Plaintext logs with Filebeat
Use Filebeat to parse and ingest raw, plain-text application logs.
Requirements
- (Optional) Elastic APM agent for your programming language (for log correlation)
- Raw, plain-text application logs stored on the file system
- Filebeat configured to monitor and capture application logs
Pros
- All programming languages/frameworks are supported
- Existing application logs can be ingested
- Does not require modification of the application or its configuration, unless log correlation is required
Cons
- Must parse application logs to be useful—meaning writing and maintaining Grok patterns and spending CPU cycles on parsing
- Parsing is tied to the application log format, meaning it can differ per application and needs to be maintained over time
- Log correlation requires modifying the application log format and injecting IDs into log messages
Step 1: Use Filebeat to ingest logs
- Follow the Filebeat quick start to learn how to install Filebeat and connect to the Elastic Stack.
- Configure the filebeat.yaml file to start collecting log data.
- Add the following configuration to your filebeat.yaml file to start collecting log data.
- Make sure your application logs to stdout/stderr.
- Follow the Run Filebeat on Kubernetes guide.
- Enable hints-based autodiscover (uncomment the corresponding section in filebeat-kubernetes.yaml).
- Make sure your application logs to stdout/stderr.
- Follow the Run Filebeat on Docker guide.
- Enable hints-based autodiscover.
Step 2: Parse logs at ingest time
A downside of plaintext logs is that you can’t aggregate or search on the fields within the logs. To enable these features, you’ll need to parse the contents of your logs into ECS-compatible fields.
To learn how to use the Grok processor to parse application logs before indexing, see Example: Parse logs in the Common Log Format.
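As an added illustration (not part of the original guide), the request body below can be sent to `POST _ingest/pipeline/_simulate` to try a Grok-based pipeline against sample lines before indexing anything. The pattern targets the Common Log Format; both log lines are constructed, and the second deliberately does not match, so the pipeline-level `on_failure` handler keeps it and flags it instead of rejecting the document.

```json
{
  "pipeline": {
    "description": "Added example: parse Common Log Format lines into ECS fields",
    "processors": [
      {
        "grok": {
          "field": "message",
          "patterns": [
            "%{IPORHOST:source.ip} %{USER:user.id} %{USER:user.name} \\[%{HTTPDATE:@timestamp}\\] \"%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}\" %{NUMBER:http.response.status_code:int} %{NUMBER:http.response.body.bytes:int}"
          ]
        }
      },
      {
        "date": {
          "field": "@timestamp",
          "formats": ["dd/MMM/yyyy:HH:mm:ss Z"]
        }
      }
    ],
    "on_failure": [
      {
        "set": {
          "field": "event.kind",
          "value": "pipeline_error"
        }
      },
      {
        "set": {
          "field": "error.message",
          "value": "{{ _ingest.on_failure_message }}"
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "message": "192.0.2.10 - alice [30/Apr/2024:14:30:17 -0500] \"GET /index.html HTTP/1.1\" 200 3638"
      }
    },
    {
      "_source": {
        "message": "2024-04-30 14:30:18 ERROR payment failed for order 1182"
      }
    }
  ]
}
```

Searching for `event.kind: pipeline_error` afterwards surfaces lines whose format has drifted from the pattern, which would otherwise be indexed only as an unparsed `message`.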
Step 3: Correlate your logs
Correlating your application logs with trace events allows you to:
- view the context of a log and the parameters a user provided
- view all logs belonging to a particular trace
- easily move between logs and traces when debugging application issues in Kibana
Learn more about log correlation in the APM Guide: log correlation, or in any of the agent-specific ingestion guides:
Step 4: View your logs in Kibana
Use the APM or Logs UI to search, filter, and visualize your logs.