Index exists in ES, Graylog is empty

Goram · December 2, 2019, 2:14pm

Hi,

I docker-compse ES, Graylog and MongoDB via this docu:
https://docs.graylog.org/en/3.1/pages/installation/docker.html (Example Version 3)

I opened Port 9200 on ES to connect with a filebeat, this is the normal OSS download exe for windows. I configured it to watch a test log file and output.elasticsearch to my ES. The index is being build and grows when I watch ES via Postman and add to my test log file.

I configured 2 beat inputs to listen on 1514 and the default 5042, but Graylog stays empty. I changed the search to all messages, but still empty and no received messages through the inputs.

Another question: Why do I need the Beats input, when filebeat pushed to ES and Graylog connects to ES?

I have the feeling I missed something big :o

Goram · December 2, 2019, 2:33pm

Ok, when I call ES with Postman with the query I find under “Search”, I´ll get:

"failures": [
  {
    "shard": 0,
    "index": "filebeat-7.4.2-2019.12.02",
    "node": "RukEOxjbT2OWFmpJuNnWdw",
    "reason": {
      "type": "query_shard_exception",
      "reason": "No mapping found for [timestamp] in order to sort on",
      "index_uuid": "3kH1rykhRfyZgVfDQmvZqg",
      "index": "filebeat-7.4.2-2019.12.02"
    }
  }

How can I fix that?

jan · December 2, 2019, 7:07pm

Graylog is not a drop-in-replacement for Kibana.

If you want to work with Graylog, the messages need to be ingested to Graylog and Graylog will store them in Elasticsearch.

You might want to read some of the docs about architecture and ingest of messages again.

Goram · December 4, 2019, 7:09am

Ah I see, are sidercars mandatory or optional?

Goram · December 4, 2019, 8:57am

Works now, thanks a lot!

macko003 · December 4, 2019, 11:17am

optional.
But you need to send logs to GL, not directly ES.
You can use nxlog, beats, etc without sidecar, it’s just a plus for the center management.

Goram · December 4, 2019, 11:29am

Thanks! Got it now and I´m diving into multiline logs at the moment.

macko003 · December 4, 2019, 11:46am

You have to handle it at the client side, collect it to one line
//GL can’t make connection between multiple messages (ok, alert function can…)

Goram · December 4, 2019, 12:00pm

Ok, good, can you toss me in the right direction to split the message? I guess I should do that with pipelines?

macko003 · December 4, 2019, 12:39pm

extractor or pipelines can help.

system · December 18, 2019, 12:39pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog 3.1.4 - Containerized \| Elasticsearch-oss 6.8.6 - on host \| Filebeat 6.8.5 - on host Graylog Central (peer support) sidecar , nxlog , filebeat-linux , filebeat-windows , winlogbeat , nodatanx , nosendlogfblx , clfblx	8	2575	March 13, 2020
Inputs are booming, no indexed messages Graylog Central (peer support) sidecar , winlogbeat	17	2035	November 4, 2020
Can someone tell me if I got this right? Graylog Central (peer support) sidecar , filebeat-linux , filebeat-windows , winlogbeat , nosendlogfblx	7	2427	April 21, 2020
Graylog setup not showing logs Graylog Central (peer support) sidecar , filebeat-linux , elastic	23	2149	December 21, 2022
Elasticsearch indexing not done properly through graylog using csv output plugin Graylog Add-ons pipeline-rules , sidecar , filebeat-linux , filebeat-windows	5	1193	January 29, 2018

Index exists in ES, Graylog is empty

Related topics