
I am trying to deploy the ELK stack on the OpenShift platform (OKD - v3.11) and am using Filebeat to automatically detect the logs.

The Kibana dashboard is up and the Elastic & Logstash APIs are working fine, but Filebeat is not sending data to Logstash, since I do not see any data polling on the Logstash listener on port 5044.

I found on the Elastic forums that the following iptables command would resolve my issue, but no luck:

iptables -A OUTPUT -t mangle -p tcp --dport 5044 -j MARK --set-mark 10

Still nothing is polling on the Logstash listener. Please help me if I am missing anything, and let me know if you need any more information.

NOTE: The filebeat.yml, logstash.yml & logstash.conf files work perfectly when deployed in plain Kubernetes.

Bhavani Prasad

1 Answer

The steps I have followed to debug this issue are:

  1. Check if Kibana is coming up,
  2. Check if the Elastic APIs are working,
  3. Check if Logstash is accessible from Filebeat.

Everything is working fine in my case. I added log levels in filebeat.yml and found a "Permission Denied" error while Filebeat is accessing the Docker container logs under the "/var/lib/docker/containers//" folder.

I fixed the issue by setting SELinux to "Permissive" by running the following command:

sudo setenforce Permissive

After this, ELK started to sync the logs.

Bhavani Prasad
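
An added example, not part of the original answer: one way to confirm that a "Permission Denied" like the one above comes from SELinux rather than file mode bits is to filter the node's AVC denial records by process name. The audit lines, SELinux types, file names and function names below are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit records (not from the original post). The SELinux
# types and file names are illustrative and may differ on a real node.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1554712345.123:456): avc:  denied  { read } for  pid=4021 comm="filebeat" name="example-json.log" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1554712345.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="filebeat"
type=AVC msg=audit(1554712399.001:470): avc:  denied  { read open } for  pid=4021 comm="filebeat" name="example-json.log" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1554712400.500:471): avc:  denied  { write } for  pid=900 comm="nginx" name="cache" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
EOF
}

# avc_denials_for COMM: read audit records on stdin and print one line per AVC
# denial raised by process COMM, in the form
#   <permissions> <object class> <source type> <target type> <blocked|logged-only>
avc_denials_for() {
    awk -v want="$1" '
    $1 == "type=AVC" && /avc: +denied/ {
        comm = perm = src = tgt = cls = mode = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) { comm = $i; gsub(/^comm=|"/, "", comm) }
            else if ($i == "{") {
                # collect every permission listed between the braces
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            }
            else if ($i ~ /^scontext=/)   { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/)   { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)     { cls = substr($i, 8) }
            else if ($i ~ /^permissive=/) { mode = substr($i, 12) }
        }
        # permissive=1 means the access was allowed and only logged
        if (comm == want)
            print perm, cls, src, tgt, (mode == "1" ? "logged-only" : "blocked")
    }'
}

# Run over the constructed sample
sample_audit_log | avc_denials_for filebeat
```

On a node, feed it the real log as root with `avc_denials_for filebeat < /var/log/audit/audit.log`. Since `setenforce` switches the mode for the whole node and only until the next reboot, the source and target types printed here are what a narrower labeling or policy fix would need to cover.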