WARNING: Version 6.0 of Filebeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Frequently asked questions
editFrequently asked questions
editThis section contains frequently asked questions about Filebeat. Also check out the Filebeat discussion forum.
Can’t read log files from network volumes?
editWe do not recommend reading log files from network volumes. Whenever possible, install Filebeat on the host machine and send the log files directly from there. Reading files from network volumes (especially on Windows) can have unexpected side effects. For example, changed file identifiers may result in Filebeat reading a log file from scratch again.
Filebeat isn’t collecting lines from a file?
editFilebeat might be incorrectly configured or unable to send events to the output. To resolve the issue:
- Make sure the config file specifies the correct path to the file that you are collecting. See Step 2: Configure Filebeat for more information.
-
Verify that the file is not older than the value specified by
ignore_older
. ignore_older is disable by default so this depends on the value you have set. You can change this behavior by specifying a different value forignore_older
. -
Make sure that Filebeat is able to send events to the configured output. Run Filebeat in debug mode to determine whether it’s publishing events successfully:
./filebeat -c config.yml -e -d "*"
Too many open file handlers?
editFilebeat keeps the file handler open in case it reaches the end of a file so that it can read new log lines in near real time. If Filebeat is harvesting a large number of files, the number of open files can become an issue. In most environments, the number of files that are actively updated is low. The close_inactive
configuration option should be set accordingly to close files that are no longer active.
There are additional configuration options that you can use to close file handlers, but all of them should be used carefully because they can have side effects. The options are:
The close_renamed
and close_removed
options can be useful on Windows to resolve issues related to file rotation. See Open file handlers cause issues with Windows file rotation?. The close_eof
option can be useful in environments with a large number of files that have only very few entries. The close_timeout
option is useful in environments where closing file handlers is more important than sending all log lines. For more details, see Set up prospectors.
Make sure that you read the documentation for these configuration options before using any of them.
Registry file is too large?
editFilebeat keeps the state of each file and persists the state to disk in the registry_file
. The file state is used to continue file reading at a previous position when Filebeat is restarted. If a large number of new files are produced every day, the registry file might grow to be too large. To reduce the size of the registry file, there are two configuration options available: clean_removed
and clean_inactive
.
For old files that you no longer touch and are ignored (see ignore_older
), we recommended that you use clean_inactive
. If old files get removed from disk, then use the clean_removed
option.
Inode reuse causes Filebeat to skip lines?
editOn Linux file systems, Filebeat uses the inode and device to identify files. When a file is removed from disk, the inode may be assigned to a new file. In use cases involving file rotation, if an old file is removed and a new one is created immediately afterwards, the new file may have the exact same inode as the file that was removed. In this case, Filebeat assumes that the new file is the same as the old and tries to continue reading at the old position, which is not correct.
By default states are never removed from the registry file. To resolve the inode reuse issue, we recommend that you use the clean_*
options, especially clean_inactive
, to remove the state of inactive files. For example, if your files get rotated every 24 hours, and the rotated files are not updated anymore, you can set ignore_older
to 48 hours and clean_inactive
to 72 hours.
You can use clean_removed
for files that are removed from disk. Be aware that clean_removed
cleans the file state from the registry whenever a file cannot be found during a scan. If the file shows up again later, it will be sent again from scratch.
Open file handlers cause issues with Windows file rotation?
editOn Windows, you might have problems renaming or removing files because Filebeat keeps the file handlers open. This can lead to issues with the file rotating system. To avoid this issue, you can use the close_removed
and close_renamed
options together.
When you configure these options, files may be closed before the harvester has finished reading the files. If the file cannot be picked up again by the prospector and the harvester hasn’t finish reading the file, the missing lines will never be sent to the output.
Filebeat is using too much CPU?
editFilebeat might be configured to scan for files too frequently. Check the setting for scan_frequency
in the filebeat.yml
config file. Setting scan_frequency
to less than 1s may cause Filebeat to scan the disk in a tight loop.
Dashboard in Kibana is breaking up data fields incorrectly?
editThe index template might not be loaded correctly. See Step 4: Load the index template in Elasticsearch.
Fields are not indexed or usable in Kibana visualizations?
editIf you have recently performed an operation that loads or parses custom, structured logs, you might need to refresh the index to make the fields available in Kibana. To refresh the index, use the refresh API. For example:
curl -XPOST 'http://localhost:9200/filebeat-2016.08.09/_refresh'
Filebeat isn’t shipping the last line of a file?
editFilebeat uses a newline character to detect the end of an event. If lines are added incrementally to a file that’s being harvested, a newline character is required after the last line, or Filebeat will not read the last line of the file.
Filebeat keeps open file handlers of deleted files for a long time?
editIn the default behaviour, Filebeat opens the files and keeps them open until it reaches the end of them. In situations when the configured output is blocked (e.g. Elasticsearch or Logstash is unavailable) for a long time, this can cause Filebeat to keep file handlers to files that were deleted from the file system in the mean time. As long as Filebeat keeps the deleted files open, the operating system doesn’t free up the space on disk, which can lead to increase disk utilisation or even out of disk situations.
