Ship logs files from Red Hat Enterprise Linux (RHEL) to Logstash
We need to add the elastic beats repository to YUM
1. Add the rpm verification key
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
2. Add the repo
echo "[elastic-6.x]
name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md" | sudo tee /etc/yum.repos.d/elastic-beats.repo
3. Yum install the Filebeat
sudo yum install filebeat-oss
The filebeat YAML config file should be located at:
/etc/filebeat/filebeat.yml
Open the file and change the following:
1. Line 24: Set the log input to enabled:
# Change to true to enable this input configuration.
enabled: true
2. Line 28: Specify the directory to scan for new logs. For example:
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /var/log/*
Note: * means any text, so this will pick up any file inside the filebeat_logs folder.
3. Line 143: The elasticsearch output will be enabled/configured by default. Disable this by commenting it out:
#output.elasticsearch:
# Array of hosts to connect to.
#hosts: ["localhost:9200"]
4. Line 153: Enable the logstash output and the load balancer:
output.logstash:
# The Logstash hosts
hosts: ["your-logstash-host:your-port"]
loadbalance: true
ssl.enabled: true
Start the service (starting filebeat using this method will display live activity inside the terminal. It will also display any validation errors found in the YAML file):
sudo filebeat -e -c /etc/filebeat/filebeat.yml
Any logs found inside the previously specified directory will be harvested by filebeat (this activity will be displayed in the terminal) and logged to logstash.
You can also start the service without using the filebeat command but this will not
display the activity in the terminal:
sudo service filebeat start
To start the service at boot:
sudo chkconfig --add filebeat