-
Notifications
You must be signed in to change notification settings - Fork 335
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Not Populate Malcolm_beats_* #508
Comments
Hmmm... could we double-check some of your settings? Could you post the results from this command:
If there are any hostnames/IP addresses you want to redact, that's fine, but there won't be anything sensitive in that file. |
During the configuration phase, does not this question appear: Expose Logstash port to external hosts? (y/N): How can I get it so that the malcom beats index populates? |
You didn't answer my question. And we need to establish: what data are you expecting to be in the malcolm_beats index? The data that goes in that index includes:
What data are you expecting to see in the malcolmbeats index that you're not seeing? |
no i'm using malcolm to send data to a remote elasticsearch cluster i already have. i don't have Hedgehog Linux sensor |
That's what I'm saying, there won't be any data in the malcolm_beats index because mostly what that is used for is resource utilization for tracking the sensor. All of the network log data is in the arkime_sessions3* index, the malcolm_beats_* indexes won't have anything in them unless you enable the nginx access and error logs, which is optional only if you need/want them. |
If you would post the contents of your opensearch.env like I asked for, I can get a better idea for what your settings are. |
grep -v '^#' ./config/opensearch.env MALCOLM_NETWORK_INDEX_PATTERN=arkime_sessions3-* logger.level=WARN but not malcolm_beats_* populate |
Thanks. I think maybe without a sensor there's just nothing even enabled to be written into that index. If you want to try something, edit |
thanks for suggestion... i have the logstash conteiner unhelathy.... i see in the log the host is 0.0.0.0:5044... But shouldn't it have as its address the docker address which in my case is 172.18.0.17? in fact the conteiner tries to connect to 172.18017:5044 connection refused |
I don't think the logs internally will show the IP address of the docker network. Once you restart Malcolm, it takes a few minutes for all the pipelines to come up. After a few minutes the connection refused errors should go away. |
thank for suggestio |
I set up elasticsearch as the remote source where to send the data. i set up elasticsearch username and password. i am having problems populating the malcolm_beats_* index and in the logstash logs this message appears [WARN ][logstash.outputs.elasticsearch] Badly formatted index, after interpolation still contains placeholder: [%{[@metadata][malcolm_elasticsearch_index]}]
I cannot understand the error
The text was updated successfully, but these errors were encountered: