2019-06-20 10:22:18 -04:00
|
|
|
|
[role="xpack"]
|
|
|
|
|
[testenv="basic"]
|
|
|
|
|
[[configuring-filebeat]]
|
2019-09-24 13:35:06 -04:00
|
|
|
|
== Collecting {es} log data with {filebeat}
|
2019-06-20 10:22:18 -04:00
|
|
|
|
|
|
|
|
|
[subs="attributes"]
|
|
|
|
|
++++
|
|
|
|
|
<titleabbrev>Collecting log data with {filebeat}</titleabbrev>
|
|
|
|
|
++++
|
|
|
|
|
|
|
|
|
|
You can use {filebeat} to monitor the {es} log files, collect log events, and
|
|
|
|
|
ship them to the monitoring cluster. Your recent logs are visible on the
|
|
|
|
|
*Monitoring* page in {kib}.
|
|
|
|
|
|
|
|
|
|
//NOTE: The tagged regions are re-used in the Stack Overview.
|
|
|
|
|
|
|
|
|
|
. Verify that {es} is running and that the monitoring cluster is ready to
|
|
|
|
|
receive data from {filebeat}.
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
TIP: In production environments, we strongly recommend using a separate cluster
|
|
|
|
|
(referred to as the _monitoring cluster_) to store the data. Using a separate
|
|
|
|
|
monitoring cluster prevents production cluster outages from impacting your
|
|
|
|
|
ability to access your monitoring data. It also prevents monitoring activities
|
|
|
|
|
from impacting the performance of your production cluster. See
|
|
|
|
|
{stack-ov}/monitoring-production.html[Monitoring in a production environment].
|
|
|
|
|
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
. Enable the collection of monitoring data on your cluster.
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
include::configuring-metricbeat.asciidoc[tag=enable-collection]
|
|
|
|
|
|
|
|
|
|
For more information, see <<monitoring-settings>> and <<cluster-update-settings>>.
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
. Identify which logs you want to monitor.
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
The {filebeat} {es} module can handle
|
|
|
|
|
{stack-ov}/audit-log-output.html[audit logs],
|
|
|
|
|
{ref}/logging.html#deprecation-logging[deprecation logs],
|
|
|
|
|
{ref}/gc-logging.html[gc logs], {ref}/logging.html[server logs], and
|
|
|
|
|
{ref}/index-modules-slowlog.html[slow logs].
|
|
|
|
|
For more information about the location of your {es} logs, see the
|
|
|
|
|
{ref}/path-settings.html[path.logs] setting.
|
|
|
|
|
|
|
|
|
|
IMPORTANT: If there are both structured (`*.json`) and unstructured (plain text)
|
|
|
|
|
versions of the logs, you must use the structured logs. Otherwise, they might
|
|
|
|
|
not appear in the appropriate context in {kib}.
|
|
|
|
|
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
. {filebeat-ref}/filebeat-installation.html[Install {filebeat}] on the {es}
|
|
|
|
|
nodes that contain logs that you want to monitor.
|
|
|
|
|
|
|
|
|
|
. Identify where to send the log data.
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
// tag::output-elasticsearch[]
|
|
|
|
|
For example, specify {es} output information for your monitoring cluster in
|
|
|
|
|
the {filebeat} configuration file (`filebeat.yml`):
|
|
|
|
|
|
|
|
|
|
[source,yaml]
|
|
|
|
|
----------------------------------
|
|
|
|
|
output.elasticsearch:
|
|
|
|
|
# Array of hosts to connect to.
|
|
|
|
|
hosts: ["http://es-mon-1:9200", "http://es-mon2:9200"] <1>
|
|
|
|
|
|
|
|
|
|
# Optional protocol and basic auth credentials.
|
|
|
|
|
#protocol: "https"
|
|
|
|
|
#username: "elastic"
|
|
|
|
|
#password: "changeme"
|
|
|
|
|
----------------------------------
|
|
|
|
|
<1> In this example, the data is stored on a monitoring cluster with nodes
|
|
|
|
|
`es-mon-1` and `es-mon-2`.
|
|
|
|
|
|
|
|
|
|
If you configured the monitoring cluster to use encrypted communications, you
|
|
|
|
|
must access it via HTTPS. For example, use a `hosts` setting like
|
|
|
|
|
`https://es-mon-1:9200`.
|
|
|
|
|
|
|
|
|
|
IMPORTANT: The {es} {monitor-features} use ingest pipelines, therefore the
|
|
|
|
|
cluster that stores the monitoring data must have at least one
|
|
|
|
|
<<ingest,ingest node>>.
|
|
|
|
|
|
|
|
|
|
If {es} {security-features} are enabled on the monitoring cluster, you must
|
|
|
|
|
provide a valid user ID and password so that {filebeat} can send metrics
|
|
|
|
|
successfully.
|
|
|
|
|
|
|
|
|
|
For more information about these configuration options, see
|
|
|
|
|
{filebeat-ref}/elasticsearch-output.html[Configure the {es} output].
|
|
|
|
|
// end::output-elasticsearch[]
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
. Optional: Identify where to visualize the data.
