1
votes

I set up ELK stack and filebeat with my ELK node as a RedHat server following the DigitalOcean tutorial. Kibana is up and running, but I don't see any logstash indexes when I go to configure an index pattern as logstash-*:

Unable to fetch mapping. Do you have any indices matching the pattern? 

When I do a curl to see the indexes I have, they are only filebeat indexes. Filebeat should be pushing data to logstash, which is listening on 5044.

$ curl 'localhost:9200/_cat/indices?v'
health status index               pri rep docs.count docs.deleted store.size pri.store.size 
yellow open   filebeat-2017.01.10   5   1       3864            0      1.7mb          1.7mb 
yellow open   filebeat-2017.06.17   5   1       1848            0    740.1kb        740.1kb 
yellow open   filebeat-2017.01.18   5   1      77062            0       33mb           33mb 
yellow open   filebeat-2017.09.14   5   1       1932            0      1.1mb          1.1mb 
yellow open   filebeat-2017.01.11   5   1      19094            0      3.6mb          3.6mb 
yellow open   .kibana  

You can see I only have filebeat indexes. I checked my ports are open, and my config files are correct according to the tutorial. What could be wrong? Filebeat should be sending logs from /var/log/*.log to logstash, to elasticsearch.

When I

tail /var/log/logstash/logstash.log

there is nothing in my logstash log. I've checked and logstash, filebeat, kibana, and elasticsearch are all running. I've also done the config file test and it said it was OK:

$ sudo service logstash status
logstash is running

On my ELK node, I can clearly see the port 5044 is listening:

$ netstat -tulpn | grep -i listen | grep -v tcp6
 tcp        0      0 :::5044                     :::*                        LISTEN      -  

2 Answers

2
votes

Filebeat creates daily indices using a pattern of filebeat-YYYY.MM.dd so you should not expect to see logstash indices in Elasticsearch.

The Logstash configuration recommended in the Filebeat documentation writes the data to an index based on "%{[@metadata][beat]}-%{+YYYY.MM.dd}" where [@metadata][beat] defaults to the name of the beat (filebeat) unless output.logstash.index is configured in the Filebeat config. Here's the base configuration for Logstash.

input {
  beats {
    port => 5044
  }   
}   

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }   
}

You can inspect the data in those indices to see if it's what you are expected to get from filebeat with a command like:

curl 'http://localhost:9200/filebeat-*/_search?pretty&size=100'
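An added example, not part of the original answer or of Logstash itself: a small Python model of how the index setting above is expanded per event, and which names a Kibana wildcard pattern then matches. The sample events and helper names are constructed for illustration; it relies on two Logstash behaviours, that date references are formatted from @timestamp in UTC and that a reference to a missing field is left as literal text.

```python
import re
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Index setting from the Logstash output shown in the answer above.
INDEX_TEMPLATE = "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
# Only the Joda date tokens this template uses, mapped to strftime.
JODA_TO_STRFTIME = {"YYYY": "%Y", "MM": "%m", "dd": "%d"}


def lookup(event, ref):
    """Resolve a field reference such as [@metadata][beat] or a plain name."""
    keys = re.findall(r"\[([^\]]+)\]", ref) or [ref]
    node = event
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def render_index(template, event):
    """Expand the %{field} and %{+date} references in an index template."""
    def expand(match):
        ref = match.group(1)
        if ref.startswith("+"):
            # Date references are formatted from @timestamp in UTC.
            fmt = re.sub("YYYY|MM|dd", lambda m: JODA_TO_STRFTIME[m.group()], ref[1:])
            return event["@timestamp"].astimezone(timezone.utc).strftime(fmt)
        value = lookup(event, ref)
        # A reference to a missing field stays in the name as literal text.
        return match.group(0) if value is None else str(value)
    return re.sub(r"%\{([^}]+)\}", expand, template)


def matching_indices(pattern, indices):
    """Index names that a Kibana-style wildcard pattern would match."""
    return [name for name in indices if fnmatchcase(name, pattern)]


# Constructed sample events: 00:30 on 11 Jan at UTC+2 is 22:30 UTC on 10 Jan.
ts = datetime(2017, 1, 11, 0, 30, tzinfo=timezone(timedelta(hours=2)))
beats_event = {"@timestamp": ts, "@metadata": {"beat": "filebeat", "type": "log"}}
other_event = {"@timestamp": ts, "message": "event that did not arrive via Beats"}

if __name__ == "__main__":
    names = [render_index(INDEX_TEMPLATE, e) for e in (beats_event, other_event)]
    for pattern in ("logstash-*", "filebeat-*"):
        print(pattern, "->", matching_indices(pattern, names))
```

The event without [@metadata][beat] ends up under a name that neither pattern matches, which is worth checking for when logs you expect to monitor do not show up in Kibana.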

1
votes

Did you define your index in your Kibana, from Management > Index Patterns > Add New?

It's obvious that you won't be able to find the index which you've created using logstash in Kibana, unless you're manually creating it there within the Management section of Kibana.

Make sure that you have the same name as the index which you created using logstash. Have a look at the doc, which conveys:

When you define an index pattern, indices that match that pattern must exist in Elasticsearch. Those indices must contain data.

which pretty much says that the index should exist for you to create the index in Kibana. What logstash does is only create the indices in Elasticsearch itself, whereas you have to manually create them in Kibana in order to access and visualize the data.

Hope it helps!