Ship Apache access and error logs to Logstash
deb (Debian/Ubuntu)
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.0.1-amd64.deb
sudo dpkg -i filebeat-6.0.1-amd64.deb
rpm (Red Hat/CentOS/Fedora)
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.0.1-x86_64.rpm
sudo rpm -vi filebeat-6.0.1-x86_64.rpm
deb/rpm: /etc/filebeat/filebeat.yml
Set up the data you wish to send us by editing the prospector path variables.
These fully support wildcards. You can also add a document type.
An example with Apache logs might look like this:
filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /var/log/apache2/access.log
  fields:
    type: apache-access
  fields_under_root: true
  encoding: utf-8
  # exclude_files takes regular expressions: skip compressed, rotated logs
  exclude_files: ['\.gz$']
  ignore_older: 3h
- type: log
  enabled: true
  paths:
    - /var/log/apache2/error.log
  fields:
    type: apache-error
  fields_under_root: true
  encoding: utf-8
  # exclude_files takes regular expressions: skip compressed, rotated logs
  exclude_files: ['\.gz$']
  ignore_older: 3h
We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.
## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]
Uncomment and change the logstash output to match below.
output.logstash:
  hosts: ["your-logstash-host:your-port"]
  loadbalance: true
  ssl.enabled: true
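An added example (not part of the original page) of the same Logstash output with its TLS settings stated explicitly. It assumes the Logstash endpoint presents a certificate issued by a private CA and, optionally, requires client certificates; the file paths under /etc/filebeat/certs are placeholders.

```yaml
# Added example, not from the original page. All certificate paths are hypothetical.

# As shown on the page: TLS is on and the server certificate is checked
# against the operating system's CA store.
#output.logstash:
#  hosts: ["your-logstash-host:your-port"]
#  loadbalance: true
#  ssl.enabled: true

# Same output with the trust decisions written down:
output.logstash:
  hosts: ["your-logstash-host:your-port"]
  loadbalance: true
  ssl.enabled: true
  # Trust only the CA that issued the Logstash certificate (assumed path).
  ssl.certificate_authorities: ["/etc/filebeat/certs/logstash-ca.crt"]
  # "full" is the default and verifies the certificate chain and host name.
  # "none" disables verification and lets any host receive the logs.
  ssl.verification_mode: full
  # Refuse protocol versions older than TLS 1.2.
  ssl.supported_protocols: [TLSv1.2]
  # Client certificate and key, needed only when the Logstash beats input
  # is set up to require client authentication (assumed paths).
  # Keep the key readable by root only.
  ssl.certificate: "/etc/filebeat/certs/filebeat-client.crt"
  ssl.key: "/etc/filebeat/certs/filebeat-client.key"
```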
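Let's check that the configuration file is syntactically correct. The command below runs Filebeat in the foreground and logs to stderr (-e), so configuration errors are reported at startup; stop it with Ctrl+C once it starts cleanly.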
deb/rpm
filebeat -e -c /etc/filebeat/filebeat.yml
Ok, time to start ingesting data!
deb/rpm
sudo service filebeat start