Overview

Filebeat is a log data shipper for local files. Installed as an agent on your servers, Filebeat monitors the log directories or specific log files, tails the files, and forwards them either to Elasticsearch or Logstash for indexing.

Here’s how Filebeat works: When you start Filebeat, it starts one or more prospectors that look in the local paths you’ve specified for log files. For each log file that the prospector locates, Filebeat starts a harvester. Each harvester reads a single log file for new content and sends the new log data to the spooler, which aggregates the events and sends the aggregated data to the output that you’ve configured for Filebeat.

Beats design

For more information about prospectors and harvesters, see How Filebeat Works.

Filebeat is a Beat, and it is based on the libbeat framework. General information about libbeat and setting up Elasticsearch, Logstash, and Kibana are covered in the Beats Platform Reference.