Can I use a filebeat server for centralize log collected data from many different devices?

siranee.ja · January 27, 2022, 5:44am

This is my example infra as the question.

Fortinet device
Haproxy Server
Apache Server
A filebeat server
An ELK stack server

device                               a filebeat server                                                an elk stack server
Fortinet device  ---> filebeat with module fortinet on port 9400  --> logstash->elasticsearch->kibana

haproxy server -->  filebeat with module haproxy on port 514  -->
apache server -->  filebeat with module apache on port 514  -->

Is this possible or not possible?
If this is not possbile. What is the best practice?

mtojek · January 28, 2022, 10:56am

Filebeat is a lightweight data shipper, so it's better to configure a few instances close to the monitored device or service. If you want to depend on a single central instance of filebeat, you will have a serious outage if it dies (single point of failure, no logging at all).

legoguy1000 · January 28, 2022, 2:59pm

Also the haproxy and Apache modules are designed to read the log files directly on the server not receive them via syslog.

siranee.ja · January 31, 2022, 6:11am

Thanks for your advise.

siranee.ja · January 31, 2022, 6:16am

Ok, for the device which I can install filebeat, I should install on the  device. How about network device which I couldn't install filebeat  for example
Fortigate 2 devices
Mikrotik 2 devices
Should I set  up  2 vms for install filebeat and receive logs via syslog from separated each branded devices or 4 vms for each device?

system · February 28, 2022, 8:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.