAB char in a blank line and Filebeat wouldn't start. Use filebeat -c filebeat.yml -configtest and it will give you more information.

0
votes

Go to your Logstash input for Filebeat and comment out the tls section!

0
votes

Don't forget to check your log file permissions. If everything is rooted, filebeat won't have read access to it. Set your file group to adm.

    sudo chgrp adm /var/log/*.log
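
An added example, not from any of the posts above: a preflight script for the two failure modes the answers name, a TAB character in filebeat.yml and input files that the shipper's group cannot read. It assumes the prospector layout shown in the question, unquoted path entries and GNU find; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: preflight checks for a filebeat.yml laid out like the question's.

# tab_lines FILE: print the number of every line containing a TAB character.
tab_lines() {
    awk 'index($0, "\t") { print NR }' "$1"
}

# active_paths FILE: print the uncommented "- <glob>" entries under each "paths:" key.
active_paths() {
    awk '
        /^[ \t]*#/      { next }                  # commented-out entry
        /^[ \t]*paths:/ { in_paths = 1; next }
        in_paths && /^[ \t]*-[ \t]+[^ \t]/ {
            sub(/^[ \t]*-[ \t]+/, ""); sub(/[ \t]+$/, ""); print; next
        }
        /[^ \t]/        { in_paths = 0 }          # any other key ends the list
    ' "$1"
}

# group_unreadable GROUP FILE...: print files lacking both world-read and
# (owned by GROUP + group-read). Directory traversal bits are not checked.
group_unreadable() {
    grp=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        hit=$(find "$f" -maxdepth 0 \( -perm -o=r -o \( -group "$grp" -perm -g=r \) \) -print)
        [ -n "$hit" ] || printf '%s\n' "$f"
    done
}

# preflight CONFIG GROUP: report both problems; return 1 if either is found.
preflight() {
    cfg=$1; pf_grp=$2; rc=0
    tabs=$(tab_lines "$cfg")
    if [ -n "$tabs" ]; then
        echo "TAB character on line(s):" $tabs; rc=1
    fi
    # Unquoted on purpose so the shell expands the globs (no spaces in paths).
    bad=$(group_unreadable "$pf_grp" $(active_paths "$cfg"))
    if [ -n "$bad" ]; then
        echo "not readable via group $pf_grp:" $bad; rc=1
    fi
    return $rc
}
```

Source the file and call preflight with the config path and the group the shipper runs under; it complements the -configtest run mentioned above rather than replacing it.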