General Information

Filebeat is the most efficient way to get logs from files of your system to Logstail.com. Below, there is a general reference and settings for Filebeat. For specific instructions about a log source (such as Apache, Nginx, MySQL), you can see the Log shippers page in your Logstail.com account.

To set up Filebeat you need three things:

1) The public certificate of Logstail.com in your system to send your data encrypted

2)  Configure the YAML file of Filebeat

3) Start or restart the Filebeat service

4) Check Logstail.com for your logs.

Filebeat is relatively easy to configure using a YAML configuration file. On Linux, this file is located at/etc/filebeat/filebeat.yml. Be aware that YAML is syntax sensitive and you cannot use tabs for spacing. Filebeat contains many configuration options, but in most cases, you will only need the very basics. For your convenience, you can refer to the example filebeat.reference.yml configuration file which is located in the same location as the filebeat.yml file, that contains all the different available options. Initially, you need Filebeat 7 or 6 (link from elastic.co)

A)    Configure Filebeat on macOS or Linux

1)    Download the Logstail.com certificate

For encrypted shipping through HTTPS, download the Logstail.com public certificate and place it to the logstail folder created by the -P parameter.

 

1	sudo wget https://raw.githubusercontent.com/logstail/public-certs/master/SectigoRSADomainValidationSecureServerCA.crt -P /etc/certs/logstail/

 

2)    Set up the configuration file

To set up the configuration file use the Filebeat configuration wizard by navigating to the Log shippers page in your Logstail.com account. You must be logged in with your account.

First of all backup your filebeat.yml and create a new one with the following command

mv /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml_original && sudo nano /etc/filebeat/filebeat.yml

and paste the snippet of the service you want to monitor (Log shippers page).

3)    Start Filebeat

Start or restart Filebeat for the changes to take effect.

1 2	sudo service filebeat start (or) sudo service filebeat restart

 

4)    Check Logstail.com for your logs

Wait a bit for the logs to get from your system to Logstail.com, and then open your Kibana page.

B)    Configure Filebeat on Windows

1)    Download the Logstail.com certificate

For encrypted shipping through HTTPS, download the Logstail.com public certificate from the following URL.

wget https://raw.githubusercontent.com/logstail/public-certs/master/SectigoRSADomainValidationSecureServerCA.crt

The recommended location to save the certificate is shown below. Create this folder

C:\Program Files\Filebeat\certs\logstail\

2)    Set up the configuration file

To set up the configuration file use the Filebeat configuration wizard by navigating to the Log shippers page in your Logstail.com account. You must be logged in with your account.

First of all backup your filebeat.yml and create a new one to this location:

C:\Program Files\Filebeat\filebeat.yml

and paste the snippet of the service you want to monitor (Log shippers page).

3)    Start Filebeat (eg. with Powershell)

Start or restart Filebeat for the changes to take effect.

PS C:\Program Files\Filebeat> Restart-Service filebeat

4) Check Logstail.com for your logs

Wait a bit for the logs to get from your system to Logstail.com, and then open your Kibana page. Now you are ready to explore your data!