Configure inputs
editConfigure inputs
editFilebeat modules provide the fastest getting started experience for common log formats. See Quick start: installation and configuration to learn how to get started.
To configure Filebeat manually (instead of using
modules), you specify a list of inputs in the
filebeat.inputs
section of the filebeat.yml
. Inputs specify how
Filebeat locates and processes input data.
The list is a YAML array, so each input begins with
a dash (-
). You can specify multiple inputs, and you can specify the same
input type more than once. For example:
filebeat.inputs: - type: filestream id: my-filestream-id paths: - /var/log/system.log - /var/log/wifi.log - type: filestream id: apache-filestream-id paths: - "/var/log/apache2/*" fields: apache: true fields_under_root: true
For the most basic configuration, define a single input with a single path. For example:
filebeat.inputs: - type: filestream id: my-filestream-id paths: - /var/log/*.log
The input in this example harvests all files in the path /var/log/*.log
, which
means that Filebeat will harvest all files in the directory /var/log/
that end with .log
. All patterns supported by
Go Glob are also supported here.
To fetch all files from a predefined level of subdirectories, use this pattern:
/var/log/*/*.log
. This fetches all .log
files from the subfolders of
/var/log
. It does not fetch log files from the /var/log
folder itself.
Currently it is not possible to recursively fetch all files in all
subdirectories of a directory.
Input types
editYou can configure Filebeat to use the following inputs:
- AWS CloudWatch
- AWS S3
- Azure Event Hub
- Azure Blob Storage
- Benchmark
- CEL
- Cloud Foundry
- CometD
- Container
- Entity Analytics
- ETW
- filestream
- GCP Pub/Sub
- Google Cloud Storage
- HTTP Endpoint
- HTTP JSON
- journald
- Kafka
- Log (deprecated in 7.16.0, use filestream)
- MQTT
- NetFlow
- Office 365 Management Activity API
- Redis
- Salesforce
- Stdin
- Streaming
- Syslog
- TCP
- UDP
- Unified Logs
- Unix
- winlog