Overviewedit

Filebeat is a log data shipper initially based on the Logstash-Forwarder source code. Installed as an agent on your servers, Filebeat monitors the log directories or specific log files, tails the files, and forwards them either to Logstash for parsing or directly to Elasticsearch for indexing.

Here’s how Filebeat works: When you start Filebeat, it starts one or more prospectors that look in the paths you’ve specified for log files. For each log file that the prospector locates, Filebeat starts a harvester. Each harvester reads a single log file for new content and sends the new log data to the spooler, which aggregates the events and sends the aggregated data to the output that you’ve configured for Filebeat.

Beats design

Filebeat is a Beat, and it is based on the libbeat framework. General information about libbeat and setting up Elasticsearch, Logstash, and Kibana are covered in the Beats Platform Reference.