Step 3: Configuring Filebeat to Use Logstashedit

Prerequisite: To use Logstash as an output, you must also set up Logstash to receive events from Beats.

If you want to use Logstash to perform additional processing on the data collected by Filebeat, you need to configure Filebeat to use Logstash.

To do this, you edit the Filebeat configuration file to disable the Elasticsearch output by commenting it out and enable the Logstash output by uncommenting the logstash section:

#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["127.0.0.1:5044"]

The hosts option specifies the Logstash server and the port (5044) where Logstash is configured to listen for incoming Beats connections.

For this configuration, you must load the index template into Elasticsearch manually because the options for auto loading the template are only available for the Elasticsearch output.

Tip

To test your configuration file, change to the directory where the Filebeat binary is installed, and run Filebeat in the foreground with the following options specified: ./filebeat -configtest -e. Make sure your config files are in the path expected by Filebeat (see Directory Layout). If you installed from DEB or RPM packages, run ./filebeat.sh -configtest -e.