WARNING: Version 6.2 of Filebeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Step 2: Configure Filebeat
Filebeat modules provide the fastest getting started experience for common log formats. See Quick start for common log formats to learn how to get started with modules. If you use Filebeat modules to get started, you can skip the content in this section, including the remaining getting started steps, and go directly to the Quick start for common log formats page.
To configure Filebeat, you edit the configuration file. For rpm and deb, you’ll find the configuration file at /etc/filebeat/filebeat.yml. Under Docker, it’s located at /usr/share/filebeat/filebeat.yml. For mac and win, look in the archive that you just extracted. There’s also a full example configuration file called filebeat.reference.yml that shows all non-deprecated options.
See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.
Here is a sample of the filebeat section of the filebeat.yml file. Filebeat uses predefined default values for most configuration options.

    filebeat.prospectors:
    - type: log
      enabled: true
      paths:
        - /var/log/*.log
        #- c:\programdata\elasticsearch\logs\*

To configure Filebeat:
- Define the path (or paths) to your log files.

  For the most basic Filebeat configuration, you can define a single prospector with a single path. For example:

      filebeat.prospectors:
      - type: log
        enabled: true
        paths:
          - /var/log/*.log

  The prospector in this example harvests all files in the path /var/log/*.log, which means that Filebeat will harvest all files in the directory /var/log/ that end with .log. All patterns supported by Golang Glob are also supported here.

  To fetch all files from a predefined level of subdirectories, the following pattern can be used: /var/log/*/*.log. This fetches all .log files from the subfolders of /var/log. It does not fetch log files from the /var/log folder itself. Currently it is not possible to recursively fetch all files in all subdirectories of a directory.

- If you are sending output directly to Elasticsearch (and not using Logstash), set the IP address and port where Filebeat can find the Elasticsearch installation:

      output.elasticsearch:
        hosts: ["192.168.1.42:9200"]

  If you are sending output to Logstash, make sure you configure the Logstash output in Step 3: Configure Filebeat to use Logstash.

- If you plan to use the sample Kibana dashboards provided with Filebeat, configure the Kibana endpoint:

      setup.kibana:
        host: "localhost:5601"

  Where host is the hostname and port of the machine where Kibana is running, for example, localhost:5601.

  If you specify a path after the port number, you need to include the scheme and port: http://localhost:5601/path.

- If you’ve secured Elasticsearch and Kibana, you need to specify credentials in the config file before you run the commands that set up and start Filebeat. For example:

      output.elasticsearch:
        hosts: ["myEShost:9200"]
        username: "elastic"
        password: "elastic"
      setup.kibana:
        host: "mykibanahost:5601"
        username: "elastic"
        password: "elastic"

  The username and password settings for Kibana are optional. If you don’t specify credentials for Kibana, Filebeat uses the username and password specified for the Elasticsearch output.

  If you are planning to set up the Kibana dashboards, the user must have the kibana_user built-in role or equivalent privileges.

  Also see the security-related options described in Set up the Kibana endpoint and Configure the Elasticsearch output.

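Because * in a prospector path never crosses a directory boundary and there is no recursive pattern, some log files on a host can go unharvested without any error. The Go program below is an added example, not part of the Filebeat documentation or code base: it reports which files a set of path patterns would miss. The uncovered function and the file inventory are constructed for illustration, and it assumes path.Match, which uses the pattern syntax that Go's Glob relies on with "/" as the separator.

```go
package main

import (
	"fmt"
	"path"
)

// uncovered returns the files that none of the prospector path patterns match.
// Hypothetical helper for this example; path.Match treats "/" as the separator,
// so "*" matches within one directory level only.
func uncovered(patterns, files []string) ([]string, error) {
	var missed []string
nextFile:
	for _, f := range files {
		for _, p := range patterns {
			ok, err := path.Match(p, f)
			if err != nil {
				return nil, fmt.Errorf("bad pattern %q: %w", p, err)
			}
			if ok {
				continue nextFile
			}
		}
		missed = append(missed, f)
	}
	return missed, nil
}

// Constructed sample inventory of log files on a host (not real data).
var sampleFiles = []string{
	"/var/log/auth.log",
	"/var/log/syslog",
	"/var/log/nginx/access.log",
	"/var/log/app/api/error.log",
}

func main() {
	sets := [][]string{{"/var/log/*.log"}, {"/var/log/*/*.log"}, {"/var/log/*.log", "/var/log/*/*.log"}}
	for _, pats := range sets {
		missed, err := uncovered(pats, sampleFiles)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%v does not harvest %v\n", pats, missed)
	}
}
```
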
To test your configuration file, change to the directory where the Filebeat binary is installed, and run Filebeat in the foreground with the following options specified: ./filebeat test config -e. Make sure your config files are in the path expected by Filebeat (see Directory layout), or use the -c flag to specify the path to the config file.
Before starting Filebeat, you should look at the configuration options in the configuration file. For more information about these options, see Configuring Filebeat.