Filebeat 6 configuration in Ubuntu 16

OS             =    Ubuntu 16 64 bit

Elasticsearch Server    =    172.17.20.100:9200

Logstash Server     =    172.17.20.100:5044

Kibana Server        =    172.17.20.100:5601

cd /tmp/

wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.1.1-amd64.deb

dpkg -i filebeat-6.1.1-amd64.deb

           

Configure Filebeat

#============= Filebeat prospectors ==============

- type: log

# Change to true to enable this prospector configuration.

 enabled: true

# Paths that should be crawled and fetched. Glob based paths.

 paths:

    - /var/log/*.log

# Optional additional fields. These fields can be freely picked

# to add additional information to the crawled log files for filtering

# fields:

# level: debug

# review: 1

registry_file: /var/lib/filebeat/registry

#========== Elasticsearch template setting ===========

setup.template.settings:

 index.number_of_shards: 3

 #index.codec: best_compression

 #_source.enabled: false

 setup.template.name: "filebeat"

 setup.template.fields: "/etc/filebeat/fields.yml"

 setup.template.overwrite: false

===================== Kibana ===================

setup.kibana:

 # Kibana Host

 # Scheme and port can be left out and will be set to the default (http and 5601)

 # In case you specify and additional path, the scheme is required: http://localhost:5601/path

 # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601

 host: "172.17.20.100:5601"

#-------------------------- Elasticsearch output ------------------------------

#output.elasticsearch:

 # Array of hosts to connect to.

 hosts: ["172.17.20.100:9200"]

 template.name: filebeat

 template.path: filebeat.template.json

 # Optional protocol and basic auth credentials.

 #protocol: "https"

 #username: "elastic"

 #password: "changeme"

#----------------------------- Logstash output --------------------------------

output.logstash:

 # The Logstash hosts

 hosts: ["172.17.20.100:5044"]

 # Optional SSL. By default is off.

 # List of root certificates for HTTPS server verifications

 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

 # Certificate for SSL client authentication

 #ssl.certificate: "/etc/pki/client/cert.pem"

#==================== Logging ====================

# Sets log level. The default log level is info.

# Available log levels are: critical, error, warning, info, debug

#logging.level: debug

# At debug level, you can selectively enable logging only for some components.

# To enable all selectors use ["*"]. Examples of other selectors are "beat",

# "publish", "service".

#logging.selectors: ["*"]

Restart Filebeat

systemctl restart filebeat

Enable on every boot

systemctl enable filebeat