Version: 4.5.x LTS

Filebeat Troubleshooting

Checking the Status of the Starting Service

Run the following commands to make sure that the service has started completely:

# View the current status of the service.
systemctl status filebeat
# View the service's startup log to confirm that it started without errors.
journalctl -u filebeat

Checking the Configuration of the Installed Filebeat

The configuration of Filebeat is stored in the /etc/filebeat/ directory by default.

vi /etc/filebeat/filebeat.yml

Viewing the Filebeat Logs

For the purpose of testing and debugging, you can view the logs while starting the service:

tail -f /var/log/filebeat-logs/filebeat.log

Testing the Filebeat to Logstash Connection

To test the connection between Filebeat and Logstash, perform the following steps:

  • If you have Filebeat running as a service, first stop the service.
  • Test your setup by running Filebeat in the foreground, so that you can quickly see any errors that occur:
    /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -e -v
  • Any errors will be printed to the console.

Issue: X.509 Cannot Validate Certificate <IP address> Because it Does not Contain any IP SAN

A known issue is that X.509 validation of your certificate fails for <IP address> because the certificate does not contain any IP SubjectAltName (SAN). This happens when Filebeat connects to the server by IP address but the certificate is only valid for the hostname present in the Subject field.

To solve this problem, try one of these solutions:

  • Create a DNS entry for the hostname and map it to the server’s IP.
  • Create an entry in /etc/hosts for the hostname.
  • Re-create the server certificate and add a SubjectAltName (SAN) for the IP address of the server. This makes the server certificate valid for both the hostname and the IP address.
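
The third solution, shown as an added example that is not part of the original documentation: it creates a self-signed server certificate whose SAN lists both the hostname and the IP address, then uses openssl to check that the IP is covered. The hostname logstash.example.internal, the address 192.0.2.10, and the function names are assumptions; for a CA-signed certificate, the same subjectAltName line goes into the signing configuration.

```shell
#!/bin/sh
# make_cert DIR CN SAN: write DIR/server.key and DIR/server.crt (self-signed)
# with the given subjectAltName value, e.g. "DNS:host,IP:192.0.2.10".
make_cert() {
    dir=$1; cn=$2; san=$3
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $cn
[v3]
subjectAltName = $san
EOF
    # Subshell keeps the restrictive umask local; the private key is unencrypted.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
          -config "$dir/req.cnf" \
          -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null )
}

# cert_covers_ip CERT IP: succeed only if CERT carries IP as an IP SAN.
# The text is matched because older openssl releases exit 0 either way.
cert_covers_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q "does match certificate"
}

# Demo with constructed values (placeholder hostname and documentation-range IP).
demo_dir=$(mktemp -d)
make_cert "$demo_dir" logstash.example.internal "DNS:logstash.example.internal"
cert_covers_ip "$demo_dir/server.crt" 192.0.2.10 \
    || echo "hostname-only certificate: IP is not covered"
make_cert "$demo_dir" logstash.example.internal \
    "DNS:logstash.example.internal,IP:192.0.2.10"
cert_covers_ip "$demo_dir/server.crt" 192.0.2.10 \
    && echo "certificate with IP SAN: IP is covered"
rm -rf "$demo_dir"
```

Run cert_covers_ip against the certificate Logstash currently serves to confirm the cause before re-issuing it.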

Common Errors

Here are some common errors:

  • getsockopt: No route to host.
  • getsockopt: Connection refused.
  • No connection could be made because the target machine actively refused it.

Solutions:

  1. Make sure the Logstash host is running and can be reached by the host that runs Filebeat:
     ping <hostname or IP>
  2. Make sure the Logstash listening port is available:
     telnet <hostname or IP> <listening port>
  3. Check if a firewall is blocking the traffic on the client, the network, or the destination host.
  4. Check if the Logstash service has been started.