Articles in this section

See more

Troubleshooting Filebeat

Avatar
Joshua Schnitzer
  • Updated
Follow

Filebeat can be installed on various operating systems. This troubleshooting guide is designed for Linux installations of Filebeat but can be adapted to other operating systems. We assume that you have already followed the instructions to configure Filebeat found here

First... wait a few minutes

Wait a few minutes after sending your logs to give us time to index and make them available for search. It normally happens from within seconds to one minute, but sometimes it can take longer.

Check out our status page

If Logz.io isn’t seeing data, check our status page to make sure that we are indexing your data and that all systems are operational. You should see a green, horizontal bar with "All Systems Operational" inside.

Check your Filebeat configuration

Restart Filebeat again to make sure that your recent changes will take effect:  

$ sudo service filebeat restart

If you get an error with your Filebeat.yml file, it could be caused by one of many potential issues. One of the most common issues is indenting with tabs instead of spaces. You can use yamllint to check if your yml file is valid and to clean up extra characters. 

NOTE:  Even if your YML file is valid, this does not necessarily mean that the configuration is correct.

Check the registry file

Filebeat uses a registry file to keep track of the locations of the logs in the files that have already been sent between restarts of filebeat. Make sure that the path to the registry file exists, and check if there are any values within the registry file. You can find the path of your registry file by looking at the filebeat.yml file and searching for the field "registry_file". In our example configuration, it is in the following location:

  registry_file: /var/lib/filebeat/registry

If the registry file does not exist or it only contains empty curly braces "{}", then either Filebeat is not running or it cannot find any logs to process. 

Verify that the path to your logs is correct

Make sure that the path to the logs is correct. Make sure that the log file contains new log lines. If there are no new log lines, either force the system to generate new logs or add manually add some log lines to the log file.

Check that the TLS certificate is in the correct location

Our filebeat endpoint requires TLS encryption, so make sure that you have downloaded the certificate that was mentioned in the Filebeat instructions and that you have placed it in the correct location. To find the location of the certificate, open the filebeat.yml file and search for the field "certificate_authorities". In our example configuration, we recommend the following location:
certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

Check if your server has access to the Logz.io listener

From the actual server on which you are running Filebeat, run the following command to verify that you have proper connectivity:
telnet listener.logz.io 5015

The good outcome: 

Connected to listener-group.logz.io
Escape character is '^]'.

(to get out of that, type Ctrl+] and type "quit")

The bad outcome:

trying xxx.xxx.xxx.xxx....

If you are unable to telnet to liestener.logz.io on port 5015, please adjust your network settings to allow this communication. For a list of all the IP's that are used for listener.logz.io, click here. 

Validate connection established (example):

$ sudo netstat -taupn | grep filebeat
tcp        0      0  172.17.0.2:44912            52.21.71.179:5015            ESTABLISHED 39/filebeat 

If no output is been sent, something is wrong. Check your network connectivity again.

Manually put something in the shipped log file to see if it is sent:

echo hello >> /var/log/my_log_file.log

Enable debugging and check the logs

Follow the below link to enable debugging in Filebeat and check the logs to see if there are any errors.
 
 

Related articles

Comments

2 comments

Sort by Date Votes

Please sign in to leave a comment.