1

Install Filebeat

Package managers: Apt/Yum users can install from official repositories.

deb (Debian/Ubuntu)

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.0.1-amd64.deb 
sudo dpkg -i filebeat-6.0.1-amd64.deb

rpm (Redhat/Centos/Fedora)

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.0.1-x86_64.rpm 
sudo rpm -vi filebeat-6.0.1-x86_64.rpm

My OS isn't here! Don't see your system? Check out the official downloads page for more options (including 32-bit versions).

2

Locate the configuration file

deb/rpm /etc/filebeat/filebeat.yml

3

Configure the prospectors

Set up the data you wish to send us by editing the prospector path variables.
These fully support wildcards. You can also add a document type.
An example with nginx logs might look like

filebeat.prospectors:

- type: log
  enabled: true
  paths:
    - /var/log/apache2/access.log
  fields:
    type: apache-access
  fields_under_root: true
  encoding: utf-8
  exclude_files: ['\.gz$']  # regular expression: skip rotated .gz archives
  ignore_older: 3h

- type: log
  enabled: true
  paths:
    - /var/log/apache2/error.log
  fields:
    type: apache-error
  fields_under_root: true
  encoding: utf-8
  exclude_files: ['\.gz$']  # regular expression: skip rotated .gz archives
  ignore_older: 3h

There's also a full example configuration file called filebeat.full.yml that shows all the possible options.

4

Configure output

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]

Uncomment and change the logstash output to match below.

output.logstash:
    hosts: ["your-logstash-host:your-port"]
    loadbalance: true
    ssl.enabled: true
5

Validate configuration

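Let's check that the configuration file is syntactically correct. The command below starts Filebeat in the foreground with log output sent to stderr (-e), so any configuration error appears in the terminal; stop it with Ctrl+C before starting the service.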

deb/rpm

filebeat -e -c /etc/filebeat/filebeat.yml
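
A syntax check does not confirm the security-relevant settings from steps 3 and 4. The pre-start check below is an added example, not part of the original guide or of Filebeat itself; the function names check_filebeat_config and logstash_block are hypothetical, and it assumes the dotted-key layout used above (ssl.enabled directly under output.logstash).

```shell
#!/bin/sh
# Added example: lint a Filebeat config before starting the service.
# Usage (after sourcing this file): check_filebeat_config /etc/filebeat/filebeat.yml

# Print the uncommented lines inside the top-level output.logstash block.
logstash_block() {
  awk '
    /^output\.logstash:/ { inblk = 1; next }
    inblk && /^[^ \t#]/  { inblk = 0 }   # next top-level key ends the block
    inblk && !/^[ \t]*#/ { print }
  ' "$1"
}

# Print one finding per line. Exit status: 0 clean, 1 findings, 2 unreadable.
check_filebeat_config() {
  cfg=$1
  [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
  findings=0
  # Beats refuses to load a config file that group or others can write to.
  if [ -n "$(find "$cfg" \( -perm -020 -o -perm -002 \) -print)" ]; then
    echo "PERMS: $cfg is writable by group or others (chmod go-w)"; findings=1
  fi
  # Only one output may be enabled; step 4 comments this one out.
  if grep -q '^output\.elasticsearch:' "$cfg"; then
    echo "OUTPUT: output.elasticsearch is still enabled"; findings=1
  fi
  blk=$(logstash_block "$cfg")
  # Without ssl.enabled: true the log stream travels in cleartext.
  if ! printf '%s\n' "$blk" | grep -Eq '^ +ssl\.enabled: *true'; then
    echo "TLS: output.logstash does not set ssl.enabled: true"; findings=1
  fi
  # verification_mode none disables server certificate validation.
  if printf '%s\n' "$blk" | grep -Eq '^ +ssl\.verification_mode: *"?none'; then
    echo "TLS: ssl.verification_mode is none"; findings=1
  fi
  return $findings
}
```
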
6

Start filebeat

Ok, time to start ingesting data!

deb/rpm

sudo service filebeat start