Step 1 - Install

First, add the Elastic Beats repository to YUM.

1. Add the rpm verification key

sudo rpm --import

2. Add the repo

echo "[elastic-6.x]
name=Elastic repository for 6.x packages
type=rpm-md" | sudo tee /etc/yum.repos.d/elastic-beats.repo

3. Install Filebeat with yum

sudo yum install filebeat-oss

Step 2 - Configuration

The filebeat YAML config file should be located at:


Open the file and change the following:

1. Line 24: Set the log input to enabled:

# Change to true to enable this input configuration.
enabled: true

2. Line 28: Specify the directory to scan for new logs. For example:

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*

Note: * matches any text, so this will pick up any file inside the specified folder (/var/log in this example).

3. Line 143: The Elasticsearch output is enabled and configured by default. Disable it by commenting it out:

#output.elasticsearch:
    # Array of hosts to connect to.
    #hosts: ["localhost:9200"]

4. Line 153: Enable the Logstash output and load balancing:

output.logstash:
    # The Logstash hosts
    hosts: ["your-logstash-host:your-port"]
    loadbalance: true
    ssl.enabled: true
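
A pre-flight check for the four changes above, as an added example that is not part of the original guide or of Filebeat itself. The function names are hypothetical, the sample config is constructed, and it assumes the filebeat.inputs / output.* top-level layout; it matches text rather than parsing YAML.

```shell
# Added example (not Filebeat's own tooling): lint filebeat.yml against Step 2.

# Print the uncommented body lines of one top-level section, e.g. output.logstash.
section() {
    awk -v key="$2:" '
        /^[A-Za-z]/ { insec = (index($0, key) == 1); next }
        insec && NF && !/^[ \t]*#/ { print }
    ' "$1"
}

# check_filebeat_cfg FILE: print one line per finding, return 0 if all checks pass.
check_filebeat_cfg() {
    cfg=$1; rc=0
    section "$cfg" filebeat.inputs | grep -Eq '^[[:space:]]+enabled:[[:space:]]*true' ||
        { echo "FAIL: no input has enabled: true"; rc=1; }
    if grep -q '^output\.elasticsearch:' "$cfg"; then
        echo "FAIL: output.elasticsearch is still active"; rc=1
    fi
    body=$(section "$cfg" output.logstash)
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]+hosts:[[:space:]]*\[.+\]' ||
        { echo "FAIL: output.logstash has no hosts"; rc=1; }
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]+ssl\.enabled:[[:space:]]*true' ||
        { echo "FAIL: output.logstash lacks ssl.enabled: true"; rc=1; }
    return $rc
}

# Constructed sample: Step 2 applied, except that item 3 (Elasticsearch) was missed.
sample_cfg() { cat <<'EOF'
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*
output.elasticsearch:
  hosts: ["localhost:9200"]
output.logstash:
  hosts: ["your-logstash-host:your-port"]
  loadbalance: true
  ssl.enabled: true
EOF
}

# Lint the file given as $1, or the constructed sample when no argument is given.
f=${1:-$(mktemp)}
[ $# -gt 0 ] || sample_cfg > "$f"
check_filebeat_cfg "$f" || echo "fix the findings above before starting filebeat"
[ $# -gt 0 ] || rm -f "$f"
```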

Step 3 - Start Logging

Start the service. Starting Filebeat this way displays live activity in the terminal, along with any validation errors found in the YAML file:

sudo filebeat -e -c /etc/filebeat/filebeat.yml

Any logs found inside the previously specified directory will be harvested by Filebeat (this activity is displayed in the terminal) and sent to Logstash.

You can also start the service without using the filebeat command, but this will not display the activity in the terminal:

sudo service filebeat start

To start the service at boot:

sudo chkconfig --add filebeat
