Elastic Stack Filebeat - jonatello/lab-musing GitHub Wiki
I need to test for a bug with TLS on version 6.2.4 where Beats can't use SSL: https://github.com/logstash-plugins/logstash-input-beats/issues/188
Configure Filebeat
Use curl to download the dashboard
curl -L -O https://download.elastic.co/beats/dashboards/beats-dashboards-1.1.0.zip
Unzip the archive
unzip beats-dashboards-*.zip
Change directories and run the load.sh script
cd beats-dashboards-*
sh ./load.sh
cd ..
Download the Filebeat Elasticsearch index template
curl -O https://gist.githubusercontent.com/thisismitch/3429023e8438cc25b86c/raw/d8c479e2a1adcea8b1fe86570e42abab0f10f364/filebeat-index-template.json
Upload the template to the filebeat index via curl
curl -XPUT 'http://localhost:9200/_template/filebeat?pretty' -d@filebeat-index-template.json
Configure Filebeat on client (nginx jail)
Install the Beats package
pkg install beats
Configure Filebeat in filebeat.yml. Generally you will want to do the following:
- uncomment and set the hosts with an appropriate IP address and port within the Logstash output section
hosts: ["10.0.0.50:5044"]
- specify the log files by commenting out the "- /var/log/*.log" line and adding the following
- /var/log/nginx/*.log
- specify the document type by adding the following
document_type: nginx-access
Enable Filebeat via rc.conf
sysrc filebeat_enable=yes
Start Filebeat
service filebeat start
Configure Filebeat on client (apache jail)
Install the Beats package
pkg install beats
Configure Filebeat in filebeat.yml. Generally you will want to do the following:
- uncomment and set the hosts with an appropriate IP address and port within the Logstash output section
hosts: ["10.0.0.50:5044"]
- specify the log files by commenting out the "- /var/log/*.log" line and adding the following
- /var/log/httpd-access.log
- /var/log/httpd-error.log
- specify the document type by adding the following
document_type: apache-access
Enable Filebeat via rc.conf
sysrc filebeat_enable=yes
Start Filebeat
service filebeat start
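As an added example (not part of the original wiki), this is how the three filebeat.yml edits listed for the nginx and apache jails fit together in one file. The filebeat.prospectors / output.logstash layout and the CA path are assumptions; match them to the filebeat.yml that the package installs.

```yaml
# Added example, not from the original wiki.
# Assumed layout: "filebeat.prospectors" and "output.logstash" top-level keys.

filebeat.prospectors:
  - paths:
      # Default entry from the stock file, commented out so that only the
      # web server logs are shipped:
      # - /var/log/*.log

      # nginx jail
      - /var/log/nginx/*.log

      # apache jail: use these two entries instead of the nginx one
      # - /var/log/httpd-access.log
      # - /var/log/httpd-error.log

    # Lets Logstash tell the sources apart.
    # nginx jail: nginx-access, apache jail: apache-access
    document_type: nginx-access

output.logstash:
  # Logstash beats input, as given on this page
  hosts: ["10.0.0.50:5044"]

  # With no ssl settings here, events travel to 10.0.0.50:5044 unencrypted.
  # Once TLS is under test (see the issue linked at the top of the page),
  # the CA that signed the Logstash certificate goes here.
  # The path is a placeholder, not a value from the wiki:
  # ssl.certificate_authorities: ["/path/to/logstash-ca.crt"]
```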