Difference between revisions of "Filebeat"
From DarkWiki
(→Installation on Ubuntu) |
(→Configuration) |
||
| (5 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
<source lang="bash"> | <source lang="bash"> | ||
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - | wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - | ||
| − | |||
sudo apt-get install apt-transport-https | sudo apt-get install apt-transport-https | ||
| − | |||
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list | echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list | ||
| + | sudo apt-get update && sudo apt-get install filebeat | ||
| + | sudo update-rc.d filebeat defaults 95 10 | ||
| + | </source> | ||
| − | + | ==Configuration== | |
| − | + | Stored as <code>/etc/filebeat/filebeat.yml</code> | |
| + | <source lang="yaml"> | ||
| + | filebeat.inputs: | ||
| + | - type: log | ||
| + | enabled: true | ||
| + | paths: | ||
| + | - /var/log/*.log | ||
| + | - type: container | ||
| + | enabled: true | ||
| + | paths: | ||
| + | - "/var/lib/docker/containers/*/*.log" | ||
| + | exclude_files: | ||
| + | - "/var/lib/docker/containers/5498a596deae9e6dee765cef2f4110a545703eff151bbf113e4bb33f40470176/5498a596deae9e6dee765cef2f4110a545703eff151bbf113e4bb33f40470176-json.log" | ||
| + | tags: ["json"] | ||
| + | json.keys_under_root: true | ||
| + | #json.add_error_key: true | ||
| + | #json.message_key: log | ||
| + | filebeat.config.modules: | ||
| + | path: ${path.config}/modules.d/*.yml | ||
| + | reload.enabled: false | ||
| + | setup.template.settings: | ||
| + | index.number_of_shards: 1 | ||
| + | setup.kibana: | ||
| + | output.logstash: | ||
| + | hosts: ["localhost:5044"] | ||
| + | ssl.enabled: true | ||
| + | ssl.verification_mode: none | ||
| + | ssl.certificate: "/etc/filebeat/logstash-beats.crt" | ||
| + | ssl.key: "/etc/filebeat/logstash-beats.key" | ||
| + | processors: | ||
| + | - add_host_metadata: ~ | ||
| + | - add_docker_metadata: | ||
| + | host: "unix:///var/run/docker.sock" | ||
| + | match_fields: ["system.process.cgroup.id"] | ||
| + | match_pids: ["process.pid", "process.ppid"] | ||
| + | match_source: true | ||
| + | match_source_index: 4 | ||
| + | match_short_id: false | ||
| + | cleanup_timeout: 60 | ||
| + | labels.dedot: false | ||
</source> | </source> | ||
Latest revision as of 13:33, 9 September 2019
Installation on Ubuntu
From repositories (see https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html)
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update && sudo apt-get install filebeat
sudo update-rc.d filebeat defaults 95 10
Configuration
Stored as /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/*.log
- type: container
enabled: true
paths:
- "/var/lib/docker/containers/*/*.log"
exclude_files:
- "/var/lib/docker/containers/5498a596deae9e6dee765cef2f4110a545703eff151bbf113e4bb33f40470176/5498a596deae9e6dee765cef2f4110a545703eff151bbf113e4bb33f40470176-json.log"
tags: ["json"]
json.keys_under_root: true
#json.add_error_key: true
#json.message_key: log
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
setup.template.settings:
index.number_of_shards: 1
setup.kibana:
output.logstash:
hosts: ["localhost:5044"]
ssl.enabled: true
ssl.verification_mode: none
ssl.certificate: "/etc/filebeat/logstash-beats.crt"
ssl.key: "/etc/filebeat/logstash-beats.key"
processors:
- add_host_metadata: ~
- add_docker_metadata:
host: "unix:///var/run/docker.sock"
match_fields: ["system.process.cgroup.id"]
match_pids: ["process.pid", "process.ppid"]
match_source: true
match_source_index: 4
match_short_id: false
cleanup_timeout: 60
labels.dedot: false
