Install Filebeat

  Package managers Apt/Yum users can install from official repositories.

deb (Debian/Ubuntu)

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.0.1-amd64.deb 
sudo dpkg -i filebeat-6.0.1-amd64.deb

rpm (Redhat/Centos/Fedora)

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.0.1-x86_64.rpm 
sudo rpm -vi filebeat-6.0.1-x86_64.rpm
  My OS isn't here! Don't see your system? Check out the official downloads page for more options (including 32-bit versions).

Locate the configuration file

deb/rpm /etc/filebeat/filebeat.yml

Configure the prospectors

Setup the data you wish to send us, by editing the prospector path variables.
These fully support wildcards. You can also add a document type.
An example with nginx logs might look like

filebeat.prospectors:

- type: log
  enabled: true
  paths:
    - /var/log/apache2/access.log
  fields:
    type: apache-access
  fields_under_root: true
  encoding: utf-8
  exclude_files: [".gz"]
  ignore_older: 3h

- type: log
  enabled: true
  paths:
    - /var/log/apache2/error.log
  fields:
    type: apache-error
  fields_under_root: true
  encoding: utf-8
  exclude_files: [".gz"]
  ignore_older: 3h
  There's also a full example configuration file called filebeat.full.yml that shows all the possible options.

Configure output

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]

Uncomment and change the logstash output to match below.

output.logstash:
    hosts: ["your-logstash-host:your-port"]
    loadbalance: true
    ssl.enabled: true

Validate configuration

Let's check the configuration file is syntactically correct.

deb/rpm

filebeat -e -c /etc/filebeat/filebeat.yml

Start filebeat

Ok, time to start ingesting data!

deb/rpm

$ sudo service filebeat start