Install Filebeat

deb (Debian/Ubuntu/Mint)

sudo apt-get install apt-transport-https
wget -qO - | sudo apt-key add -
echo 'deb stable main' | sudo tee /etc/apt/sources.list.d/beats.list

sudo apt-get update && sudo apt-get install filebeat-oss

rpm (CentOS/RHEL/Fedora)

sudo rpm --import
echo "[elastic-6.x]
name=Elastic repository for 6.x packages
type=rpm-md" | sudo tee /etc/yum.repos.d/elastic-beats.repo

sudo yum install filebeat-oss

Locate the configuration file

deb/rpm /etc/filebeat/filebeat.yml

Add the rabbitmq log location

Filebeat does not currently have a module to process the rabbitmq application logs.

Therefore we need to add the rabbitmq application log location to the filebeat inputs. Since rabbitmq uses a multi-line log format we will need to configure a seperate log section to handle it.

Add the following to the end of the log input example, before the filebeat.config.modules section.

- type: log
  enabled: true
    - /var/log/rabbitmq/*.log
    type: rabbitmq
  multiline.pattern: ^\=
  multiline.match: before

Configure output

We will be shipping to Logstash so that we have the option to run filters before the data is indexed.

Comment out the elasticsearch output block.

## Comment out elasticsearch output
#  hosts: ["localhost:9200"]

Uncomment and change the logstash output to match below.

    hosts: ["your-logstash-host:your-port"]
    loadbalance: true
    ssl.enabled: true

Validate configuration

Let's check the configuration file is syntactically correct.


filebeat -e -c /etc/filebeat/filebeat.yml

Start filebeat

Ok, time to start ingesting data!


sudo systemctl enable filebeat
sudo systemctl start filebeat