Apache Logstash Configuration
Ship Apache access and error logs to logstash
Use Filebeat to ship access and error logs from Apache to your Logit.io Stack.
Follow this step by step guide to get 'logs' from your system to Logit.io:
Step 1 - Install Filebeat
- Windows
- Linux
- macOS
- DEB
- RPM
To get started you will need to install filebeat. To do this you have two main options:
- Choose the filebeat ZIP file (Windows ZIP x86_64) or
- Choose the Microsoft Software Installer MSI file (Windows MSI x86_64 (beta))
If you have chosen to download the zip file:
- Extract the contents of the zip file into C:\Program Files.
- Rename the extracted folder to filebeat
- Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
- From the PowerShell prompt, run the following commands to install filebeat as a Windows service:
cd 'C:\Program Files\filebeat'
.\install-service-filebeat.ps1
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1
For more information about Powershell execution policies see here
If you have chosen to download the filebeat.msi file:
- double-click on it and the relevant files will be downloaded.
At the end of the installation process you'll be given the option to open the folder where filebeat has been installed.
- Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
- From the PowerShell prompt, change directory to the location where filebeat was installed and run the following command to install filebeat as a Windows service:
.\install-service-filebeat.ps1
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1
For more information about Powershell execution policies see here
To get started you will need to install filebeat. To do this you have two main options:
- Choose the AMD / Intel file (x86_64) or
- Choose the ARM file (arm64)
You can tell if you have a Linux PC with an AMD / Intel CPU (kernel) architecture by opening a terminal and running the uname -m
command. If it displays x86_64 you have AMD / Intel architecture.
If you have an x86_64 system download and extract the contents of the file using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-linux-x86_64.tar.gz
tar xzvf filebeat-8.12.2-linux-x86_64.tar.gz
If you have an arm64 system download and extract the contents of the file using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-linux-arm64.tar.gz
tar xzvf filebeat-8.12.2-linux-arm64.tar.gz
To get started you will need to install filebeat. To do this you have two main options:
- Choose the AMD / Intel file (x86_64) or
- Choose the ARM file (aarch64)
You can tell if you have a Mac with an ARM CPU architecture by opening the Terminal application and running the arch
command. If it displays arm64 you have ARM architecture.
If you have an x86_64 system download and extract the contents of the file using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-darwin-x86_64.tar.gz
tar xzvf filebeat-8.12.2-darwin-x86_64.tar.gz
If you have an aarch64 system download and extract the contents of the file using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-darwin-aarch64.tar.gz
tar xzvf filebeat-8.12.2-darwin-aarch64.tar.gz
To get started you will need to install filebeat. To do this you have two main options:
- Choose the AMD / Intel file (x86_64) or
- Choose the ARM file (aarch64)
You can tell if you have a PC with an ARM CPU architecture by opening the Terminal application and running the arch
command. If it displays arm64 you have ARM architecture.
If you have an x86_64 system download and install filebeat using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-amd64.deb
sudo dpkg -i filebeat-8.12.2-amd64.deb
If you have an aarch64 system download and install filebeat using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-arm64.deb
sudo dpkg -i filebeat-8.12.2-arm64.deb
To get started you will need to install filebeat. To do this you have two main options:
- Choose the AMD / Intel file (x86_64) or
- Choose the ARM file (aarch64)
You can tell if you have a PC with an ARM CPU architecture by opening the Terminal application and running the arch
command. If it displays arm64 you have ARM architecture.
If you have an x86_64 system download and install filebeat using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-x86_64.rpm
sudo rpm -vi filebeat-8.12.2-x86_64.rpm
If you have an aarch64 system download and install filebeat using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-aarch64.rpm
sudo rpm -vi filebeat-8.12.2-aarch64.rpm
Step 2 - Enable the Apache module
- Windows
- Linux
- macOS
- DEB
- RPM
There are several built in filebeat modules you can use. You will need to enable the apache module:
.\filebeat.exe modules list
.\filebeat.exe modules enable apache
In the module config under modules.d, change the module settings to match your environment. You must enable at least one fileset in the module.
Filesets are disabled by default.
Copy the snippet below and replace the contents of the apache.yml module file:
# Module: apache
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.12/filebeat-module-apache.html
- module: apache
# Access logs
access:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Error logs
error:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
There are several built in filebeat modules you can use. You will need to enable the apache module:
sudo filebeat modules list
sudo filebeat modules enable apache
In the module config under modules.d, change the module settings to match your environment. You must enable at least one fileset in the module.
Filesets are disabled by default.
Copy the snippet below and replace the contents of the apache.yml module file:
# Module: apache
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.12/filebeat-module-apache.html
- module: apache
# Access logs
access:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Error logs
error:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
There are several built in filebeat modules you can use. You will need to enable the apache module:
./filebeat modules list
./filebeat modules enable apache
In the module config under modules.d, change the module settings to match your environment. You must enable at least one fileset in the module.
Filesets are disabled by default.
Copy the snippet below and replace the contents of the apache.yml module file:
# Module: apache
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.12/filebeat-module-apache.html
- module: apache
# Access logs
access:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Error logs
error:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
There are several built in filebeat modules you can use. You will need to enable the apache module:
sudo filebeat modules list
sudo filebeat modules enable apache
In the module config under modules.d, change the module settings to match your environment. You must enable at least one fileset in the module.
