Journalbeat Troubleshooting
Checking the Status of the Starting Service
Run the following commands to make sure that the service has started completely:
# To view the status of service starting.
systemctl status journalbeat
# To view log of service starting to ensure the service is started without issue.
journalctl -u journalbeat
Checking the Configuration of the Installed Journalbeat
The configuration of Journalbeat is stored in the /etc/journalbeat/ directory by default.
vi /etc/journalbeat/journalbeat.yml
Viewing the Journalbeat Logs
For the purpose of testing and debugging, you can view the logs while starting the service:
tail -f /var/log/journalbeat-logs/journalbeat.log
Testing the Journalbeat to Logstash Connection
If you want to test the connection between Journalbeat and Logstash, perform the next steps:
- If you have Journalbeat running as a service, first stop the service.
- Test your setup by running Journalbeat in the foreground. Thus, you can quickly see any errors that occur:
/usr/share/journalbeat/bin/journalbeat -e -v -c journalbeat.yml
- Any errors will be printed to the console.
Issue: X.509 Cannot Validate Certificate <IP address>
Because it Does not Contain any IP SAN
A known issue is that X.509 cannot validate your certificate's <IP address>
because the certificate does not contain any IP SubjectAltName (SAN). This happens because your certificate is only valid for the hostname present in the Subject field.
To solve this problem, try one of these solutions:
- Create a DNS entry for the hostname and map it to the server’s IP.
- Create an entry in /etc/hosts for the hostname.
- Re-create the server certificate and add a SubjectAltName (SAN) for the IP address of the server. This makes the server certificate valid for both the hostname and the IP address.
Common Errors
Here are some common errors:
- getsockopt: No route to host.
- getsockopt: Connection refused.
- No connection could be made because the target machine actively refused it.
Solutions:
- Make sure the Logstash host is running and can be reached by the host that runs Journalbeat:
ping <hostname or IP>
- Make sure the Logstash listening port is available:
telnet <hostname or IP> <listening port>
- Check if a firewall is blocking the traffic on the client, the network, or the destination host.
- Check if the Logstash service has been started.