Step 2: Configure Filebeatedit

Tip

Filebeat modules provide the fastest getting started experience for common log formats. See Quick start for common log formats to learn how to get started with modules. If you use Filebeat modules to get started, you can skip the content in this section, including the remaining getting started steps, and go directly to the Quick start for common log formats page.

To configure Filebeat, you edit the configuration file. For rpm and deb, you’ll find the configuration file at /etc/filebeat/filebeat.yml. Under Docker, it’s located at /usr/share/filebeat/filebeat.yml. For mac and win, look in the archive that you just extracted. There’s also a full example configuration file called filebeat.reference.yml that shows all non-deprecated options.

See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.

Here is a sample of the filebeat section of the filebeat.yml file. Filebeat uses predefined default values for most configuration options.

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

To configure Filebeat:

  1. Define the path (or paths) to your log files.

    For the most basic Filebeat configuration, you can define a single input with a single path. For example:

    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        - /var/log/*.log

    The input in this example harvests all files in the path /var/log/*.log, which means that Filebeat will harvest all files in the directory /var/log/ that end with .log. All patterns supported by Golang Glob are also supported here.

    To fetch all files from a predefined level of subdirectories, the following pattern can be used: /var/log/*/*.log. This fetches all .log files from the subfolders of /var/log. It does not fetch log files from the /var/log folder itself. Currently it is not possible to recursively fetch all files in all subdirectories of a directory.

  2. If you are sending output directly to Elasticsearch (and not using Logstash), set the IP address and port where Filebeat can find the Elasticsearch installation:

    output.elasticsearch:
      hosts: ["192.168.1.42:9200"]

    If you are sending output to Logstash, make sure you configure the Logstash output in Step 3: Configure Filebeat to use Logstash.

  3. If you plan to use the sample Kibana dashboards provided with Filebeat, configure the Kibana endpoint:

    setup.kibana:
      host: "localhost:5601"

    Where host is the hostname and port of the machine where Kibana is running, for example, localhost:5601.

    Note

    If you specify a path after the port number, you need to include the scheme and port: http://localhost:5601/path.

  4. If you’ve secured Elasticsearch and Kibana, you need to specify credentials in the config file before you run the commands that set up and start Filebeat. For example:

    output.elasticsearch:
      hosts: ["myEShost:9200"]
      username: "filebeat_internal"
      password: "{pwd}" 
    setup.kibana:
      host: "mykibanahost:5601"
      username: "my_kibana_user"  
      password: "{pwd}"

    This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore.

    The username and password settings for Kibana are optional. If you don’t specify credentials for Kibana, Filebeat uses the username and password specified for the Elasticsearch output.

    If you are planning to set up the Kibana dashboards, the user must have the kibana_user built-in role or equivalent privileges.

    For more information, see Securing Filebeat.

Before starting filebeat, you should look at the configuration options in the configuration file. For more information about these options, see Configuring Filebeat.