Comments (3)
Sorry, not quite sure what the exact issue is here, it really should work out-of-the-box. 😕
The output filter/routing for Logstash is in 30-output.conf, which contains a minimal configuration item:
    output {
      elasticsearch { hosts => ["localhost"] }
      stdout { codec => rubydebug }
    }
So implicitly, in the elasticsearch section, the default values are used for non-specified configuration options (as per https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html), e.g. "logstash-%{+YYYY.MM.dd}" for index.
Using the vanilla sebp/elk image on a clean VM and having Filebeat push logs from an instance of nginx to Logstash's Beat input plugin on port 5044 (see the example in the documentation of the image) produces an entry like this when browsing to a page served by nginx:
    {
      "_index": "logstash-2016.01.07",
      "_type": "nginx-access",
      "_id": "AVIdlGrkng6MqhVcdOZ3",
      "_score": null,
      "_source": {
        "message": "XX.XX.XX.XX - - [07/Jan/2016:19:33:19 +0000] \"GET / HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\" \"-\"",
        "@version": "1",
        "@timestamp": "2016-01-07T19:33:23.023Z",
        "beat": {
          "hostname": "ac29184dfcf0",
          "name": "ac29184dfcf0"
        },
        "count": 1,
        "fields": null,
        "input_type": "log",
        "offset": 0,
        "source": "/var/log/nginx/access.log",
        "type": "nginx-access",
        "host": "ac29184dfcf0",
        "clientip": "XX.XX.XX.XX",
        "ident": "-",
        "auth": "-",
        "timestamp": "07/Jan/2016:19:33:19 +0000",
        "verb": "GET",
        "request": "/",
        "httpversion": "1.1",
        "response": "304",
        "bytes": "0",
        "agent": "\"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\""
      },
      "fields": {
        "@timestamp": [
          1452195203023
        ]
      },
      "sort": [
        1452195203023
      ]
    }
… which looks fine to me.
Using the piece of configuration you suggested (which I added to 30-output.conf where it would belong), the same operation creates entries such as this:
    {
      "_index": "filebeat-2016.01.07",
      "_type": "nginx-access",
      "_id": "AVIdkPy-3efy8HwjSlbN",
      "_score": null,
      "_source": {
        "message": "XX.XX.XX.XX - - [07/Jan/2016:19:29:31 +0000] \"GET / HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\" \"-\"",
        "@version": "1",
        "@timestamp": "2016-01-07T19:29:40.787Z",
        "beat": {
          "hostname": "86fe311709cb",
          "name": "86fe311709cb"
        },
        "count": 1,
        "fields": null,
        "input_type": "log",
        "offset": 0,
        "source": "/var/log/nginx/access.log",
        "type": "nginx-access",
        "host": "86fe311709cb",
        "clientip": "XX.XX.XX.XX",
        "ident": "-",
        "auth": "-",
        "timestamp": "07/Jan/2016:19:29:31 +0000",
        "verb": "GET",
        "request": "/",
        "httpversion": "1.1",
        "response": "304",
        "bytes": "0",
        "agent": "\"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\""
      },
      "fields": {
        "@timestamp": [
          1452194980787
        ]
      },
      "sort": [
        1452194980787
      ]
    }
… so essentially the same thing, except for the _index field which has a different prefix (default logstash vs explicitly set filebeat).
Having said that, there may be something wrong that I'm not seeing or I may be misunderstanding the issue: if so could you please provide steps to reproduce the issue you're having? Cheers.
from elk-docker.
The issue is that if you configure the beat to send directly to Elasticsearch, the information ends up in filebeat-XXXX.XX.XX or topbeat-XXXX.XX.XX indexes. If you send through the Logstash beat plugin as configured, the information ends up in the logstash-* index. It seems like it should be the same in either case.
Additionally, the Beats project provides a bunch of pre-made dashboards which only work with the information in the XXXbeat-XXXX.XX.XX format.
https://www.elastic.co/guide/en/beats/libbeat/current/getting-started.html#load-kibana-dashboards
from elk-docker.
Right, got it this time. I thought the issue was about the plugin not working rather than about inconsistent behaviours and predefined dashboards not playing properly.
Will update in a sec.
from elk-docker.
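One way to get the index naming discussed in this thread, added here as an example; it is neither the configuration proposed in the issue (which the page does not show) nor the file shipped in the image. It assumes the Beats shipper sets `[@metadata][beat]` to its own name (filebeat, topbeat) and that the Beats index template is loaded separately.

```conf
# 30-output.conf (added example, not the image's shipped file)
output {
  if [@metadata][beat] {
    # Event came from a Beats shipper: use the shipper's name as the index
    # prefix, so it lands in filebeat-YYYY.MM.dd / topbeat-YYYY.MM.dd just as
    # it would when the beat writes directly to Elasticsearch, and the
    # pre-made Beats dashboards can find it.
    elasticsearch {
      hosts => ["localhost"]
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      # Stop Logstash from installing its own index template
      # (assumption: the Beats template is loaded separately).
      manage_template => false
    }
  } else {
    # Everything else keeps the plugin default, logstash-%{+YYYY.MM.dd}.
    elasticsearch { hosts => ["localhost"] }
  }
  stdout { codec => rubydebug }
}
```

Detection content and saved searches written against logstash-* will no longer match Beats events after this change, so index patterns need to be updated alongside it.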