To configure Filebeat, you edit the configuration file. For rpm and deb,
you’ll find the configuration file at
Docker, it’s located at
/usr/share/filebeat/filebeat.yml. For mac and win,
look in the archive that you just extracted.
There’s also a full example configuration file called
that shows all non-deprecated options.
See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.
Here is a sample of the
filebeat section of the
filebeat.yml file. Filebeat uses predefined
default values for most configuration options.
filebeat.inputs: - type: log enabled: true paths: - /var/log/*.log #- c:\programdata\elasticsearch\logs\*
To configure Filebeat:
Define the path (or paths) to your log files.
For the most basic Filebeat configuration, you can define a single input with a single path. For example:
filebeat.inputs: - type: log enabled: true paths: - /var/log/*.log
The input in this example harvests all files in the path
/var/log/*.log, which means that Filebeat will harvest all files in the directory
/var/log/that end with
.log. All patterns supported by Golang Glob are also supported here.
To fetch all files from a predefined level of subdirectories, the following pattern can be used:
/var/log/*/*.log. This fetches all
.logfiles from the subfolders of
/var/log. It does not fetch log files from the
/var/logfolder itself. Currently it is not possible to recursively fetch all files in all subdirectories of a directory.
Configure the output. Filebeat supports a variety of outputs, but typically you’ll either send events directly to Elasticsearch, or to Logstash for additional processing.
To send output directly to Elasticsearch (without using Logstash), set the location of the Elasticsearch installation:
If you’re running Elasticsearch on your own hardware, set the host and port where Filebeat can find the Elasticsearch installation. For example:
output.elasticsearch: hosts: ["myEShost:9200"]
If you plan to use the sample Kibana dashboards provided with Filebeat, configure the Kibana endpoint. You can skip this step if Kibana is running on the same host as Elasticsearch.
If Elasticsearch and Kibana are secured, set credentials in the
filebeat.ymlconfig file before you run the commands that set up and start Filebeat.
If you’re running Elasticsearch on your own hardware, specify your Elasticsearch and Kibana credentials:
This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore.
passwordsettings for Kibana are optional. If you don’t specify credentials for Kibana, Filebeat uses the
passwordspecified for the Elasticsearch output.
For more information, see Securing Filebeat.
Before starting Filebeat, you should look at the configuration options in the configuration file. For more information about these options, see Configuring Filebeat.