WARNING: Version 5.4 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Configuring Packetbeat to Use Logstash
editConfiguring Packetbeat to Use Logstash
editPrerequisite: To use Logstash as an output, you must also set up Logstash to receive events from Beats.
If you want to use Logstash to perform additional processing on the data collected by Packetbeat, you need to configure Packetbeat to use Logstash.
To do this, you edit the Packetbeat configuration file to disable the Elasticsearch output by commenting it out and enable the Logstash output by uncommenting the logstash section:
#----------------------------- Logstash output -------------------------------- output.logstash: hosts: ["127.0.0.1:5044"]
The hosts
option specifies the Logstash server and the port (5044
) where Logstash is configured to listen for incoming
Beats connections.
For this configuration, you must load the index template into Elasticsearch manually because the options for auto loading the template are only available for the Elasticsearch output.
To test your configuration file, change to the directory where the Packetbeat
binary is installed, and run Packetbeat in the foreground with the following
options specified: ./packetbeat -configtest -e
. Make sure your config files are
in the path expected by Packetbeat (see Directory Layout). If you
installed from DEB or RPM packages, run ./packetbeat.sh -configtest -e
.