Start your 14-day free trial today & Get 20% Off All Annual Managed ELK Plans

No Credit Card Required

Try Free

Already have an account? Sign In

Send data via HAProxy to your Logstash instance provided by


Ship logs from HAProxy to logstash

Configure Filebeat to ship logs from HAProxy to Logstash and Elasticsearch.

Step 1 - Install FilebeatCopy

deb (Debian/Ubuntu/Mint)

curl -L -O
sudo dpkg -i -oss-7.8.1-amd64.deb

rpm (CentOS/RHEL/Fedora)

curl -L -O
sudo rpm -vi -oss-7.8.1-x86_64.rpm


curl -L -O
tar xzvf -oss-7.8.1-darwin-x86_64.tar.gz


  • Download the Windows zip file from the official downloads page.
  • Extract the contents of the zip file into C:\Program Files.
  • Rename the -<version>-windows directory to ``.
  • Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.
  • Run the following commands to install as a Windows service:
cd 'C:\Program Files\'
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-.ps1.
My OS isn't here! Don't see your system? Check out the official downloads page for more options (including 32-bit versions).

Step 2 - Setup HAProxy ConfigurationCopy

deb (Debian/Ubuntu)

HAProxy generates logs in syslog format, on debian and ubuntu the haproxy package contains the required syslog configuration to generate a haproxy.log file which we will then monitor using filebeat. Confirm the existance of /etc/rsyslog.d/49-haproxy.conf and /var/log/haproxy.log If you've recently installed haproxy you may need to restart rsyslog to get additional haproxy config file loaded.

rpm (Centos/RHEL)

The RPM haproxy default configuration sends it's logs to a syslog daemon listening on localhost via UDP. We need to configure rsyslog to listen on localhost and write a haproxy.log file which we will then monitor using filebeat. Run the following lines of command and then restart rsyslog.

echo '#Rsyslog configuration to listen on localhost for HAProxy log messages 
#and write them to /var/log/haproxy.log
$ModLoad imudp
$UDPServerRun 514
local2.*    /var/log/haproxy.log' | sudo tee /etc/rsyslog.d/haproxy.conf

sudo systemctl restart rsyslog

Step 3 - Enable the Haproxy moduleCopy

There are several built in filebeat modules you can use. You will need to enable the haproxy module.


sudo filebeat modules list
sudo filebeat modules enable haproxy


./filebeat modules list
./filebeat modules enable haproxy


.\filebeat.exe modules list
.\filebeat.exe modules enable haproxy

Additional module configuration can be done using the per module config files located in the modules.d folder, for haproxy we want to configure the haproxy module to read from file, uncomment and edit the var.input line to say

var.input: file

deb/rpm /etc/filebeat/modules.d/haproxy.yml mac/win <EXTRACTED_ARCHIVE>/modules.d/haproxy.yml

Step 4 - Confirm the LoggingCopy

Confirm the haproxy log file contains entries to process.

tail /var/log/haproxy.log

Should return the last 10 entries in the file, if you get nothing back or file not found, check haproxy is running and if rsyslog needs reloading.

Step 5 - Locate Configuration FileCopy

deb/rpm /etc/filebeat/filebeat.yml mac/win <EXTRACTED_ARCHIVE>/filebeat.yml

Step 6 - Configure OutputCopy

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#  hosts: ["localhost:9200"]
No input available! Your stack is missing the required input for this data source Talk to support to add the input

Step 7 - Validate configurationCopy

Let's check the configuration file is syntactically correct by running directly inside the terminal. If the file is invalid, will print an error loading config file error message with details on how to correct the problem.


sudo  -e -c /etc//.yml


./ -e -c .yml


.\.exe -e -c .yml

Step 8 - Start filebeatCopy

Ok, time to start ingesting data!


sudo systemctl enable filebeat
Ok, time to start ingesting data!
sudo systemctl start filebeat




Start-Service filebeat

Step 9 - HAproxy Logs OverviewCopy

HAProxy (High Availability Proxy) is an open-source software load balancer for proxying HTTP & TCP based applications. As the tool offers high availability by default it is well suited for high traffic websites.

HAProxy is the de-facto proxy server powering many of the web’s most popular sites & is often the default deployment in most cloud platforms. For most Linux distributions it is the reference load-balancer recommended for container orchestration (E.G Kubernetes).

HAProxy logs hold data on HTTP queries, error codes & how long the request took to send, if it was queued and how long for, how long the TCP connection took to establish, as well as information on response size and cookies, among other valuable insights for reporting & security. These logs can be difficult to process for analysis at scale & so a log analyser will likely be required to process HAProxy logs efficiently.

Requests & traffic for HTTP & TCP based applications are spread across multiple servers when HAProxy is used. The proxy is well known for its flexibility & the tool’s logs can be used in a log management solution such as for easy identification of critical issues within an application.

The platform offers a complete solution for centralising your log files from multiple applications and servers and provides a HAProxy log analyser as standard. You can also use our Kibana integrations to visualise key server metrics from both frontend and backend applications for fast error resolution & troubleshooting.

Followed our HAProxy log configuration guide and are still encountering issues? We're here to help you get started. Feel free to reach out by contacting our support team by visiting our dedicated Help Centre or via live chat & we'll be happy to assist.

Toggle View

Expand View

Return to Search