Filebeat client is a lightweight, resource-friendly tool that collects logs from files on the server and forwards these logs to your Logstash instance for processing. Filebeat is designed for reliability and low latency. Filebeat has a light resource footprint on the host machine, and the Beats input plugin minimizes the resource demands on the Logstash instance.
Prerequisite
To get started, go here to download the sample data set used in this example. Unpack the file.
$ wget https://download.elastic.co/demos/logstash/gettingstarted/logstash-tutorial.log.gz
Step 1 – Download your preferred beat. e.g filebeat
Using – https://www.elastic.co/downloads/beats/
Step 2 – Install a filebeat
Using – https://www.elastic.co/downloads/beats/filebeat
$ sudo yum install wget -y
$ wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.15.0-linux-x86_64.tar.gz
$ tar -zxvf filebeat-7.15.0-linux-x86_64.tar.gz
Step 3 – Configure a filebeat.yml with a some log file
Open the filebeat.yml file located in your Filebeat installation directory, and replace the contents with the following lines. Make sure paths points to the example Apache log file, logstash-tutorial.log, that you downloaded earlier:
$ vi filebeat-7.15.0-linux-x86_64/filebeat.yml
enabled: true
filebeat.inputs:
- type: log
paths:
- /path/to/file/logstash-tutorial.log
output.logstash:
hosts: ["localhost:5044"]
Step 4 – Start a logbeat
$ cd filebeat-7.2.0-linux-x86_64/
$ sudo chown root filebeat.yml
$ sudo ./filebeat -e -c filebeat.yml -d "publish"To run filebeat as a background process
$ sudo ./filebeat -e -c filebeat.yml -d "publish" &
$ screen -d -m ./filebeat -e -c filebeat.yml -d "publish"Filebeat will attempt to connect on port 5044. Until Logstash starts with an active Beats plugin, there won’t be any answer on that port, so any messages you see regarding failure to connect on that port are normal for now.
Configuration file of filebeats
To delete the Filebeat registry file
For example, run:
$ cd /home/ec2-user/filebeat-7.2.0-linux-x86_64
$ sudo rm -rf data/registry
$ sudo chown root filebeat.yml
$ sudo ./filebeat -e -c filebeat.yml -d "publish"
$ sudo ./filebeat -e -c filebeat.yml -d "publish"
- DevOps Certified Professionals (DCP)
- Site Reliability Engineering Certified Professionals (SRECP)
- Master in DevOps Engineering (MDE)
- DevSecOps Certified Professionals (DSOCP)
URL - https://www.devopsschool.com/certification/
My Linkedin - https://www.linkedin.com/in/rajeshkumarin
- Apache Lucene Query Example - April 8, 2024
- Google Cloud: Step by Step Tutorials for setting up Multi-cluster Ingress (MCI) - April 7, 2024
- What is Multi-cluster Ingress (MCI) - April 7, 2024
