Stream any log file

Required role

The Admin role or higher is required to onboard log data. To learn more, refer to Assign user roles and privileges.

This guide shows you how to send a log file to your Observability project using a standalone Elastic Agent and configure the Elastic Agent and your data streams using the elastic-agent.yml file, and query your logs using the data streams you’ve set up.

The quickest way to get started is using the Monitor hosts with Elastic Agent quickstart. Refer to the quickstart documentation for more information.

To install and configure the Elastic Agent manually, refer to Manually install and configure the standalone Elastic Agent.

Manually install and configure the standalone Elastic Agent

edit

If you’re not using the guided instructions, follow these steps to manually install and configure your the Elastic Agent.

Step 1: Download and extract the Elastic Agent installation package

edit

On your host, download and extract the installation package that corresponds with your system:

Step 2: Install and start the Elastic Agent

edit

After downloading and extracting the installation package, you’re ready to install the Elastic Agent. From the agent directory, run the install command that corresponds with your system:

On macOS, Linux (tar package), and Windows, run the install command to install and start Elastic Agent as a managed service and start the service. The DEB and RPM packages include a service unit for Linux systems with systemd, For these systems, you must enable and start the service.

During installation, you’ll be prompted with some questions:

When asked if you want to install the agent as a service, enter Y.
When asked if you want to enroll the agent in Fleet, enter n.

Step 3: Configure the Elastic Agent

edit

After your agent is installed, configure it by updating the elastic-agent.yml file.

Locate your configuration fileedit

You’ll find the elastic-agent.yml in one of the following locations according to your system:

Update your configuration fileedit

Update the default configuration in the elastic-agent.yml file manually. It should look something like this:

outputs:
  default:
    type: elasticsearch
    hosts: '<your-elasticsearch-endpoint>:<port>'
    api_key: 'your-api-key'
inputs:
  - id: your-log-id
    type: filestream
    streams:
      - id: your-log-stream-id
        data_stream:
          dataset: example
        paths:
          - /var/log/your-logs.log

You need to set the values for the following fields:

Field	Value
`hosts`	Copy the Elasticsearch endpoint from your project’s page and add the port (the default port is `443`). For example, `https://my-deployment.es.us-central1.gcp.cloud.es.io:443`. If you’re following the guided instructions in your project, the Elasticsearch endpoint will be prepopulated in the configuration file. If you need to find your project’s Elasticsearch endpoint outside the guided instructions: Go to the Projects page that lists all your projects. Click Manage next to the project you want to connect to. Click View next to Endpoints. Copy the Elasticsearch endpoint.
`api-key`	Use an API key to grant the agent access to your project. The API key format should be `<id>:<key>`. If you’re following the guided instructions in your project, an API key will be autogenerated and will be prepopulated in the downloadable configuration file. If configuring the Elastic Agent manually, create an API key: Navigate to Project settings → Management → API keys and click Create API key. Select Restrict privileges and add the following JSON to give privileges for ingesting logs. { "standalone_agent": { "cluster": [ "monitor" ], "indices": [ { "names": [ "logs--" ], "privileges": [ "auto_configure", "create_doc" ] } ] } } You must set the API key to configure Beats. Immediately after the API key is generated and while it is still being displayed, click the Encoded button next to the API key and select Beats from the list in the tooltip. Base64 encoded API keys are not currently supported in this configuration.
`inputs.id`	A unique identifier for your input.
`type`	The type of input. For collecting logs, set this to `filestream`.
`streams.id`	A unique identifier for your stream of log data.
`data_stream.dataset`	The name for your dataset data stream. Name this data stream anything that signifies the source of the data. In this configuration, the dataset is set to `example`. The default value is `generic`.
`paths`	The path to your log files. You can also use a pattern like `/var/log/your-logs.log*`.

Restart the Elastic Agentedit

After updating your configuration file, you need to restart the Elastic Agent.

First, stop the Elastic Agent and its related executables using the command that works with your system:

Next, restart the Elastic Agent using the command that works with your system:

Troubleshoot your Elastic Agent configuration

edit

If you’re not seeing your log files in your project, verify the following in the elastic-agent.yml file:

The path to your logs file under paths is correct.
Your API key is in <id>:<key> format. If not, your API key may be in an unsupported format, and you’ll need to create an API key in Beats format.

If you’re still running into issues, refer to Elastic Agent troubleshooting and Configure standalone Elastic Agents.

Next steps

edit

After you have your agent configured and are streaming log data to your project:

Refer to the Parse and organize logs documentation for information on extracting structured fields from your log data, rerouting your logs to different data streams, and filtering and aggregating your log data.
Refer to the Filter and aggregate logs documentation for information on filtering and aggregating your log data to find specific information, gain insight, and monitor your systems more efficiently.

« Get started with system logs Stream application logs »