Creating custom filebeat module


(Ep4sh) #1

Okay, I read https://www.elastic.co/guide/en/beats/devguide/current/filebeat-modules-devguide.html
And I am almost done:

mkdir -p ${GOPATH}/src/github.com/elastic
cd ${GOPATH}/src/github.com/elastic
git clone https://github.com/elastic/beats.git
make create-module MODULE=p5sh
make create-fileset MODULE=p5sh FILESET=p5shset

After that I created the pipeline.
Then:

make create-fields
make update

What next? How can I enable the new module on my system? The documentation breaks off at make update and test :confused:


(Michael Eves) #2

Hey @ep4sh,

I've created a few modules for our Filebeat, albeit I haven't actually used any of the Makefiles to do so; however, from what I can see they just help scaffold the relevant file structure.

It sounds like you have your module configured and the structure probably looks like the below?

module/{module}
├── module.yml
└── _meta
    └── docs.asciidoc
    └── fields.yml
    └── kibana

If this is the case you should just need to enable that module when you run Filebeat. There are a number of ways to do this outlined here: https://www.elastic.co/guide/en/beats/filebeat/master/configuration-filebeat-modules.html

You can verify the module is enabled by running filebeat modules list


(Ep4sh) #3

Thanks for your reply! I have some comments on my question.

I have installed the Filebeat service on every machine (Debian 9 + filebeat.service installed from the .deb file).

Now I need to add my custom module.
I have configured it (see my message #1) and built it.
I also found that the module I built is located in:

$GOPATH/src/github.com/elastic/beats/filebeat/build/module/p5sh

Yes, it has the same structure as in your post.

But I also know that the system modules are located in:

/usr/share/filebeat/module/*

So when I run sudo filebeat modules list, I don't see my custom module.

Question:
How do I correctly deploy my custom module?
Copy it from $GOPATH/src/github.com/elastic/beats/filebeat/build/module/p5sh? Or what?
It's unclear to me and it is missing from the docs. Thanks for your reply.


UPD. I tried with a standalone Filebeat from the .tar.gz and copied my custom module into its modules directory - it works fine.

But when I copy it to /usr/share/filebeat/module - it doesn't work.


(Michael Eves) #4

Copying into /usr/share/filebeat/module is what I'm familiar with. Inside that directory I have something like the below:

ingress-nginx/
|-- _meta
|   |-- config.yml
|   `-- fields.yml
|-- access
|   |-- config
|   |   `-- access.yml
|   |-- ingest
|   |   `-- pipeline.json
|   `-- manifest.yml
`-- error
    |-- config
    |   `-- error.yml
    |-- ingest
    |   `-- pipeline.json
    `-- manifest.yml

In addition to that, within /usr/share/filebeat/modules.d/ I have corresponding files to enable the module:

$ cat ingress-nginx.yml
- module: ingress-nginx
  access:
    enabled: true
  error:
    enabled: true

You don't have the filebeat.config.modules config option set pointing at the incorrect location by any chance?
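
A pre-restart check for the module tree and modules.d file described in post #4, written as an added example that is not from any poster in the thread. The function names, their arguments and the sample tree are constructed for illustration, and the world-writable check is an extra hardening step the thread does not discuss.

```shell
#!/bin/sh
# Added example, not from the thread. Layout rules mirror the ingress-nginx tree in post #4.
# check_module MODULE_ROOT MODULES_D NAME: prints each problem, returns the problem count.
check_module() {
    moddir="$1/$3"; conf="$2/$3.yml"; mod=$3; problems=0; filesets=0
    [ -d "$moddir" ] || { echo "missing module directory: $moddir"; return 1; }
    for fs in "$moddir"/*/; do
        [ -d "$fs" ] || continue
        name=$(basename "$fs")
        [ "$name" = "_meta" ] && continue
        filesets=$((filesets + 1))
        # Each fileset needs its manifest plus an input config and an ingest pipeline.
        [ -f "$fs/manifest.yml" ] || { echo "$name: manifest.yml missing"; problems=$((problems + 1)); }
        for sub in config ingest; do
            if [ -z "$(ls -A "$fs/$sub" 2>/dev/null)" ]; then
                echo "$name: $sub/ missing or empty"; problems=$((problems + 1))
            fi
        done
    done
    [ "$filesets" -gt 0 ] || { echo "$mod: no filesets found"; problems=$((problems + 1)); }
    # The module is enabled through an active <name>.yml file in modules.d.
    if [ ! -f "$conf" ]; then
        echo "not enabled: $conf missing"; problems=$((problems + 1))
    elif ! grep -q "^- module: $mod\$" "$conf"; then
        echo "$conf does not declare '- module: $mod'"; problems=$((problems + 1))
    fi
    # Pipelines and configs writable by any local user are a log-tampering risk.
    loose=$(find "$moddir" "$conf" -type f -perm -0002 2>/dev/null)
    [ -z "$loose" ] || { echo "world-writable: $loose"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample: module p5sh with fileset p5shset (names from post #1),
# deliberately left without a modules.d/p5sh.yml file.
make_sample() {
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/module/p5sh/p5shset/config" "$d/module/p5sh/p5shset/ingest" "$d/modules.d"
    : > "$d/module/p5sh/p5shset/manifest.yml"
    : > "$d/module/p5sh/p5shset/config/p5shset.yml"
    : > "$d/module/p5sh/p5shset/ingest/pipeline.json"
    echo "$d"
}

root=$(make_sample)
check_module "$root/module" "$root/modules.d" p5sh || echo "problems found: $?"
rm -rf "$root"
```

On a packaged install the call would be `check_module /usr/share/filebeat/module /usr/share/filebeat/modules.d p5sh`, using the paths given in post #4.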