Filebeat

Configuration of log shipper 'Filebeat'

This section explains how you can configure 'Filebeat' as a log shipper.

For the Filebeat component to send log details to the Event Gateway, users have to configure two elements:

  1. Event Gateway Endpoint

  2. Filebeat configuration

Step 1:

An example of an Event Gateway Endpoint configuration is shown in the configuration snippet below.

endpoints:
- name: fb1 # URL is implicit, http://ip:port/fb1
  type: filebeat
  stream: filebeat_1_logs
  ssl: true
  enabled: true
  xpack_features: min
  attrs:
    site_code: dataccenter2
    archive_name: filebeat_logs
  port: 9200

Step 2: Update the hosts details in the /etc/filebeat/filebeat.yml file using your favorite editor (e.g. vi).

An example of a Linux-based Filebeat configuration is shown in the configuration snippet below.

output.elasticsearch:
  # Boolean flag to enable or disable the output module.
  enabled: true

  # Array of hosts to connect to.
  # Scheme and port can be left out and will be set to the default (http and 9200)
  # In case you specify an additional path, the scheme is required: http://localhost:9200/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
  hosts: ["http://<event-gateway>:9200/fb1"]
  protocol: "http"
  ssl.enabled: false
  #ssl.verification_mode: none

Step 3: Restart the Filebeat service (as shown in the code snippet below).

# Restart filebeat services 
bash# sudo systemctl stop filebeat
bash# sudo systemctl start filebeat

Note: To run the above commands, the user must have 'sudo' privileges or run the commands as root to enable the required ports.
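
The Step 1 endpoint sets ssl: true, while the Step 2 snippet sends events over plain HTTP with ssl.enabled: false. The following is an added example, not part of the original documentation, of the same output section with TLS and certificate verification turned on. It assumes the fb1 endpoint accepts HTTPS on port 9200; the CA file path is a placeholder.

```yaml
# Added example: /etc/filebeat/filebeat.yml output section using TLS.
# Assumption: the Event Gateway endpoint "fb1" (ssl: true) serves HTTPS on port 9200.
output.elasticsearch:
  # Boolean flag to enable or disable the output module.
  enabled: true

  # https scheme, so log events are not sent in cleartext.
  hosts: ["https://<event-gateway>:9200/fb1"]
  protocol: "https"
  ssl.enabled: true

  # "full" validates the certificate chain and checks that the certificate
  # matches the host name in `hosts`. "none" (the commented-out line in
  # Step 2) skips both checks and accepts any certificate.
  ssl.verification_mode: full

  # Placeholder path: PEM file of the CA that issued the Event Gateway certificate.
  ssl.certificate_authorities: ["/etc/filebeat/certs/<event-gateway-ca>.pem"]
```

Before restarting the service, `filebeat test config` checks the file syntax and `filebeat test output` checks the connection, including the TLS handshake, to the configured host.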
