Filebeat system module startup instructions, dashboard name, and time range

[tbragin]

I just tried to start a Filebeat system module on the Mac the first time (5.5 BC6 build) using 5.5 docs: https://www.elastic.co/guide/en/beats/filebeat/5.5/filebeat-module-system.html

A couple of snags:

• We refer to the "syslog" module, whereas the module name is now "syslog"
• More worryingly, in the product itself the Filebeat system dashboard is still called the "syslog" dashboard (cc @monicasarbu ), which is confusing IMO
• Docs don't mention that ingest-geoip plugin in ES is required (the way they do in Apache2), but on startup I got an error when that wasn't installed
• When I tried to run sudo ./filebeat -e -modules=system -setup, I got file ownership errors around -- not sure if this was because I was using the BC or because i'm starting up the module using "sudo":

-> Run {filebeat}$ sudo chown root filebeat.yml 
-> Run {filebeat}$ sudo chown root /module/system/auth/manifest.yml 
-> Run {filebeat}$ sudo chown root /module/system/syslog/manifest.yml 
-> Run {filebeat}$ sudo ./filebeat -e -modules=system -setup

-> Run {filebeat}$ sudo chown root filebeat.yml 
-> Run {filebeat}$ sudo chown root module/apache2/access/manifest.yml 
-> Run {filebeat}$ sudo chown root module/apache2/error/manifest.yml 
-> Run {filebeat}$ sudo ./filebeat -e -modules=apache2 -setup

-> Run {filebeat}$ sudo chown root filebeat.yml 
-> Run {filebeat}$ sudo chown root module/nginx/access/manifest.yml 
-> Run {filebeat}$ sudo chown root module/nginx/error/manifest.yml 
-> Run {filebeat}$ sudo ./filebeat -e -modules=nginx -setup

-> Run {filebeat}$ sudo chown root filebeat.yml 
-> Run {filebeat}$ sudo chown root module/mysql/slowlog/manifest.yml 
-> Run {filebeat}$ sudo chown root module/mysql/error/manifest.yml 
-> Run {filebeat}$ sudo ./filebeat -e -modules=mysql -setup

• Following onto that point, it’s confusing to me why instructions for running modules don’t use “sudo” and instructions for running filebeat w.o modules do -- was that intentional?
  https://www.elastic.co/guide/en/beats/filebeat/5.5/_tutorial.html
  https://www.elastic.co/guide/en/beats/filebeat/5.5/filebeat-starting.html
• I didn't see any data in the Last 15 minutes, so I thought things were broken. Brandon informed me that I may need to change range to Last 24 Hours to see system data, and indeed I see data from now (Tue Jun 27 10:10:27 PDT 2017) recorded as 2017/06/27 17:10:26.884147. This behaviour is different from Metricbdeat, is that expected? If so, should that time range just be saved with the dashboard by default?

[tbragin]

cc @brandonmensing @dedemorton

[dedemorton]

@tbragin For the file permission issue, see this topic:

https://www.elastic.co/guide/en/beats/libbeat/5.5/config-file-permissions.html

I'll need to add a link to that topic from the modules documentation.

[tbragin]

@dedemorton i don't see anything in that page regarding permissions for manifest.yml files. I see the same problem with other modules, e.g. when running sudo ./filebeat -e -modules=mysql I got permission errors around:
module/mysql/slowlog/manifest.yml
module/mysql/error/manifest.yml

[dedemorton]

@tbragin The same issue applies to permissions on the manifest.yml. We just need to update the docs to reflect that.

[tbragin]

@dedemorton Yes, agreed

[tsg]

When I tried to run sudo ./filebeat -e -modules=system -setup, I got file ownership errors around -- not sure if this was because I was using the BC or because i'm starting up the module using "sudo":

This worries me, we keep getting into issues with this. I'm thinking to opt out of the permissions check for the modules manifest.yml file, since they don't contain credentials and we don't reload them on changes. @andrewkroh, WDYT, any risk in that?

I didn't see any data in the Last 15 minutes, so I thought things were broken. Brandon informed me that I may need to change range to Last 24 Hours to see system data, and indeed I see data from now (Tue Jun 27 10:10:27 PDT 2017) recorded as 2017/06/27 17:10:26.884147. This behaviour is different from Metricbdeat, is that expected? If so, should that time range just be saved with the dashboard by default?

Filebeat modules parse the timestamp from the logs and use that in the @timestamp field. I suspect what happened is that you didn't have any logs in the last 15m. That can be confusing when coming from Metribeat, yes. Can we save the Dashboards with "last 24h"? That might make sense for FB modules.

[andrewkroh]

WDYT, any risk in that?

I think disabling the ownership or write permission checks would open the same vector as having the main config file editable by other users. Though we could remove the world-readable checks from config files that won't have secrets in them.

Another option would be to make -strict.perms=false the new default. Then modify the scripts that start Beats as services to enable the checks. I liken this to how ES disables bootstrap checks for non-production mode.

[tsg]

About storing the time with the dashboards, I tried it but that causes the time to be "reseted" every time you switch between dashboards. I think that's annoying, so we're probably better with just leaving the default.