Filebeat modules provide the fastest getting started experience for common log formats. See Quick Start for Common Log Formats to learn how to get started with modules. If you use Filebeat modules to get started, you can skip the content in this section, including the remaining getting started steps, and go directly to the Quick Start for Common Log Formats page.
To configure Filebeat, you edit the configuration file. For rpm and deb,
you’ll find the configuration file at
Docker, it’s located at
/usr/share/filebeat/filebeat.yml. For mac and win,
look in the archive that you just extracted. There’s also a full example
configuration file called
filebeat.full.yml that shows all non-deprecated
See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.
Here is a sample of the
filebeat section of the
filebeat.yml file. Filebeat uses predefined
default values for most configuration options.
filebeat.prospectors: - input_type: log paths: - /var/log/*.log #- c:\programdata\elasticsearch\logs\*
To configure Filebeat:
Define the path (or paths) to your log files.
For the most basic Filebeat configuration, you can define a single prospector with a single path. For example:
filebeat.prospectors: - input_type: log paths: - /var/log/*.log
The prospector in this example harvests all files in the path
/var/log/*.log, which means that Filebeat will harvest all files in the directory
/var/log/that end with
.log. All patterns supported by Golang Glob are also supported here.
To fetch all files from a predefined level of subdirectories, the following pattern can be used:
/var/log/*/*.log. This fetches all
.logfiles from the subfolders of
/var/log. It does not fetch log files from the
/var/logfolder itself. Currently it is not possible to recursively fetch all files in all subdirectories of a directory.
If you are sending output to Elasticsearch, set the IP address and port where Filebeat can find the Elasticsearch installation:
output.elasticsearch: hosts: ["192.168.1.42:9200"]
If you are sending output to Logstash, see Step 3: Configuring Filebeat to Use Logstash instead.
To test your configuration file, change to the directory where the Filebeat
binary is installed, and run Filebeat in the foreground with the following
./filebeat -configtest -e. Make sure your config files are
in the path expected by Filebeat (see Directory Layout). If you
installed from DEB or RPM packages, run
./filebeat.sh -configtest -e.
Before starting Filebeat, you should look at the configuration options in the
configuration file, for example
C:\Program Files\Filebeat\filebeat.yml or
/etc/filebeat/filebeat.yml. For more information about these options,
see Configuration Options (Reference).