Filebeat is an open source shipping agent that lets you ship logs from local files to one or more destinations, including Logstash.

Install

  Package managers Apt/Yum users can install from official repositories.

deb (Debian/Ubuntu)

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-6.4.0-amd64.deb 
sudo dpkg -i filebeat-oss-6.4.0-amd64.deb

rpm (Redhat/Centos/Fedora)

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-6.4.0-x86_64.rpm 
sudo rpm -vi filebeat-oss-6.4.0-x86_64.rpm

macOS

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-6.4.0-darwin-x86_64.tar.gz 
tar xzvf filebeat-oss-6.4.0-darwin-x86_64.tar.gz

docker

docker pull docker.elastic.co/beats/filebeat:6.4.0

Windows

  • Download the Filebeat Windows zip file from the official downloads page.

  • Extract the contents of the zip file into C:\Program Files.

  • Rename the filebeat-<version>-windows directory to Filebeat.

  • Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.

  • Run the following commands to install Filebeat as a Windows service:

    PS > cd 'C:\Program Files\Filebeat'
    PS C:\Program Files\Filebeat> .\install-service-filebeat.ps1`
    
      If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1.
  My OS isn't here! Don't see your system? Check out the official downloads page for more options (including 32-bit versions).

Locate the configuration file

deb/rpm /etc/filebeat/filebeat.yml
mac/win <EXTRACTED_ARCHIVE>/filebeat.yml

Configure the prospectors

Setup the data you wish to send us, by editing the prospector path variables.
These fully support wildcards. You can also add a document type.
An example with nginx logs might look like

filebeat.prospectors:

- type: log
  enabled: true
  paths:
    - /var/log/nginx/*.log
  fields:
    type: nginx-access
  fields_under_root: true
  encoding: utf-8
  exclude_files: [".gz"]
  ignore_older: 3h
  There's also a full example configuration file called filebeat.full.yml that shows all the possible options.

Configure output

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]

Uncomment and change the logstash output to match below.

output.logstash:
    hosts: ["your-logstash-host:your-port"]
    loadbalance: true
    ssl.enabled: true

Validate configuration

Let's check the configuration file is syntactically correct.

deb/rpm

filebeat -e -c /etc/filebeat/filebeat.yml

mac/win
Ran from the extracted archive dir

filebeat -e -c filebeat.yml

Start filebeat

Ok, time to start ingesting data!

deb

$ sudo service filebeat start

win

PS C:\Program Files\Filebeat> Start-Service filebeat