youtubebeat/vendor/github.com/elastic/beats/libbeat/docs/shared-faq.asciidoc

150 lines
6.8 KiB
Text

//////////////////////////////////////////////////////////////////////////
//// This content is shared by all Elastic Beats. Make sure you keep the
//// descriptions here generic enough to work for all Beats that include
//// this file. When using cross references, make sure that the cross
//// references resolve correctly for any files that include this one.
//// Use the appropriate variables defined in the index.asciidoc file to
//// resolve Beat names: beatname_uc and beatname_lc.
//// Use the following include to pull this content into a doc file:
//// include::../../libbeat/docs/shared-faq.asciidoc[]
//////////////////////////////////////////////////////////////////////////
[float]
[[error-loading-config]]
=== Error loading config file?
You may encounter errors loading the config file on POSIX operating systems if:
* an unauthorized user tries to load the config file, or
* the config file has the wrong permissions.
See {libbeat}/config-file-permissions.html[Config File Ownership and Permissions]
for more about resolving these errors.
[float]
[[error-found-unexpected-character]]
=== Found Unexpected or Unknown Characters?
Either there is a problem with the structure of your config file, or you have
used a path or expression that the YAML parser cannot resolve because the config
file contains characters that aren't properly escaped.
If the YAML file contains paths with spaces or unusual characters, wrap the
paths in single quotation marks (see <<wrap-paths-in-quotes>>).
Also see the general advice under <<yaml-tips>>.
[float]
[[connection-problem]]
=== Logstash connection doesn't work?
You may have configured Logstash or {beatname_uc} incorrectly. To resolve the issue:
* Make sure that Logstash is running and you can connect to it. First, try to ping the Logstash host to verify that you can reach it
from the host running {beatname_uc}. Then use either `nc` or `telnet` to make sure that the port is available. For example:
+
[source,shell]
----------------------------------------------------------------------
ping <hostname or IP>
telnet <hostname or IP> 5044
----------------------------------------------------------------------
* Verify that the config file for {beatname_uc} specifies the correct port where Logstash is running.
* Make sure that the Elasticsearch output is commented out in the config file and the Logstash output is uncommented.
* Confirm that the most recent {logstash-ref}/plugins-inputs-beats.html[Beats
input plugin for Logstash] is installed and configured. Note that Beats will not
connect to the Lumberjack input plugin. To learn how to install and update
plugins, see {logstash-ref}/working-with-plugins.html[Working with plugins].
[float]
[[metadata-missing]]
=== @metadata is missing in Logstash?
Logstash outputs remove `@metadata` fields automatically. Therefore, if Logstash instances are chained directly or via some message
queue (for example, Redis or Kafka), the `@metadata` field will not be available in the final Logstash instance.
TIP: To preserve `@metadata` fields, use the Logstash mutate filter with the rename setting to rename the fields to
non-internal fields.
[float]
[[diff-logstash-beats]]
=== Difference between Logstash and Beats?
Beats are lightweight data shippers that you install as agents on your servers to send specific types of operational
data to Elasticsearch. Beats have a small footprint and use fewer system resources than Logstash.
Logstash has a larger footprint, but provides a broad array of input, filter, and output plugins for collecting, enriching,
and transforming data from a variety of sources.
For more information, see the https://www.elastic.co/guide/en/logstash/current/introduction.html[Logstash Introduction] and
the https://www.elastic.co/guide/en/beats/libbeat/current/beats-reference.html[Beats Overview].
[float]
[[ssl-client-fails]]
=== SSL client fails to connect to Logstash?
The host running Logstash might be unreachable or the certificate may not be valid. To resolve your issue:
* Make sure that Logstash is running and you can connect to it. First, try to ping the Logstash host to verify that you can reach it
from the host running {beatname_uc}. Then use either `nc` or `telnet` to make sure that the port is available. For example:
+
[source,shell]
----------------------------------------------------------------------
ping <hostname or IP>
telnet <hostname or IP> 5044
----------------------------------------------------------------------
* Verify that the certificate is valid and that the hostname and IP match.
+
TIP: For testing purposes only, you can set `verification_mode: none` to disable hostname checking.
* Use OpenSSL to test connectivity to the Logstash server and diagnose problems. See the https://www.openssl.org/docs/manmaster/apps/s_client.html[OpenSSL documentation] for more info.
* Make sure that you have enabled SSL (set `ssl => true`) when configuring the https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html[Beats input plugin for Logstash].
[float]
==== Common SSL-Related Errors and Resolutions
Here are some common errors and ways to fix them:
* <<cannot-validate-certificate,x509: cannot validate certificate>>
* <<getsockopt-no-route-to-host,getsockopt: no route to host>>
* <<getsockopt-connection-refused,getsockopt: connection refused>>
* <<target-machine-refused-connection,No connection could be made because the target machine actively refused it>>
[float]
[[cannot-validate-certificate]]
===== x509: cannot validate certificate for <IP address> because it doesn't contain any IP SANs
This happens because your certificate is only valid for the hostname present in the Subject field.
To resolve this problem, try one of these solutions:
* Create a DNS entry for the hostname mapping it to the server's IP.
* Create an entry in `/etc/hosts` for the hostname. Or on Windows add an entry to
`C:\Windows\System32\drivers\etc\hosts`.
* Re-create the server certificate and add a SubjectAltName (SAN) for the IP address of the server. This make the
server's certificate valid for both the hostname and the IP address.
[float]
[[getsockopt-no-route-to-host]]
===== getsockopt: no route to host
This is not a SSL problem. It's a networking problem. Make sure the two hosts can communicate.
[float]
[[getsockopt-connection-refused]]
===== getsockopt: connection refused
This is not a SSL problem. Make sure that Logstash is running and that there is no firewall blocking the traffic.
[float]
[[target-machine-refused-connection]]
===== No connection could be made because the target machine actively refused it
A firewall is refusing the connection. Check if a firewall is blocking the traffic on the client, the network, or the
destination host.
[float]
[[monitoring-shows-fewer-than-expected-beats]]
=== Monitoring UI shows fewer Beats than expected
If you are running multiple Beat instances on the same host, make sure they each have a distinct `path.data` value.