CentOS 7
Sponsored Link

Elastic Stack 5 : Install Filebeat
2017/05/11
 
Install Filebeat that easily ships log file data to Elasticsearch or Logstash.
[1] Install Filebeat. Configure Elasticsearch repository before it.
[root@dlp ~]#
yum -y install filebeat
[2] Configure basic settings and start Filebeat.
[root@dlp ~]#
vi /etc/filebeat/filebeat.yml
# line 18: set items

# by default, /var/log/*.log files are shiped

- input_type: log

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines thh
at are
  # matching any regular expression from the list.
  #exclude_lines: ["^DBG"]

  # Include lines. A list of regular expressions to match. It exports the lines
that are
  # matching any regular expression from the list.
  #include_lines: ["^ERR", "^WARN"]

  # Exclude files. A list of regular expressions to match. Filebeat drops the fii
les that
  # are matching any regular expression from the list. By default, no files are
dropped.
  #exclude_files: [".gz$"]

.....
.....
# line 81: specify output destination

# by default, it set to Elasticsearch on localhost

# if output to Logstash, comment out there lines and uncomment the line 91,93

output.elasticsearch:
  # Array of hosts to connect to.l
  hosts: ["localhost:9200"]

.....
.....

#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]
[root@dlp ~]#
systemctl start filebeat

[root@dlp ~]#
systemctl enable filebeat
[3] Make sure the data has been collected normally.
# index list

[root@dlp ~]#
curl localhost:9200/_cat/indices?v 

health status index                 uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   metricbeat-2017.05.12 YvHWPjbgS12e_oU5Ddi3rA   5   1     226783            0     57.5mb         57.5mb
yellow open   packetbeat-2017.05.12 ZzVaYEjYSNyRGMIHNEaVnw   5   1       2517            0        1mb            1mb
yellow open   filebeat-2017.05.12   P6KJJIBDTcK4m4OzYT1lbA   5   1        399            0    131.7kb        131.7kb
yellow open   sshd_fail-2017.05     owhoRGiwTWGdZaqKAMw66g   5   1         81            0    219.6kb        219.6kb
yellow open   .kibana               FGjE6bGUTlioELtM_QynMQ   1   1        213           19    306.1kb        306.1kb
# document list on the index

[root@dlp ~]#
curl localhost:9200/filebeat-2017.05.12/_search?pretty 

{
  "took" : 3,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 399,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "filebeat-2017.05.12",
        "_type" : "log",
.....
.....
[4] If Kibana is running, it's possible to use import script to Dashboard.
[root@dlp ~]#
/usr/share/filebeat/scripts/import_dashboards -only-index

Create temporary directory /tmp/tmp315877661
Downloading https://artifacts.elastic.co/downloads/beats/beats-dashboards/beats-dashboards-5.4.0.zip
Unzip archive /tmp/tmp315877661
Importing Kibana from /tmp/tmp315877661/beats-dashboards-5.4.0/filebeat
Import directory /tmp/tmp315877661/beats-dashboards-5.4.0/filebeat/index-pattern
.....
.....
 
Tweet