Filebeat not running


yari arcopinto

May 22, 2023, 3:06:58 AM5/22/23
to Wazuh mailing list
Hello to all,
I have installed Wazuh in Docker.
Right now I have 3 containers:
- Wazuh-manager
- wazuh-indexer
- wazuh-dashboard

Looking at Filebeat in the wazuh-manager container, I have seen that running the command:
- service filebeat status
the response is
- filebeat is not running

Then I have run:
- filebeat test output
elasticsearch: https://wazuh.indexer:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.20.0.3
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

less /var/log/filebeat/filebeat.log | grep -i 'WARN\|ERROR' (I have no file filebeat.log)
/var/log/filebeat# ls
filebeat  filebeat.1  filebeat.2  filebeat.3  filebeat.4  filebeat.5  filebeat.6  filebeat.7

- journalctl -u filebeat --no-pager | grep -i 'WARN|ERROR'
/var/log/filebeat# journalctl -u filebeat --no-pager | grep -i 'WARN|ERROR'
bash: journalctl: command not found

Looking at the filebeat.yml:
# Wazuh - Filebeat configuration file
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: true

setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch:
  hosts: ['https://wazuh.indexer:9200']
  username: '*****'
  password: '*****'

  ssl.verification_mode: 'full'
  ssl.certificate_authorities: ['/etc/ssl/root-ca.pem']
  ssl.certificate: '/etc/ssl/filebeat.pem'
  ssl.key: '/etc/ssl/filebeat.key'

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq

Can someone help me with filebeat?

Best regards

mayte...@wazuh.com

May 22, 2023, 4:27:25 AM5/22/23
to Wazuh mailing list
  Hello Yari Arcopinto,

  Which Wazuh version are you using?

  Could you share with us the output of these commands in order to debug the problem?
  • systemctl status filebeat
  • cat /var/log/filebeat/filebeat
  Please remember to remove any compromising information.

  Keep us updated.

  Best regards,
  Mayte Ariza

mayte...@wazuh.com

May 22, 2023, 5:00:44 AM5/22/23
to Wazuh mailing list
> Which Wazuh version are you using?
Are those all the logs that appear from filebeat? There are no logs that explain why the filebeat service is down.

Let's try the following:
  1.    Restart the filebeat service: service filebeat restart
  2.    Wait a few minutes
  3.    Check the Filebeat status: service filebeat status
  4.    If the service is not running, check again the Filebeat logs: cat /var/log/filebeat/filebeat
  Please share with us all the generated logs since the Filebeat restart so we can debug the problem (remember to remove any compromising information).

  Keep us updated.

  Best regards,
  Mayte Ariza

On Monday, May 22, 2023 at 10:40:54 AM UTC+2 yari arcopinto wrote:
Hello, 

thanks for your reply. 

Regarding the first command the result is:

# systemctl status filebeat
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down


Regarding the 2nd
2023-05-17T09:32:55.956Z        INFO    instance/beat.go:645    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2023-05-17T09:32:55.957Z        INFO    instance/beat.go:653    Beat ID: 100fedbc-051b-47c8-86ad-0bb7e4e0e3da
2023-05-17T09:32:55.957Z        INFO    [index-management]      idxmgmt/std.go:184      Set output.elasticsearch.index to 'filebeat-7.10.2' as ILM is enabled.
2023-05-17T09:32:55.958Z        INFO    eslegclient/connection.go:99    elasticsearch url: https://wazuh.indexer:9200
2023-05-17T09:32:55.978Z        INFO    [esclientleg]   eslegclient/connection.go:314   Attempting to connect to Elasticsearch version 7.10.2


Best regards,

yari arcopinto

May 22, 2023, 5:33:54 AM5/22/23
to Wazuh mailing list
  •  service filebeat restart

/# service filebeat restart
 * Restarting Filebeat sends log files to Logstash or directly to Elasticsearch. filebeat
2023-05-22T11:01:50.295+0200    INFO    instance/beat.go:645    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2023-05-22T11:01:50.303+0200    INFO    instance/beat.go:653    Beat ID: ****
2023-05-22T11:01:50.303+0200    INFO    [beat]  instance/beat.go:981    Beat info       {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "****"}}}
2023-05-22T11:01:50.303+0200    INFO    [beat]  instance/beat.go:990    Build info      {"system_info": {"build": {"commit": "****", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2023-05-22T11:01:50.304+0200    INFO    [beat]  instance/beat.go:993    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.14.12"}}}
2023-05-22T11:01:50.304+0200    INFO    [beat]  instance/beat.go:997    Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2023-05-10T13:13:30+02:00","containerized":true,"name":"wazuh.manager","ip":["****"],"kernel_version":"4.15.0-211-generic","mac":["02:42:ac:14:00:02"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"20.04.5 LTS (Focal Fossa)","major":20,"minor":4,"patch":5,"codename":"focal"},"timezone":"CEST","timezone_offset_sec":7200,"id":"****"}}}
2023-05-22T11:01:50.305+0200    INFO    [beat]  instance/beat.go:1026   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": ****, "ppid": ****, "seccomp": {"mode":"filter","no_new_privs":false}, "start_time": "2023-05-22T11:01:49.710+0200"}}}
2023-05-22T11:01:50.305+0200    INFO    instance/beat.go:299    Setup Beat: filebeat; Version: 7.10.2
2023-05-22T11:01:50.306+0200    INFO    eslegclient/connection.go:99    elasticsearch url: https://wazuh.indexer:9200
2023-05-22T11:01:50.307+0200    INFO    [publisher]     pipeline/module.go:113  Beat name: wazuh.manager
2023-05-22T11:01:50.309+0200    INFO    beater/filebeat.go:117  Enabled modules/filesets: wazuh (alerts, archives),  ()
Config OK

 

  • Got kicked out of the Docker container
  • Logged in again to the container where the Wazuh manager is installed

 

  • service filebeat status

Filebeat is not running

 

  • cat /var/log/filebeat/filebeat

# cat /var/log/filebeat/filebeat
2023-05-22T11:02:20.421+0200    INFO    instance/beat.go:645    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2023-05-22T11:02:20.421+0200    INFO    instance/beat.go:653    Beat ID: ****
2023-05-22T11:02:20.422+0200    INFO    [seccomp]       seccomp/seccomp.go:124  Syscall filter successfully installed
2023-05-22T11:02:20.422+0200    INFO    [beat]  instance/beat.go:981    Beat info       {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "100fedbc-051b-47c8-86ad-0bb7e4e0e3da"}}}
2023-05-22T11:02:20.422+0200    INFO    [beat]  instance/beat.go:990    Build info      {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2023-05-22T11:02:20.422+0200    INFO    [beat]  instance/beat.go:993    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.14.12"}}}
2023-05-22T11:02:20.422+0200    INFO    [beat]  instance/beat.go:997    Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2023-05-10T13:13:30+02:00","containerized":true,"name":"wazuh.manager","ip":["****"],"kernel_version":"4.15.0-211-generic","mac":["02:42:ac:14:00:02"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"20.04.5 LTS (Focal Fossa)","major":20,"minor":4,"patch":5,"codename":"focal"},"timezone":"CEST","timezone_offset_sec":7200,"id":"*****"}}}
2023-05-22T11:02:20.422+0200    INFO    [beat]  instance/beat.go:1026   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": ****, "ppid": ****, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2023-05-22T11:02:19.850+0200"}}}
2023-05-22T11:02:20.422+0200    INFO    instance/beat.go:299    Setup Beat: filebeat; Version: 7.10.2
2023-05-22T11:02:20.423+0200    INFO    eslegclient/connection.go:99    elasticsearch url: https://wazuh.indexer:9200
2023-05-22T11:02:20.423+0200    INFO    [publisher]     pipeline/module.go:113  Beat name: wazuh.manager
2023-05-22T11:02:20.426+0200    INFO    beater/filebeat.go:117  Enabled modules/filesets: wazuh (archives, alerts),  ()
2023-05-22T11:02:20.427+0200    INFO    instance/beat.go:455    filebeat start running.
2023-05-22T11:02:20.430+0200    INFO    memlog/store.go:119     Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=****
2023-05-22T11:02:20.634+0200    INFO    memlog/store.go:124     Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=****
2023-05-22T11:02:20.634+0200    INFO    [registrar]     registrar/registrar.go:109      States Loaded from registrar: 1
2023-05-22T11:02:20.634+0200    INFO    [crawler]       beater/crawler.go:71    Loading Inputs: 2
2023-05-22T11:02:20.635+0200    INFO    log/input.go:157        Configured paths: [/var/ossec/logs/alerts/alerts.json]
2023-05-22T11:02:20.635+0200    INFO    [crawler]       beater/crawler.go:141   Starting input (ID: ****)
2023-05-22T11:02:20.635+0200    INFO    log/input.go:157        Configured paths: [/var/ossec/logs/archives/archives.json]
2023-05-22T11:02:20.635+0200    INFO    [crawler]       beater/crawler.go:141   Starting input (ID: ***)
2023-05-22T11:02:20.635+0200    INFO    [crawler]       beater/crawler.go:108   Loading and starting Inputs completed. Enabled inputs: 2
2023-05-22T11:02:20.692+0200    INFO    beater/filebeat.go:515  Stopping filebeat
2023-05-22T11:02:20.692+0200    INFO    beater/crawler.go:148   Stopping Crawler
2023-05-22T11:02:20.692+0200    INFO    beater/crawler.go:158   Stopping 2 inputs
2023-05-22T11:02:20.698+0200    INFO    [crawler]       beater/crawler.go:163   Stopping input: ****
2023-05-22T11:02:20.702+0200    INFO    [crawler]       beater/crawler.go:163   Stopping input: ****
2023-05-22T11:02:20.702+0200    INFO    input/input.go:136      input ticker stopped
2023-05-22T11:02:20.702+0200    INFO    input/input.go:136      input ticker stopped
2023-05-22T11:02:20.708+0200    INFO    beater/crawler.go:178   Crawler stopped
2023-05-22T11:02:20.708+0200    INFO    [registrar]     registrar/registrar.go:132      Stopping Registrar
2023-05-22T11:02:20.708+0200    INFO    [registrar]     registrar/registrar.go:166      Ending Registrar
2023-05-22T11:02:20.708+0200    INFO    [registrar]     registrar/registrar.go:137      Registrar stopped
2023-05-22T11:02:20.717+0200    INFO    instance/beat.go:461    filebeat stopped.

mayte...@wazuh.com

May 22, 2023, 6:56:07 AM5/22/23
to Wazuh mailing list
Yari Arcopinto, which Wazuh version are you using? What documentation did you follow to install wazuh? Have you performed any customization?

Based on Filebeat logs, I still can't find anything to explain why the Filebeat service is not running. No error log appears.


> Got kicked out from the docker container
Did the container restart?
In order to rule out possible causes, I would try to increase the resources to the container to check if the same error still happens.

Is the Wazuh service running? Only Filebeat fails? Please check it out running the command service wazuh-manager status

Keep us updated.

Best regards,
Mayte Ariza

yari arcopinto

May 22, 2023, 7:06:51 AM5/22/23
to Wazuh mailing list
Hello:

  1. I have followed the official Wazuh documentation for installing Wazuh with Docker.
  2. Yes, when I launch the command service filebeat restart the container restarts too.
  3. I have modified the llogal and llogal.json, and the filebeat.yml setting under archives - enabled: true. But I have also restored it to false. (The .yml is below.)
/etc/filebeat# cat filebeat.yml


# Wazuh - Filebeat configuration file
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false


setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch:
  hosts: ['https://wazuh.indexer:9200']
  username: '****'
  password: '*****'
  ssl.verification_mode: 'full'
  ssl.certificate_authorities: ['/etc/ssl/root-ca.pem']
  ssl.certificate: '/etc/ssl/filebeat.pem'
  ssl.key: '/etc/ssl/filebeat.key'

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq
  • Running service wazuh-manager status
# service wazuh-manager status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

yari arcopinto

May 22, 2023, 8:37:07 AM5/22/23
to Wazuh mailing list
Hello, 

Just to let you know.

I have uninstalled everything and reinstalled it following the guide at: https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html

I haven't customized any files.

I have run the command service filebeat status and the result is filebeat is not running.

Is there any issue with the repository git clone https://github.com/wazuh/wazuh-docker.git -b v4.4.2 ?

Regards,

mayte...@wazuh.com

May 22, 2023, 9:33:21 AM5/22/23
to Wazuh mailing list
Hello Yari Arcopinto,

Thank you for the update.

We are not aware of any issues related to this problem.

I will test the deployment on docker (v4.4.2). I will get back to you as soon as possible to provide further feedback.

Best regards,
Mayte Ariza

yari arcopinto

May 22, 2023, 11:37:12 AM5/22/23
to Wazuh mailing list
Hello, 

Just another update: I have installed it in the root, without using Docker, and everything is working fine.


Regards,

mayte...@wazuh.com

May 23, 2023, 6:48:02 AM5/23/23
to Wazuh mailing list
Hello Yari Arcopinto,

I tested the deployment on Docker (v4.4.2).

As you say, when checking the Filebeat service it shows that it is not running. However, if you run the ps aux command, you can verify that the Filebeat process is running:

root@wazuh:/# service filebeat status
 * filebeat is not running
root@wazuh:/# ps aux | grep -i filebeat
root      1258  0.0  0.0    188     4 ?        S    09:46   0:00 s6-supervise filebeat
root      1260  0.0  0.7 1284060 30252 ?       Ssl  09:46   0:00 /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat


Furthermore, if you check the Wazuh dashboard or Wazuh indexer, you can notice that the alerts are being indexed correctly.

On Docker, it seems that Filebeat does not work in the same way due to constraints regarding services.

If you want to apply changes to the Filebeat configuration file, you must change the file and restart the container. The changes will be persistent since there is a volume for the /etc/filebeat path.

Best regards,
Mayte Ariza
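The point of the reply above is that the SysV init script's `service filebeat status` is not an authoritative signal inside the wazuh-manager container: Filebeat is started and kept alive by s6-supervise, so the init script finds no PID file of its own and reports "not running" while the process is up and alerts are being indexed. The script below is an added example, not code from the thread or from the Wazuh project. It decides Filebeat's state from the process table instead of the init script and then reuses the `filebeat test output` check the original poster ran. The `SAMPLE_PS` lines are constructed to mirror the `ps aux | grep -i filebeat` output shown above; the `check_filebeat` exit-code mapping is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the thread or the Wazuh project): check Filebeat inside the
# wazuh-manager container by inspecting the process table, because the SysV
# `service filebeat status` reports "not running" when Filebeat runs under s6-supervise.

# Constructed sample that mirrors the `ps aux | grep -i filebeat` output in the thread.
SAMPLE_PS='root      1258  0.0  0.0    188     4 ?        S    09:46   0:00 s6-supervise filebeat
root      1260  0.0  0.7 1284060 30252 ?       Ssl  09:46   0:00 /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml'

# filebeat_state PS_TEXT
# Prints one of:
#   supervised   - both s6-supervise and the filebeat binary are present (the Docker case)
#   unsupervised - the filebeat binary runs, but not under s6 (e.g. started by hand)
#   absent       - no filebeat process at all
# Only the binary path and the s6 service name are matched, so a `grep -i filebeat`
# process or a stray "filebeat" in another command line is not counted as running.
filebeat_state() {
    ps_text=$1
    n_bin=$(printf '%s\n' "$ps_text" | grep -c '/usr/share/filebeat/bin/filebeat' || true)
    n_s6=$(printf '%s\n' "$ps_text" | grep -c 's6-supervise filebeat' || true)
    if [ "$n_bin" -gt 0 ] && [ "$n_s6" -gt 0 ]; then
        echo supervised
    elif [ "$n_bin" -gt 0 ]; then
        echo unsupervised
    else
        echo absent
    fi
}

# Live probe for use from a shell in the container, a cron job, or a Docker HEALTHCHECK
# (this example's own convention): 0 = process up and indexer reachable,
# 1 = no filebeat process, 2 = process up but the output test against the indexer failed.
check_filebeat() {
    state=$(filebeat_state "$(ps aux)")
    echo "filebeat process: $state"
    if [ "$state" = absent ]; then
        return 1
    fi
    # Same check the poster ran: verifies DNS, TLS chain and credentials to wazuh.indexer.
    if filebeat test output >/dev/null 2>&1; then
        echo "indexer output: OK"
        return 0
    fi
    echo "indexer output: FAILED (run 'filebeat test output' for details)"
    return 2
}

# Offline demonstration on the constructed sample; no container is needed for this line.
filebeat_state "$SAMPLE_PS"
```

Copy the file into the manager container and run `check_filebeat` from a shell there after sourcing it; a return of 1 means the process really is gone and the Filebeat log is worth reading, while 2 points at certificates or credentials in `output.elasticsearch` rather than at the service itself. Since `/etc/filebeat` is a volume, edit the configuration there and restart the container rather than calling `service filebeat restart`, which, as the thread shows, restarts the whole container anyway.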