Introduction
The Elastic Stack today comprises four components: Elasticsearch, Logstash, Kibana, and Beats. The last is a family of log shippers for different use cases, of which Filebeat is the most popular. Filebeat is the most efficient way to get logs from files on your system to Logstail.com. This article is a general reference for Filebeat and its settings. For specific instructions about a log source (such as Apache, Nginx, MySQL), see the Log shippers page in your Logstail.com account.
General Information
In order to set up Filebeat you need to do the following:
1) Place the public certificate of Logstail.com on your system so that your data is sent encrypted
2) Configure the YAML file of Filebeat
3) Start or restart the Filebeat service
4) Check Logstail.com for your logs
Configuration
Filebeat is relatively easy to configure using a YAML configuration file. On Linux, this file is located at /etc/filebeat/filebeat.yml. Be aware that YAML is syntax sensitive and you cannot use tabs for spacing. Filebeat has many configuration options, but in most cases you will only need the very basics. For your convenience, the example configuration file filebeat.reference.yml, located in the same directory as filebeat.yml, contains all the available options. To begin with, you need Filebeat 7 or 6, available from elastic.co.
A) Configure Filebeat on macOS or Linux
1) Download the Logstail.com certificate
For encrypted shipping through HTTPS, download the Logstail.com public certificate and place it in the logstail folder, which is created by the -P parameter.
sudo wget https://raw.githubusercontent.com/logstail/public-certs/master/SectigoRSADomainValidationSecureServerCA.crt -P /etc/certs/logstail/
2) Set up the configuration file
To set up the configuration file use the Filebeat configuration wizard by navigating to the Log shippers page in your Logstail.com account. You must be logged in with your account.
First, back up your filebeat.yml and create a new one with the following command:
sudo mv /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml_original && sudo nano /etc/filebeat/filebeat.yml
Then paste the snippet of the service you want to monitor (from the Log shippers page).
3) Start Filebeat
Start or restart Filebeat for the changes to take effect.
sudo service filebeat start
(or)
sudo service filebeat restart
4) Check Logstail.com for your logs
Wait a bit for the logs to get from your system to Logstail.com, and then open your Kibana page.
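A pre-flight check for steps 1 to 3 above, given as an added example that is not part of the original article, Logstail.com or Filebeat. It confirms that the downloaded file is a parseable, unexpired PEM certificate and that filebeat.yml has no tab indentation and is not writable by group or others, then lets Filebeat validate the file itself. The function names are hypothetical; the default paths are the ones used in this article.

```shell
#!/bin/sh
# Added example: pre-flight checks before starting Filebeat (function names are hypothetical).
# Default paths are the ones used in this article; override with CERT=... CONF=...
CERT=${CERT:-/etc/certs/logstail/SectigoRSADomainValidationSecureServerCA.crt}
CONF=${CONF:-/etc/filebeat/filebeat.yml}

# The CA file must be a non-empty PEM certificate that parses and has not expired.
# A saved HTML error page or a truncated download fails here, not at TLS handshake time.
check_cert() {
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || { echo "not PEM: $1" >&2; return 1; }
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, parse skipped" >&2; return 0; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "unparseable or expired: $1" >&2; return 1; }
    # Print identifying fields so they can be compared with a trusted copy.
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# YAML does not allow tabs for indentation: list the offending lines, if any.
check_no_tabs() {
    tab=$(printf '\t')
    if grep -n "^ *${tab}" "$1"; then
        echo "tab used for indentation in $1" >&2
        return 1
    fi
    return 0
}

# Beats refuse to load a config file that group or others can write,
# and a world-writable config would let any local user redirect the logs.
check_perms() {
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "$1 is writable by group or others (fix: chmod go-w)" >&2
        return 1
    fi
    return 0
}

preflight() {
    check_cert "$CERT" && check_no_tabs "$CONF" && check_perms "$CONF" || return 1
    # Let Filebeat parse the file as well, when it is installed.
    if command -v filebeat >/dev/null 2>&1; then
        filebeat test config -c "$CONF"
    fi
}

# Run the checks only when asked, e.g.: sudo sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```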
B) Configure Filebeat on Windows
1) Download the Logstail.com certificate
For encrypted shipping through HTTPS, download the Logstail.com public certificate from the following URL.
wget https://raw.githubusercontent.com/logstail/public-certs/master/SectigoRSADomainValidationSecureServerCA.crt
The recommended location to save the certificate is shown below. Create this folder:
C:\Program Files\Filebeat\certs\logstail\
2) Set up the configuration file
To set up the configuration file use the Filebeat configuration wizard by navigating to the Log shippers page in your Logstail.com account. You must be logged in with your account.
First, back up your filebeat.yml and create a new one in this location:
C:\Program Files\Filebeat\filebeat.yml
Then paste the snippet of the service you want to monitor (from the Log shippers page).
3) Start Filebeat (e.g. with PowerShell)
Start or restart Filebeat for the changes to take effect.
PS C:\Program Files\Filebeat> Restart-Service filebeat
4) Check Logstail.com for your logs
Wait a bit for the logs to get from your system to Logstail.com, and then open your Kibana page. Now you are ready to explore your data!
Conclusion
Filebeat is an efficient, reliable and relatively easy-to-use log shipper. Following the general guidelines of this article, you can get the most out of this software to enhance the productivity of your ELK Stack.