To mitigate this issue, you can set the close_timeout
setting to 5m
. This
will ensure every file handler is closed once every 5 minutes, regardless of
whether it reached EOF or not. Note that this option can lead to data loss if the
file is deleted before Filebeat reaches the end of the file.
Need to limit bandwidth used by Filebeat?
editIf you need to limit bandwidth usage, we recommend that you configure the network stack on your OS to perform bandwidth throttling.
For example, the following Linux commands cap the connection between Filebeat and Logstash by setting a limit of 50 kbps on TCP connections over port 5044:
tc qdisc add dev $DEV root handle 1: htb tc class add dev $DEV parent 1:1 classid 1:10 htb rate 50kbps ceil 50kbps tc filter add dev $DEV parent 1:0 prio 1 protocol ip handle 10 fw flowid 1:10 iptables -A OUTPUT -t mangle -p tcp --dport 5044 -j MARK --set-mark 10
Using OS tools to perform bandwidth throttling gives you better control over policies. For example, you can use OS tools to cap bandwidth during the day, but not at night. Or you can leave the bandwidth uncapped, but assign a low priority to the traffic.
Error loading config file?
editYou may encounter errors loading the config file on POSIX operating systems if:
- an unauthorized user tries to load the config file, or
- the config file has the wrong permissions.
See Config File Ownership and Permissions for more about resolving these errors.
Found Unexpected or Unknown Characters?
editEither there is a problem with the structure of your config file, or you have used a path or expression that the YAML parser cannot resolve because the config file contains characters that aren’t properly escaped.
If the YAML file contains paths with spaces or unusual characters, wrap the paths in single quotation marks (see Wrap paths in single quotation marks).
Also see the general advice under YAML tips and gotchas.
Logstash connection doesn’t work?
editYou may have configured Logstash or Filebeat incorrectly. To resolve the issue:
-
Make sure that Logstash is running and you can connect to it. First, try to ping the Logstash host to verify that you can reach it from the host running Filebeat. Then use either
nc
ortelnet
to make sure that the port is available. For example:ping <hostname or IP> telnet <hostname or IP> 5044
- Verify that the config file for Filebeat specifies the correct port where Logstash is running.
- Make sure that the Elasticsearch output is commented out in the config file and the Logstash output is uncommented.
- Confirm that the most recent Beats input plugin for Logstash is installed and configured. Note that Beats will not connect to the Lumberjack input plugin. See Updating the Beats Input Plugin for Logstash.
@metadata is missing in Logstash?
editLogstash outputs remove @metadata
fields automatically. Therefore, if Logstash instances are chained directly or via some message
queue (for example, Redis or Kafka), the @metadata
field will not be available in the final Logstash instance.
To preserve @metadata
fields, use the Logstash mutate filter with the rename setting to rename the fields to
non-internal fields.
Difference between Logstash and Beats?
editBeats are lightweight data shippers that you install as agents on your servers to send specific types of operational data to Elasticsearch. Beats have a small footprint and use fewer system resources than Logstash.
Logstash has a larger footprint, but provides a broad array of input, filter, and output plugins for collecting, enriching, and transforming data from a variety of sources.
For more information, see the Logstash Introduction and the Beats Overview.
SSL client fails to connect to Logstash?
editThe host running Logstash might be unreachable or the certificate may not be valid. To resolve your issue:
-
Make sure that Logstash is running and you can connect to it. First, try to ping the Logstash host to verify that you can reach it from the host running Filebeat. Then use either
nc
ortelnet
to make sure that the port is available. For example:ping <hostname or IP> telnet <hostname or IP> 5044
-
Verify that the certificate is valid and that the hostname and IP match.
For testing purposes only, you can set
verification_mode: none
to disable hostname checking. - Use OpenSSL to test connectivity to the Logstash server and diagnose problems. See the OpenSSL documentation for more info.
-
Make sure that you have enabled SSL (set
ssl => true
) when configuring the Beats input plugin for Logstash.
Common SSL-Related Errors and Resolutions
editHere are some common errors and ways to fix them:
x509: cannot validate certificate for <IP address> because it doesn’t contain any IP SANs
editThis happens because your certificate is only valid for the hostname present in the Subject field.
To resolve this problem, try one of these solutions:
- Create a DNS entry for the hostname mapping it to the server’s IP.
-
Create an entry in
/etc/hosts
for the hostname. Or on Windows add an entry toC:\Windows\System32\drivers\etc\hosts
. - Re-create the server certificate and add a SubjectAltName (SAN) for the IP address of the server. This make the server’s certificate valid for both the hostname and the IP address.
getsockopt: no route to host
editThis is not a SSL problem. It’s a networking problem. Make sure the two hosts can communicate.
getsockopt: connection refused
editThis is not a SSL problem. Make sure that Logstash is running and that there is no firewall blocking the traffic.
No connection could be made because the target machine actively refused it
editA firewall is refusing the connection. Check if a firewall is blocking the traffic on the client, the network, or the destination host.