Configuring Logstash with Filebeat
In the post Configuring ELK stack to analyse Apache Tomcat logs we configured Logstash to pull data from a directory; in this post we will configure Filebeat to push data to Logstash. Before configuring, a brief word on why Filebeat is needed.
Why Filebeat?
Filebeat decouples the server where logs are generated from the machine where they are processed: a lightweight shipper on each source host forwards lines to a central Logstash, so the parsing load no longer sits on a single machine.
Now let's start with the configuration, following the steps below:
Step 1: Download and extract Filebeat in any directory, for me it's filebeat under the directory /Users/ArpitAggarwal/, as follows:
$ mkdir filebeat
$ cd filebeat
$ wget https://download.elastic.co/beats/filebeat/filebeat-1.0.0-darwin.tgz
$ tar -xvzf filebeat-1.0.0-darwin.tgz
Step 2: Replace the filebeat.yml content inside the directory /Users/ArpitAggarwal/filebeat/filebeat-1.0.0-darwin/ with the content below:
filebeat:
  prospectors:
    -
      paths:
        - /Users/ArpitAggarwal/tomcat/logs/*.log*
      input_type: log
      document_type: my_log
output:
  logstash:
    hosts: ["localhost:5000"]
  console:
    pretty: true
shipper:
logging:
  files:
    rotateeverybytes: 10485760 # = 10MB
The paths list is the set of files Filebeat tails (the trailing * in *.log* also picks up rotated files such as catalina.2015-12-01.log). document_type is published as the event's type field, which the Logstash configuration below tests. The console output prints every shipped event to stdout in addition to sending it to Logstash, which is handy while setting up and noisy afterwards. Note that the connection from Filebeat to Logstash is plaintext unless TLS is configured on both sides (the tls section of Filebeat's logstash output and the ssl options of the beats input); on anything other than a single host, do that, and restrict where the beats input listens with its host option rather than accepting connections on all interfaces.
Step 3: Start Filebeat as a background process, as follows:
$ cd filebeat/filebeat-1.0.0-darwin
$ ./filebeat -c filebeat.yml &
Step 4: Configure Logstash to receive data from Filebeat and output it to Elasticsearch running on localhost. First create a directory to hold the Logstash configuration file (and a sibling directory for grok patterns); for me they are logstash and patterns under /Users/ArpitAggarwal/, as follows:
$ cd /Users/ArpitAggarwal/
$ mkdir logstash patterns
$ cd logstash
$ touch logstash.conf
$ cd ../patterns
$ touch grok-patterns.txt
Copy the content below to logstash.conf:
input {
  beats {
    type => beats
    port => 5000
  }
}

filter {
  multiline {
    patterns_dir => "/Users/ArpitAggarwal/logstash/patterns"
    pattern => "\[%{TOMCAT_DATESTAMP}"
    what => "previous"
  }

  if [type] == "my_log" and "com.test.controller.log.LogController" in [message] {
    mutate {
      add_tag => [ "MY_LOG" ]
    }
    if "_grokparsefailure" in [tags] {
      drop { }
    }
    date {
      match => [ "timestamp", "UNIX_MS" ]
      target => "@timestamp"
    }
  } else {
    drop { }
  }
}

output {
  stdout { codec => rubydebug }
  if [type] == "my_log" {
    elasticsearch {
      manage_template => false
      hosts => ["localhost:9201"]
    }
  }
}
The type => beats on the input does not override the my_log type Filebeat already set, so the [type] == "my_log" test matches the shipped events. The multiline filter glues any line that does not start with a bracketed TOMCAT_DATESTAMP (a stack-trace line, for example) onto the previous event, so a Java exception arrives in Elasticsearch as one document. Note that the filter chain as written contains no grok stage: nothing populates the timestamp field the date filter matches on, and _grokparsefailure can never be in the tags, so until a grok stanza that extracts the timestamp is added, @timestamp stays at the time Logstash received the event.
Next, copy the contents of the file https://github.com/elastic/logstash/blob/v1.2.2/patterns/grok-patterns to patterns/grok-patterns.txt. Logstash resolves %{TOMCAT_DATESTAMP} from that directory, so confirm the copied file defines it before starting; otherwise the multiline filter fails to compile its pattern.
Step 5: Download and extract Logstash in any directory, for me it's logstash-installation under the directory /Users/ArpitAggarwal/, as follows:
$ cd /Users/ArpitAggarwal/
$ mkdir logstash-installation
$ cd logstash-installation
$ wget https://download.elastic.co/logstash/logstash/logstash-2.1.0.zip
$ unzip logstash-2.1.0.zip
Step 6: Validate the Logstash configuration file using the command below (this is where an undefined TOMCAT_DATESTAMP pattern or a typo in the conditionals shows up, before any data is touched):
$ cd /Users/ArpitAggarwal/logstash-installation/logstash-2.1.0/bin
$ ./logstash -f /Users/ArpitAggarwal/logstash/logstash.conf --configtest --verbose --debug
Step 7: Install the logstash-input-beats plugin and start Logstash as a background process, so that data received from Filebeat is pushed to Elasticsearch. Filebeat, started in Step 3, retries the connection to localhost:5000 until this listener is up:
$ cd /Users/ArpitAggarwal/logstash-installation/logstash-2.1.0/bin
$ ./plugin install logstash-input-beats
$ ./logstash -f /Users/ArpitAggarwal/logstash/logstash.conf &
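Two checks worth running around Steps 3 and 7 are whether the beats listener is actually accepting connections before Filebeat is pointed at it, and whether Filebeat has advanced its read offsets afterwards. The following Python helpers are an added example, not code from the original post or from Elastic; the registry format they parse (the Filebeat 1.x .filebeat file as a JSON object keyed by file path, each entry carrying an offset) is an assumption, and the two registry snapshots are constructed.

```python
"""Pre-flight and post-run checks for the Filebeat -> Logstash chain.
Added example, not the original post's code. Assumes the Filebeat 1.x registry
layout: a JSON object keyed by file path, each entry carrying an "offset"."""
import json
import socket
import time
from contextlib import contextmanager


def wait_for_listener(host, port, timeout=5.0, interval=0.2):
    """True once host:port accepts TCP connections. Run this against the beats
    input (localhost:5000) before starting Filebeat; with nothing listening
    Filebeat only logs connection errors and backs off."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return True
        except OSError:
            if time.monotonic() >= deadline:
                return False
            time.sleep(interval)


def registry_offsets(registry_text):
    """Map file path -> read offset from the registry file (.filebeat)."""
    return {path: int(state["offset"]) for path, state in json.loads(registry_text).items()}


def advanced_paths(before, after):
    """Files whose offset grew between two registry snapshots: the files
    Filebeat has actually shipped from since the first snapshot."""
    return sorted(p for p, off in after.items() if off > before.get(p, 0))


@contextmanager
def temp_listener():
    """Loopback stand-in for the beats input on a free port, for a dry run."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


# Constructed registry snapshots (not real files): before a run, and after it.
REGISTRY_BEFORE = json.dumps({
    "/Users/ArpitAggarwal/tomcat/logs/catalina.out":
        {"source": "/Users/ArpitAggarwal/tomcat/logs/catalina.out", "offset": 0},
})
REGISTRY_AFTER = json.dumps({
    "/Users/ArpitAggarwal/tomcat/logs/catalina.out":
        {"source": "/Users/ArpitAggarwal/tomcat/logs/catalina.out", "offset": 4096},
    "/Users/ArpitAggarwal/tomcat/logs/localhost_access_log.txt":
        {"source": "/Users/ArpitAggarwal/tomcat/logs/localhost_access_log.txt", "offset": 0},
})


def self_check():
    """Dry run: listener detection against a real loopback socket, a refused
    connection once that socket is closed, and the offset comparison."""
    with temp_listener() as port:
        listener_ok = wait_for_listener("127.0.0.1", port, timeout=2)
    # the port is closed now, so this must come back False, and quickly
    refused_ok = wait_for_listener("127.0.0.1", port, timeout=0.5) is False
    advanced = advanced_paths(registry_offsets(REGISTRY_BEFORE), registry_offsets(REGISTRY_AFTER))
    return listener_ok, refused_ok, advanced


if __name__ == "__main__":
    print(self_check())
```

In use, call wait_for_listener("localhost", 5000) after Step 7 and before Step 3, and diff registry_offsets() of the .filebeat file in Filebeat's working directory taken a minute apart: a path whose offset does not grow while the application is writing to it is one Filebeat is not reading, usually because the paths glob in filebeat.yml does not match it.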
Reference: Configuring Logstash with Filebeat from our JCG partner Arpit Aggarwal at the Arpit Aggarwal blog.
Nice post. Can you add verification steps after each configuration? It would be really helpful.