Red Hat (RHEL)

We need to add the elastic beats repository to YUM

1. Add the rpm verification key

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

2. Add the repo

echo "[elastic-6.x]
name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md" | sudo tee /etc/yum.repos.d/elastic-beats.repo

3. Yum install the Filebeat

sudo yum install filebeat-oss

The filebeat YAML config file should be located at:

/etc/filebeat/filebeat.yml

Open the file and change the following:

1. Line 24: Set the log input to enabled:

# Change to true to enable this input configuration.
enabled: true

2. Line 28: Specify the directory to scan for new logs. For example:

# Paths that should be crawled and fetched. Glob based paths.
paths:
    - /var/log/*

Note: * means any text, so this will pick up any file inside the filebeat_logs folder.

3. Line 143: The elasticsearch output will be enabled/configured by default. Disable this by commenting it out:

#output.elasticsearch:
    # Array of hosts to connect to.
    #hosts: ["localhost:9200"]

4. Line 153: Enable the logstash output and the load balancer:

output.logstash:
    # The Logstash hosts
    hosts: ["your-logstash-host:your-port"]
    loadbalance: true
    ssl.enabled: true

Start the service (starting filebeat using this method will display live activity inside the terminal. It will also display any validation errors found in the YAML file):

sudo filebeat -e -c /etc/filebeat/filebeat.yml

Any logs found inside the previously specified directory will be harvested by filebeat (this activity will be displayed in the terminal) and logged to logstash.

You can also start the service without using the filebeat command but this will not display the activity in the terminal:

sudo service filebeat start

To start the service at boot:

sudo chkconfig --add filebeat