System moduleedit

The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.

When you run the module, it performs a few tasks under the hood:

  • Sets the default paths to the log files (but don’t worry, you can override the defaults)
  • Makes sure each multiline log event gets sent as a single event
  • Uses ingest node to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
  • Deploys dashboards for visualizing the log data

Compatibilityedit

This module was tested with logs from OSes like Ubuntu 12.04, Centos 7, and macOS Sierra.

This module requires the ingest-user-agent and ingest-geoip Elasticsearch plugins.

This module is not available for Windows.

Set up and run the moduleedit

Before doing these steps, verify that Elasticsearch and Kibana are running and that Elasticsearch is ready to receive data from Filebeat.

If you’re running our hosted Elasticsearch Service on Elastic Cloud, or you’ve enabled security in Elasticsearch and Kibana, you need to specify additional connection information before setting up and running the module. See Quick start: modules for common log formats for the complete setup.

To set up and run the module:

  1. Enable the module:

    deb and rpm:

    filebeat modules enable system

    mac:

    ./filebeat modules enable system

    win:

    PS > .\filebeat.exe modules enable system

    This command enables the module config defined in the modules.d directory. See Specify which modules to run for other ways to enable modules.

    To see a list of enabled and disabled modules, run:

    deb and rpm:

    filebeat modules list

    mac:

    ./filebeat modules list

    win:

    PS > .\filebeat.exe modules list
  2. Set up the initial environment:

    deb and rpm:

    filebeat setup -e

    mac:

    ./filebeat setup -e

    win:

    PS > .\filebeat.exe setup -e

    The setup command loads the recommended index template for writing to Elasticsearch and deploys the sample dashboards for visualizing the data in Kibana. This is a one-time setup step.

    The -e flag is optional and sends output to standard error instead of syslog.

  3. Run Filebeat.

    If your logs aren’t in the default location, see Configure the moduleedit, then run Filebeat after you’ve set the paths variable.

    deb and rpm:

    service filebeat start

    mac:

    ./filebeat -e

    win:

    PS > Start-Service filebeat

    If the module is configured correctly, you’ll see INFO Harvester started messages for each file specified in the config.

    Note

    Depending on how you’ve installed Filebeat, you might see errors related to file ownership or permissions when you try to run Filebeat modules. See Config File Ownership and Permissions in the Beats Platform Reference for more information.

  4. Explore your data in Kibana:

    1. Open your browser and navigate to the Dashboard overview in Kibana: http://localhost:5601/app/kibana#/dashboards. Replace localhost with the name of the Kibana host. If you’re using an Elastic Cloud instance, log in to your cloud account, then navigate to the Kibana endpoint in your deployment.
    2. If necessary, log in with your Kibana username and password.
    3. Enter the module name in the search box, then open a dashboard and explore the visualizations for your parsed logs.

      Tip

      If you don’t see data in Kibana, try changing the date range to a larger range. By default, Kibana shows the last 15 minutes.

Example dashboardsedit

This module comes with sample dashboards. For example:

./images/kibana-system.png

Configure the moduleedit

You can further refine the behavior of the system module by specifying variable settings in the modules.d/system.yml file, or overriding settings at the command line.

The following example shows how to set paths in the modules.d/system.yml file to override the default paths for the syslog and authorization logs:

- module: system
  syslog:
    enabled: true
    var.paths: ["/path/to/log/syslog*"]
  auth:
    enabled: true
    var.paths: ["/path/to/log/auth.log*"]

To specify the same settings at the command line, you use:

-M "system.syslog.var.paths=[/path/to/log/syslog*]" -M "system.auth.var.paths=[/path/to/log/auth.log*]"

Variable settingsedit

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the system module uses the defaults.

For more information, see Specify variable settings. Also see Advanced settings.

Tip

When you specify a setting at the command line, remember to prefix the setting with the module name, for example, system.syslog.var.paths instead of syslog.var.paths.

syslog fileset settingsedit

var.paths
An array of paths that specify where to look for the log files. If left empty, Filebeat will choose the paths depending on your operating systems.
var.convert_timezone
If this option is enabled, Filebeat reads the local timezone and uses it at log parsing time to convert the timestamp to UTC. The local timezone is also added in each event in a dedicated field (beat.timezone). The conversion is only possible in Elasticsearch >= 6.1. If the Elasticsearch version is less than 6.1, the beat.timezone field is added, but the conversion to UTC is not made. The default is false.

auth fileset settingsedit

var.paths
An array of paths that specify where to look for the log files. If left empty, Filebeat will choose the paths depending on your operating systems.
var.convert_timezone
If this option is enabled, Filebeat reads the local timezone and uses it at log parsing time to convert the timestamp to UTC. The local timezone is also added in each event in a dedicated field (beat.timezone). The conversion is only possible in Elasticsearch >= 6.1. If the Elasticsearch version is less than 6.1, the beat.timezone field is added, but the conversion to UTC is not made. The default is false.

Fieldsedit

For a description of each field in the module, see the exported fields section.