Filesets are disabled by default.
Copy the snippet below and replace the contents of the apache.yml module file:
# Module: apache
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.12/filebeat-module-apache.html
- module: apache
# Access logs
access:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Error logs
error:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
There are several built in filebeat modules you can use. You will need to enable the apache module:
sudo filebeat modules list
sudo filebeat modules enable apache
In the module config under modules.d, change the module settings to match your environment. You must enable at least one fileset in the module.
Filesets are disabled by default.
Copy the snippet below and replace the contents of the apache.yml module file:
# Module: apache
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.12/filebeat-module-apache.html
- module: apache
# Access logs
access:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Error logs
error:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
Step 3 - Update your configuration file
The configuration file below is pre-configured to send data to your Logit.io Stack via Logstash.
Copy the configuration file below and overwrite the contents of filebeat.yml.
# ============================== Filebeat modules ==============================
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
#reload.period: 10s
# ================================== Outputs ===================================
# ------------------------------ Logstash Output -------------------------------
output.logstash:
hosts: ["your-logstash-host:your-ssl-port"]
loadbalance: true
ssl.enabled: true
# ================================= Processors =================================
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
If you’re running Filebeat 7
add this code block to the end. Otherwise, you can leave it out.
# ... For Filebeat 7 only ...
filebeat.registry.path: /var/lib/filebeat
If you’re running Filebeat 6
add this code block to the end. Otherwise, you can leave it out.
# ... For Filebeat 6 only ...
registry_file: /var/lib/filebeat/registry
Validate your YAML
It’s a good idea to run the configuration file through a YAML validator to rule out indentation errors, clean up extra characters, and check if your YAML file is valid. Yamllint.com is a great choice.
Step 4 - Validate configuration
- Windows
- Linux
- macOS
- DEB
- RPM
.\filebeat.exe -e -c filebeat.yml
sudo ./filebeat -e -c filebeat.yml --strict.perms=false
You’ll be running filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run filebeat with --strict.perms=false as shown above. Read more about how to change ownership.
sudo ./filebeat -e -c filebeat.yml --strict.perms=false
You’ll be running filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run filebeat with --strict.perms=false as shown above. Read more about how to change ownership.
sudo filebeat -e -c /etc/filebeat/filebeat.yml
sudo filebeat -e -c /etc/filebeat/filebeat.yml
Step 5 - Start filebeat
- Windows
- Linux
- macOS
- DEB
- RPM
To start Filebeat, run in Powershell:
Start-Service filebeat
To start Filebeat, run:
sudo chown root filebeat.yml
sudo chown root modules.d/apache.yml
sudo ./filebeat -e
You’ll be running filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run filebeat with --strict.perms=false as shown above. Read more about how to change ownership.
To start Filebeat, run:
sudo chown root filebeat.yml
sudo chown root modules.d/apache.yml
sudo ./filebeat -e
You’ll be running filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run filebeat with --strict.perms=false as shown above. Read more about how to change ownership.
To start Filebeat, run:
sudo service filebeat start
To start Filebeat, run:
sudo service filebeat start
Step 6 - Module Configuration (Advanced)
Additional module configuration can be done using the per module config files located in the modules.d folder, most commonly this would be to read logs from a non-default location
deb/rpm /etc/filebeat/modules.d/apache.yml
mac/win <EXTRACTED_ARCHIVE>/modules.d/apache.yml
- module: apache
# Access logs
access:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
# var.paths: ["/custom/path/to/logs"]
# Error logs
error:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
# var.paths: ["/custom/path/to/logs"]
Step 7 - Check Logit.io for your logs
Data should now have been sent to your Stack.
If you don't see logs take a look at How to diagnose no data in Stack below for how to diagnose common issues.
Step 8 - how to diagnose no data in Stack
If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.
Step 9 - Apache dashboard
The Apache module comes with predefined Kibana dashboards. To view your dashboards for any of your Logit.io stacks, launch Logs and choose Dashboards.
Step 10 - Apache Logging Overview
Apache (also known as Apache HTTP Server) is a popular open-source web server that manages incoming HTTP requests. The first edition of Apache was launched over twenty years ago in 1995 & has grown to power over 40% of websites globally. Just one of the reasons for its widespread adoption is due to its highly flexible and powerful features.
Apache produces access & error logs and as a server that manages HTTP requests, the tool generates a high amount of log data when used to monitor high traffic websites. This can be difficult to efficiently analyse without an Apache log viewer.
The error log is characterised as the most important log data you’ll want to analyse as part of your audits. It contains a wealth of information beyond just errors & can be used for comprehensive diagnostic reporting. Access logs keep track of all access requests that have been sent to your web server and include data such as IP addresses, URLs & response times.
Logit.io provides a complete solution for fast Apache log viewing & analysis. Our platform’s built-in Apache log analyser saves on the need to configure numerous tools for the ingestion of Apache server logs as our hosted ELK Stack takes care of transforming, parsing, alerting, visualising & reporting in one centralised platform.
Followed our configuration file example for Apache and are still encountering issues? We're here to help. Reach out by contacting our team by visiting our dedicated Help Centre or via live chat & we'll be able to get back to you.