Configuring Topbeat to Use Logstashedit

If you want to use Logstash to perform additional processing on the data collected by Topbeat, you need to configure Topbeat to use Logstash.

To do this, you edit the Topbeat configuration file to disable the Elasticsearch output by commenting it out and enable the Logstash output by uncommenting the logstash section:

    hosts: [""]

The hosts option specifies the Logstash server and the port (5044) where Logstash is configured to listen for incoming Beats connections.

For this configuration, you must load the index template into Elasticsearch manually because the options for auto loading the template are only available for the Elasticsearch output.

To test your configuration file, run Topbeat in the foreground with the following options specified: ./topbeat -configtest -e.

To use this configuration, you must also set up Logstash to receive events from Beats.