I enabled the Beats input in Graylog and installed Packetbeat 6.6.2 (64-bit) on a Windows server.
Packetbeat can connect to Graylog's Beats input (verified by the Packetbeat log on the Windows server).
I can receive Packetbeat packets (verified by tcpdump on the Graylog server),
but I cannot see any Packetbeat logs in Graylog.
I also have another ELK server,
where I can see Packetbeat logs after adding the setting below to the Logstash config:
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
How do I do it in Graylog, or how do I debug it?
By the way, I am facing an error: "Limit of total fields [1000] in index [graylog_0] has been exceeded".
Is that the reason?
You found the root of your problem … basically Graylog is not able to add new fields to Elasticsearch because you already have more than 1000 fields in your index.
You can rotate the index manually (System > Indices > ${INDEXNAME} > Maintenance > Rotate) to get a new index into which you can ingest the messages.
The other option would be to route the Packetbeat messages into a new index so you do not run into the limitation caused by ingesting multiple sources into one index.
The third option would be to normalize all your ingested messages to reduce the number of fields you have. But the last one is more of a future task you can start once you have a deeper understanding of the system.
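To see how close an index actually is to the limit the answer describes, and to confirm that the Elasticsearch error is what is dropping the Packetbeat messages, here is an added example (my own script, not code from the thread or from the Graylog project). It counts the fields in a `GET /<index>/_mapping` response the way the `index.mapping.total_fields.limit` check does (every leaf field, every object field and every multi-field under `fields` counts as one), and it parses the error line quoted in the question. The sample mapping is constructed for the example; `fetch_mapping` and the `http://localhost:9200` base URL are assumptions about where Elasticsearch is reachable.

```python
"""Count mapped fields per Elasticsearch index and spot the total-fields error."""

import json
import re
from urllib.request import urlopen  # only used by fetch_mapping()

# Elasticsearch default for index.mapping.total_fields.limit
DEFAULT_TOTAL_FIELDS_LIMIT = 1000

# Matches the message from the question, e.g.
# "Limit of total fields [1000] in index [graylog_0] has been exceeded"
LIMIT_ERROR_RE = re.compile(
    r"Limit of total fields \[(\d+)\] in index \[([^\]]+)\] has been exceeded"
)


def parse_limit_error(log_line):
    """Return (limit, index_name) if the line is a total-fields error, else None."""
    m = LIMIT_ERROR_RE.search(log_line)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def count_fields(properties):
    """Recursively count fields under a `properties` (or `fields`) dict.

    Elasticsearch counts every mapped field towards the limit: leaf fields,
    object fields that hold sub-properties, and multi-fields declared under
    `fields` (e.g. a keyword sub-field of a text field).
    """
    total = 0
    for _name, spec in properties.items():
        total += 1
        total += count_fields(spec.get("properties", {}))
        total += count_fields(spec.get("fields", {}))
    return total


def fields_per_index(mapping_response):
    """Turn a GET /<index>/_mapping response into {index_name: field_count}.

    ES 6.x nests properties under a mapping type ("message" for Graylog);
    ES 7+ puts `properties` directly under `mappings`. Both are handled.
    """
    result = {}
    for index_name, body in mapping_response.items():
        mappings = body.get("mappings", {})
        if "properties" in mappings:
            result[index_name] = count_fields(mappings["properties"])
        else:
            result[index_name] = sum(
                count_fields(t.get("properties", {})) for t in mappings.values()
            )
    return result


def over_limit(counts, limit=DEFAULT_TOTAL_FIELDS_LIMIT):
    """Indices whose field count has reached the limit (new fields will be rejected)."""
    return {name: n for name, n in counts.items() if n >= limit}


def fetch_mapping(base_url, index):
    """Fetch the live mapping over HTTP (assumed URL; not used by the sample below)."""
    with urlopen(f"{base_url}/{index}/_mapping") as resp:
        return json.load(resp)


# Constructed sample: a trimmed ES 6 style mapping (type "message") and an
# ES 7 style one. Comments give the running field count.
SAMPLE_MAPPING = {
    "graylog_0": {"mappings": {"message": {"properties": {
        "message": {"type": "text"},                                   # 1
        "source": {"type": "keyword"},                                 # 2
        "timestamp": {"type": "date"},                                 # 3
        "beat": {"properties": {                                       # 4
            "hostname": {"type": "keyword"},                           # 5
            "version": {"type": "keyword"}}},                          # 6
        "http": {"properties": {                                       # 7
            "request": {"properties": {                                # 8
                "method": {"type": "keyword"},                         # 9
                "headers": {"properties": {                            # 10
                    "host": {"type": "keyword"},                       # 11
                    "user-agent": {"type": "keyword"}}}}}}},           # 12
        "full_message": {"type": "text",                               # 13
                         "fields": {"raw": {"type": "keyword"}}},      # 14
    }}}},
    "graylog_1": {"mappings": {"properties": {
        "message": {"type": "text"},                                   # 1
        "source": {"type": "keyword"},                                 # 2
    }}},
}

if __name__ == "__main__":
    # Replace SAMPLE_MAPPING with fetch_mapping("http://localhost:9200", "graylog_0")
    # to inspect a real deployment.
    counts = fields_per_index(SAMPLE_MAPPING)
    print(counts)
    print("at or over limit:", over_limit(counts, limit=10))
    print(parse_limit_error(
        "Limit of total fields [1000] in index [graylog_0] has been exceeded"))
```

Run it against the real `graylog_0` mapping (one `GET /graylog_0/_mapping` call) and the count tells you whether rotating or routing Packetbeat into its own index is needed right now. Raising `index.mapping.total_fields.limit` on the index is also possible in Elasticsearch, but it only postpones the problem the answer points at, since every new Packetbeat protocol field keeps widening a shared index.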