Apache
Ship Apache access and error logs to logstash
Step 1 - Install Filebeat
Package managers Apt/Yum users can install from official repositories.
deb (Debian/Ubuntu)
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.0.1-amd64.deb
sudo dpkg -i filebeat-6.0.1-amd64.deb
rpm (Redhat/Centos/Fedora)
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.0.1-x86_64.rpm
sudo rpm -vi filebeat-6.0.1-x86_64.rpm
My OS isn't here! Don't see your system? Check out the official downloads page for more options (including 32-bit versions).
Step 2 - Locate the configuration file
deb/rpm /etc/filebeat/filebeat.yml
Step 3 - Configure the prospectors
Setup the data you wish to send us, by editing the prospector path variables.
These fully support wildcards. You can also add a document type.
An example with nginx logs might look like
filebeat.prospectors:
- type: log
enabled: true
paths:
- /var/log/apache2/access.log
fields:
type: apache-access
fields_under_root: true
encoding: utf-8
exclude_files: [".gz"]
ignore_older: 3h
- type: log
enabled: true
paths:
- /var/log/apache2/error.log
fields:
type: apache-error
fields_under_root: true
encoding: utf-8
exclude_files: [".gz"]
ignore_older: 3h
There's also a full example configuration file called filebeat.full.yml that shows all the possible options.
Step 4 - Configure output
We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.
## Comment out elasticsearch output
#output.elasticsearch:
# hosts: ["localhost:9200"]
Uncomment and change the logstash output to match below.
output.logstash:
hosts: ["your-logstash-host:your-port"]
loadbalance: true
ssl.enabled: true
Step 5 - Validate configuration
Let's check the configuration file is syntactically correct.
deb/rpm
filebeat -e -c /etc/filebeat/filebeat.yml
Step 6 - Start filebeat
Ok, time to start ingesting data!
deb/rpm
$ sudo service filebeat start