Nothing appearing in kibana dashboard

Question

I have installed

Logstash ElasticSearch Kibana

on an EC2 instance.

I can visit http://example.com:9200 Here I get

{
  "status" : 200,
  "name" : "Aleta Ogord",
  "version" : {
  "number" : "1.1.0",
  "build_hash" : "2181e113dea80b4a9e31e58e9686658a2d46e363",
  "build_timestamp" : "2014-03-25T15:59:51Z",
  "build_snapshot" : false,
  "lucene_version" : "4.7"
},
  "tagline" : "You Know, for Search"
}

So elastic search is working, but when I go to

http://example.com/kibana

I get "No results There were no results because no indices were found that match your selected time span"

I have a config file in

/etc/logstash/conf.d/ that contains the following:-

input {
  file {
  path => "/var/log/apache/access.log"
  type => "apache-access"
 }
}

filter {
  grok {
  type => "apache-access"
  pattern => "%{COMBINEDAPACHELOG}"
 }
}

 output {
 stdout { }

 elasticsearch {
 host => "127.0.0.1"
  }
}

I have checked the logstash log file, and there are no relevent error messages

Please help

Answer 1

I had an issue where I deleted my index in ElasticSearch, then recreated it. After that nothing appeared in Kibana.

The solution: Simply delete the kibana index pattern on the Settings tab, then create it again. Same name same everything, but now it gave me data.

Answer 2

For others that are looking at similar problem here is my experience.

I had a really silly issue when I first got everything setup. I got my index setup and Kibana and was getting 0 hits. I confirmed data was in elasticsearch by going to the following url

http://:9200/_search?pretty=true ip for most people will be localhost I was using docker so it was my boot2docker ip. Checked that the index was set to logstash-Date

However in kibana I didn't realize the date time was set to a day in the past. Increasing the range showed my logs. If your new to ELK like me the date time is in the upper right hand corner in Kibana 4.

Answer 3

What do you see if you go to http://example.com:9200/_aliases?pretty That should show you a list of the indices on the server. This is what the first bit of ours looks like (we have indices split by hour rather than day) ...

{
      "logstash-2014.04.01.18" : {
        "aliases" : { }
      },
      "logstash-2014.04.01.17" : {
        "aliases" : { }
      },
      "logstash-2014.04.01.16" : {
        "aliases" : { }
      },
      "logstash-2014.04.01.15" : {
        "aliases" : { }
      },

Assuming that looks sensible check what you've got configured in Kibana as a index template - default is [logstash-]YYYY.MM.DD. Make sure the one you're using matches what you get back from _aliases.

Given there's nothing shown in the response to _aliases there's a strong implication that Logstash isn't reading the input. When I was first experimenting with Logstash I had

                start_position => "beginning"

in my file stanza. For example ...

    file {
            path => "/var/Log/maillog*"
            type => "mailf"
            charset => "locale"
            start_position => "beginning"
    }

That might help - gets round the problem of Logstash thinking that it's already dealt with the contents of the file. You might also want to enable debug output as suggested at https://stackoverflow.com/questions/19086404/how-to-debug-the-logstash-file-plugin

Answer 4

I had something similar, it sounds like you havent setup ACL's to allow the logstash user to view that log file.

Use setfacl -m u:logstash:r-x /var/log for example, and then test by editing /etc/passwd and giving the logstash user a shell temporarily. Then, su - logstash, and try and cd or cat that file. If it works, then the data should appear in your Kibana setup.