molu8bits / squid-filebeat-kibana Goto Github PK

Filebeat don't want start (error). it don't want send logfiles

i saw troubeshooting but file "squid-fileds.yml" is missing

I get a "Sorry, there was an error" Saved objects file format is invalid and cannot be imported. Any suggestions?

Hello, I followed all the steps, it shows me the logs of the first day but today I generated the squid logs again and it did not show me the generated ones, it is as if they are not reloaded, any ideas?

Hi there,
Please, could you have a look on your maps dashboard? I setup a new instance but not showing any data as display bellow:

Many thanks.

I have got to the point when you import 01_visualisations_All.json and I received this error.
Import failed
Failed to import 7 of 7 objects. Import failed

Could not locate that index-pattern-field (id: squid.access.squid_request_status) Could not locate that index-pattern-field (id: squid.access.request_url) Could not locate that index-pattern-field (id: squid.access.dst_host) Could not locate that index-pattern-field (id: squid.access.src_ip) Could not locate that index-pattern-field (id: squid.access.http_status_code) Could not locate that index-pattern-field (id: squid.access.http_method) Could not locate that index-pattern-field (id: squid.access.dst_host)

Thanks for the help

I've just installed ELK 7.11 (noob with it). I have squid3 for a while.
I've installed filebeat on my squid server, using the files from this repo.

Everything seems good except geoip. What did I missed ?

Hi there,

I used the module in a test environment, and I think it is well-done. Are you planning to open a PR to elastic/beats?

Kind regards,
Mirko

No matter what I do my location values are not a geo_point

I followed the install instructions without encountering any errors yet the dashboard won't populate with data. Watching "live stream" in the logs shows that data is coming in from squid server through filebeat but we are seeing the following "squid.access.error.message" "Provided Grok expressions do not match field value:". Here is a sample message that we see that error with, but it happens for everything coming in (IP masked for security):

1561001136.756 0 172.XXX.XXX.64 TAG_NONE/400 4437 NONE error:invalid-request - HIER_NONE/- text/html

OS: Centos 7.7
ElasticSearch: 7.3.2-1
Kibana: 7.3.2-1
Filebeat: 7.3.2-1

Please let me know if I need to provide more data.
Thank you,

Should this also support the 10 native fields for the squid native access?
https://wiki.squid-cache.org/Features/LogFormat

Perhaps that would be squid.access.clf. and squid.access.native. for those instead.

being abit of a noob...the following steps are abit confusing:

in this step we configure filebit.yml.....
c.) configure /etc/filebeat/filebeat.yml - reference file placed in /etc/filebeat/filebeat.yml (change hosts ["elasticsearch.local"] in section output.elastichsearch to elastichsarch instance listening from filebeat host

in this step..it says to replace the file we configred....thinking this is a typo....
e.) Replace /etc/filebeat/filebeat.yml with filebeat/etc/fields.yml from repo. (Before run filebeat - Critical !). This file is a compiled version from 7.3 so the rest of functionality will work.