Filebeat Syslog dashboard cannot be loaded if the grok expressions cannot be matched to a pattern. #3913
Comments
bohyun-e
changed the title
|
The Grok error should be fixed by the above PR. I didn't have any other errors when running against your log file. |
tsg
pushed a commit
to tsg/beats
that referenced
this issue
Apr 10, 2017
monicasarbu
pushed a commit
that referenced
this issue
Apr 10, 2017
tsg
added a commit
to tsg/beats
that referenced
this issue
Apr 12, 2017
…stic#3944) Closes elastic#3913. (cherry picked from commit 8487497)
ruflin
pushed a commit
that referenced
this issue
Apr 12, 2017
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Using 5.3 on Mac OS X
Running the system Filebeat module, all of my syslogs fail to match the expected message pattern. The built-in syslog dashboard does not load as a result of this.
This is the expected pattern:
"patterns": [ """%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:system.syslog.hostname} %{DATA:system.syslog.program}(?:\[%{POSINT:system.syslog.pid}\])?: %{GREEDYMULTILINE:system.syslog.message}"""Per @andrewkroh, to reproduce, run the following
POSTrequest:POST _ingest/pipeline/filebeat-5.3.0-system-syslog-pipeline/_simulate { "docs": [ { "_source": { "message": "Apr 4 03:39:57 --- last message repeated 1 time ---" } } ] }From the built-in dashboard, there are absolutely no errors exposed and the user does not immediately know why the Filebeat module is not working. Just by glimpsing at Discover tab in Kibana, it seems like everything is working but combined with the issue #3912, the user does not get any warnings or error messages exposed from Kibana dashboard or from the Filebeat logs (the logs report no errors)
cc: @tsg
The text was updated successfully, but these errors were encountered: