How to see if filebeat data is being sent to logstash

Question

When I open up Kibana interface, I get an error to configure index when logstash-* is entered as a query:

kibana error: please specify a default index pattern

How can I see if filebeat is sending logs to logstash? I followed the filebeat and ELK stack tutorials exactly. I can see data when I enter in filebeat-* into Kibana, but nothing when I enter in logstash-* into Kibana.

If you post the actual error message, someone might be able to help you with that. — Alain Collins, Jan 18 '17 at 02:06

score 1 · Answer 1 · answered Jan 18 '17 at 19:08

If you followed the official Filebeat getting started guide and are routing data from Filebeat -> Logstash -> Elasticearch, then the data produced by Filebeat is supposed to be contained in a filebeat-YYYY.MM.dd index. It uses the filebeat-* index instead of the logstash-* index so that it can use its own index template and have exclusive control over the data in that index.

So in Kibana you should configure a time based index pattern based on the filebeat-* index pattern instead of logstash-*. Alternatively you could run the import_dashboards script provided with Filebeat and it will install an index pattern into Kibana for you. The path to the import_dashboards script may vary based on how you installed Filebeat. This is for Linux when installed via RPM or deb.

/usr/share/filebeat/scripts/import_dashboards -es http://localhost:9200

You can check if data is contained in a filebeat-YYYY.MM.dd index in Elasticsearch using a curl command that will print the event count.

curl http://localhost:9200/filebeat-*/_count?pretty

And you can check the Filebeat logs for errors if you have no events in Elasticsearch. The logs are located at /var/log/filebeat/filebeat by default on Linux. You can increase verbosity by setting logging.level: debug in your config file.

score 0 · Answer 2 · answered Apr 21 '20 at 06:50

0

If Filebeat is installed using RPM or DEB packages:

Logs are stored by default in journald. To view the Logs, use journalctl:

journalctl -u filebeat.service

More information is available at Filebeat Logs

answered Apr 21 '20 at 06:50

Divyarajsinh Jadeja

1
1

score 0 · Answer 3 · answered May 28 '21 at 14:13

0

You can also check file inside folder

/etc/log/filebeat/

maybe with

tail -f filebeat

answered May 28 '21 at 14:13

Xfox

1
1

score 0 · Answer 4 · answered Jan 18 '17 at 02:06

0

Filebeat keeps information on what it has sent to logstash. Check ~/.filebeat (for the user who runs filebeat).

You can also crank up debugging in filebeat, which will show you when information is being sent to logstash.

EDIT: based on the new information, note that you need to tell filebeat what indexes it should use. Go to the Settings tab and configure an Index Pattern there. Here's the doc.

answered Jan 18 '17 at 02:06

Alain Collins

101
1

Thanks Alain. How do I "crank up debugging" in filebeat? – Celi Manu Jan 18 '17 at 02:14
Looks like '-v'. https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-command-line.html – Alain Collins Jan 18 '17 at 02:42

How to see if filebeat data is being sent to logstash

4 Answers4