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
// tag::setup-kibana[]
|
|
|
|
|
{filebeat} provides example {kib} dashboards, visualizations and searches. To
|
|
|
|
|
load the dashboards into the appropriate {kib} instance, specify the
|
|
|
|
|
`setup.kibana` information in the {filebeat} configuration file
|
|
|
|
|
(`filebeat.yml`) on each node:
|
|
|
|
|
|
|
|
|
|
[source,yaml]
|
|
|
|
|
----------------------------------
|
|
|
|
|
setup.kibana:
|
|
|
|
|
host: "localhost:5601"
|
|
|
|
|
#username: "my_kibana_user"
|
|
|
|
|
#password: "YOUR_PASSWORD"
|
|
|
|
|
----------------------------------
|
|
|
|
|
|
|
|
|
|
TIP: In production environments, we strongly recommend using a dedicated {kib}
|
|
|
|
|
instance for your monitoring cluster.
|
|
|
|
|
|
|
|
|
|
If {security-features} are enabled, you must provide a valid user ID and
|
|
|
|
|
password so that {filebeat} can connect to {kib}:
|
|
|
|
|
|
|
|
|
|
.. Create a user on the monitoring cluster that has the
|
|
|
|
|
{stack-ov}/built-in-roles.html[`kibana_user` built-in role] or equivalent
|
|
|
|
|
privileges.
|
|
|
|
|
|
|
|
|
|
.. Add the `username` and `password` settings to the {es} output information in
|
|
|
|
|
the {filebeat} configuration file. The example shows a hard-coded password, but
|
|
|
|
|
you should store sensitive values in the
|
|
|
|
|
{filebeat-ref}/keystore.html[secrets keystore].
|
|
|
|
|
|
|
|
|
|
See {filebeat-ref}/setup-kibana-endpoint.html[Configure the {kib} endpoint].
|
|
|
|
|
|
|
|
|
|
// end::setup-kibana[]
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
. Enable the {es} module and set up the initial {filebeat} environment on each
|
|
|
|
|
node.
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
// tag::enable-es-module[]
|
|
|
|
|
For example:
|
|
|
|
|
|
|
|
|
|
["source","sh",subs="attributes,callouts"]
|
|
|
|
|
----------------------------------------------------------------------
|
|
|
|
|
filebeat modules enable elasticsearch
|
|
|
|
|
filebeat setup -e
|
|
|
|
|
----------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
For more information, see
|
|
|
|
|
{filebeat-ref}/filebeat-module-elasticsearch.html[{es} module].
|
|
|
|
|
|
|
|
|
|
// end::enable-es-module[]
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
. Configure the {es} module in {filebeat} on each node.
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
// tag::configure-es-module[]
|
|
|
|
|
If the logs that you want to monitor aren't in the default location, set the
|
|
|
|
|
appropriate path variables in the `modules.d/elasticsearch.yml` file. See
|
|
|
|
|
{filebeat-ref}/filebeat-module-elasticsearch.html#configuring-elasticsearch-module[Configure the {es} module].
|
|
|
|
|
|
|
|
|
|
IMPORTANT: If there are JSON logs, configure the `var.paths` settings to point
|
|
|
|
|
to them instead of the plain text logs.
|
|
|
|
|
|
|
|
|
|
// end::configure-es-module[]
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
. {filebeat-ref}/filebeat-starting.html[Start {filebeat}] on each node.
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
NOTE: Depending on how you’ve installed {filebeat}, you might see errors related
|
|
|
|
|
to file ownership or permissions when you try to run {filebeat} modules. See
|
|
|
|
|
{beats-ref}/config-file-permissions.html[Config file ownership and permissions].
|
|
|
|
|
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
. Check whether the appropriate indices exist on the monitoring cluster.
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
For example, use the {ref}/cat-indices.html[cat indices] command to verify
|
|
|
|
|
that there are new `filebeat-*` indices.
|
|
|
|
|
|
|
|
|
|
TIP: If you want to use the *Monitoring* UI in {kib}, there must also be
|
|
|
|
|
`.monitoring-*` indices. Those indices are generated when you collect metrics
|
|
|
|
|
about {stack} products. For example, see <<configuring-metricbeat>>.
|
|
|
|
|
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
. {kibana-ref}/monitoring-data.html[View the monitoring data in {kib}].
|