Send data via Ubuntu to your Logstash instance provided by


Ship system log files from Ubuntu to Logstash

Configure Filebeat to ship logs from Ubuntu Systems to Logstash and Elasticsearch.

Step 1 - Install Filebeat

We recommend using Filebeat to upload logs locally from Ubuntu to Logstash.

sudo apt-get install apt-transport-https
wget -qO - | sudo apt-key add -
echo 'deb stable main' | sudo tee /etc/apt/sources.list.d/beats.list

sudo apt-get update && sudo apt-get install filebeat

Step 2 - Locate configuration file


Step 3 - Enable system module

There are several built in filebeat modules you can use. To enable the system module run.

sudo filebeat modules list
sudo filebeat modules enable system

Additional module configuration can be done using the per module config files located in the modules.d folder, most commonly this would be to read logs from a non-default location

deb /etc/filebeat/modules.d/

Step 4 - Configure output

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#  hosts: ["localhost:9200"]

Uncomment and change the logstash output to match below.

    hosts: ["your-logstash-host:your-port"]
    loadbalance: true
    ssl.enabled: true

Step 5 - (Optional) Update logstash filters

All Logit stacks come pre-configured with popular Logstash filters. We would recommend that you add system specific filters if you don't already have them, to ensure enhanced dashboards and modules work correctly.

Edit your Logstash filters by choosing Stack > Settings > Logstash Filters

if [fileset][module] == "system" {
  if [fileset][name] == "auth" {
    grok {
      match => { "message" => ["%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} %{DATA:[system][auth][ssh][method]} for (invalid user )?%{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]} port %{NUMBER:[system][auth][ssh][port]} ssh2(: %{GREEDYDATA:[system][auth][ssh][signature]})?",
                "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} user %{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]}",
                "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: Did not receive identification string from %{IPORHOST:[system][auth][ssh][dropped_ip]}",
                "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sudo(?:\[%{POSINT:[system][auth][pid]}\])?: \s*%{DATA:[system][auth][user]} :( %{DATA:[system][auth][sudo][error]} ;)? TTY=%{DATA:[system][auth][sudo][tty]} ; PWD=%{DATA:[system][auth][sudo][pwd]} ; USER=%{DATA:[system][auth][sudo][user]} ; COMMAND=%{GREEDYDATA:[system][auth][sudo][command]}",
                "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} groupadd(?:\[%{POSINT:[system][auth][pid]}\])?: new group: name=%{}, GID=%{NUMBER:system.auth.groupadd.gid}",
                "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} useradd(?:\[%{POSINT:[system][auth][pid]}\])?: new user: name=%{DATA:[system][auth][user][add][name]}, UID=%{NUMBER:[system][auth][user][add][uid]}, GID=%{NUMBER:[system][auth][user][add][gid]}, home=%{DATA:[system][auth][user][add][home]}, shell=%{DATA:[system][auth][user][add][shell]}$",
                "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} %{DATA:[system][auth][program]}(?:\[%{POSINT:[system][auth][pid]}\])?: %{GREEDYMULTILINE:[system][auth][message]}"] }
      pattern_definitions => {
        "GREEDYMULTILINE"=> "(.|\n)*"
      remove_field => "message"
    date {
      match => [ "[system][auth][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    geoip {
      source => "[system][auth][ssh][ip]"
      target => "[system][auth][ssh][geoip]"
  else if [fileset][name] == "syslog" {
    grok {
      match => { "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:[system][syslog][hostname]} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"] }
      pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }
      remove_field => "message"
    date {
      match => [ "[system][syslog][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]

Step 6 - Validate configuration

Let's check the configuration file is syntactically correct. Run from the extracted archive directory.

sudo filebeat -e -c filebeat.yml

Step 7 - Start filebeat

Ok, time to start ingesting data!

sudo systemctl enable filebeat
sudo systemctl start filebeat

Step 8 - Ubuntu Logs Overview

Ubuntu is an open-source Debian-based operating system. Ubuntu is known for being more user friendly for non-developers than the comparable Unix & Linux operating systems due to its graphical user interface, it is also known for its high level of customizations supported in comparison to Unix & Linux.

Event log data for Ubuntu captures event messages from the Linux kernel, server logs, and applications. This data holds key insights into performance issues affecting your devices. As well as event Logs, Ubuntu supports service logs, application Logs & system Logs.

Our Ubuntu log analyser enables you to compile & monitor all four types of Ubuntu log data across hundreds of systems, allowing you to quickly identify errors and event security issues across your systems and applications. These can range from identifying ransomware & malware all the way through to optimising your overall IT operations.

If you need any further assistance with migrating your data from Ubuntu to Logstash & Elasticsearch we're here to help you get started. Feel free to reach out by contacting our support team by visiting ourdedicated Help Centre or via live chat & we'll be happy to assist.

expand view

Expand View

compact view

Compact View

Return to Search
Sign Up