Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filebeat module won't start groking unless the default prospectors are turned off #3912

Closed
bohyun-e opened this issue Apr 5, 2017 · 4 comments
Closed

Filebeat module won't start groking unless the default prospectors are turned off #3912

bohyun-e opened this issue Apr 5, 2017 · 4 comments
Labels
bug docs Filebeat Filebeat

Comments

@bohyun-e
Copy link

bohyun-e commented Apr 5, 2017

Using 5.3 on Mac OS X

I did not change any of the contents in filebeat.yml and ran the following command
./filebeat -e modules=system -setup
Even though I was able to see the documents come in from Kibana discover tab, the Grok processes did not kick in because the default prospectors need to be turned off by commenting them out as below.

#- input_type: log
# Paths that should be crawled and fetched. Glob based paths.
#paths:
#- /var/log/*.log

@andrewkroh suspects that this is due to the prospector that is in the default config file monitors /var/log/*.log which probably competes with the system module's prospector.

If the users are running the filebeat module setup command, then we should make sure to disable the default filebeat prospector setting.

cc: @tsg - this was one of the reasons why I did not see the built-in syslog dashboard working.
@bohyun-e bohyun-e added bug Filebeat Filebeat labels Apr 5, 2017
@bohyun-e bohyun-e mentioned this issue Apr 5, 2017
Closed
@tsg tsg added the docs label Apr 5, 2017
@tsg
Copy link
Contributor

tsg commented Apr 5, 2017
edited
Loading

What happens here is that two prospectors are created for the same file. This is not supported by Filebeat, but actually seems to work in my case. Perhaps it didn't work for you or something else was wrong, in any case this is an unsupported situation that's easy to stumble upon.

In 6.0 this will not be an issue, as we plan to change the default configuration to have no prospectors enabled by default.

I think for 5.x we should add a note to the FBM tutorial to disable the default prospector before enabling any modules. @dedemorton What do you think?

tsg pushed a commit to tsg/beats that referenced this issue Apr 5, 2017
Fix the Syslog search in the Dashboards
7502a22 
It used to query `*` and I changed it to query `_exists_:system.syslog`, which
will cause less confusion on the Syslog module dashboard.

Probably it added to the confusion in elastic#3912.
@tsg tsg mentioned this issue Apr 5, 2017
Merged
ruflin pushed a commit that referenced this issue Apr 5, 2017
@tsg @ruflin
Fix the Syslog search in the Dashboards (#3920)
6b8cab6 
It used to query `*` and I changed it to query `_exists_:system.syslog`, which
will cause less confusion on the Syslog module dashboard.

Probably it added to the confusion in #3912.
@dedemorton
Copy link
Contributor

@tsg I can add a note when I make the other changes that Bohyun suggested.

@dedemorton dedemorton mentioned this issue Apr 5, 2017
Merged
@bohyun-e
Copy link
Author

bohyun-e commented Apr 6, 2017

@tsg

I think for 5.x we should add a note to the FBM tutorial to disable the default prospector before enabling any modules

If this does not and will not work for 5.x, then why do we ship with two prospectors enabled in 5.x? Isn't it a better experience (esp. for Filebeat modules) if we comment them out by default so the users don't have to manually edit the file? As you said, once we change this behavior in 6.x, I would imagine it makes sense to enable for both prospectors. Thoughts?

monicasarbu pushed a commit to monicasarbu/beats that referenced this issue Apr 10, 2017
@tsg @monicasarbu
Fix the Syslog search in the Dashboards (elastic#3920)
9b5e91f 
It used to query `*` and I changed it to query `_exists_:system.syslog`, which
will cause less confusion on the Syslog module dashboard.

Probably it added to the confusion in elastic#3912.
(cherry picked from commit 6b8cab6)
@monicasarbu monicasarbu mentioned this issue Apr 10, 2017
Merged
tsg pushed a commit that referenced this issue Apr 11, 2017
@monicasarbu @tsg
Fix the Syslog search in the Dashboards (#3920) (#3966)
9dff0ee 
It used to query `*` and I changed it to query `_exists_:system.syslog`, which
will cause less confusion on the Syslog module dashboard.

Probably it added to the confusion in #3912.
(cherry picked from commit 6b8cab6)
@tsg
Copy link
Contributor

tsg commented May 24, 2017

This is solved in 6.0. For 5.x, we think it's too big of a change to make now, considering that the modules are still in beta, so not really an alternative yet.

@tsg tsg closed this as completed May 24, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug docs Filebeat Filebeat
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tsg @dedemorton @bohyun-e