Creating Dashboard for apache access logs using Filebeat

Filebeat yaml

###################### Filebeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.manifest.co/guide/en/beats/filebeat/index.html

# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.

# ============================== Filebeat inputs ===============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

# filestream is an input for collecting log messages from files.
- type: log

  # Unique ID among all inputs, an ID is required.
  #id: my-filestream-id

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
     - "/etc/testinglogs/apache-access.log"
   
    #- c:\programdata\manifestsearch\logs\*
    #logging:
    #files:
    #path: /var/log/filebeat
    #name: filebeat.log

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #prospector.scanner.exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: /etc/filebeat/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false


  # Period on which files under path should be checked for changes
  #reload.period: 10s

# ======================= manifestsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false


# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
setup.dashboards.enabled: true

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.manifest.co
# website.
#setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
## This requires a Kibana endpoint configuration.
setup.kibana:
  host: "https://3.3.3.3:443"
  ssl.enabled: true
  ssl.verification_mode: "none"
  protocol: "https"
  setup.kibana.ssl.certificate_authorities: ["/etc/filebeat/kibana/ca.crt"]
  setup.kibana.ssl.certificate: "/etc/filebeat/kibana/ca.pem"
  setup.kibana.ssl.key: "/etc/filebeat/kibana/ca.key"
  username: "manifest"
  password: "manifest"
  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== manifest Cloud ================================

# These settings simplify using Filebeat with the manifest Cloud (https://cloud.manifest.co/).

# The cloud.id setting overwrites the `output.manifestsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the manifest Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.manifestsearch.username` and
# `output.manifestsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.
#output.file:
#  path: "/etc/testinglogs/testing1"
  #filename: "testing1"
#  overwrite_keys: true
#

# ---------------------------- manifestsearch Output ----------------------------
output.manifestsearch:
   # Array of hosts to connect to.
   hosts: ["https://2.2.2.2:9200"]
   #index: "mylogs-%{+yyyy.MM.dd}"
   #setup.dashboards.enabled: true
   username: "manifest"
   password: "manifest"
   ssl.enabled: true
   ssl.verification_mode: "none"
   #ssl.certificate_authorities:
   #       - /etc/filebeat/ca/ca.crt

  # Protocol - either `http` (default) or `https`.
   protocol: "https"
   
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"

# ------------------------------ Logstash Output -------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
 - add_host_metadata: ~
    # when.not.contains.tags: forwarded
 - add_cloud_metadata: ~
 - add_docker_metadata: ~
 - add_kubernetes_metadata: ~

# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
#logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================
# Filebeat can export internal metrics to a central manifestsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in manifestsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the manifestsearch cluster under which monitoring data for this
# Filebeat instance will appear in the Stack Monitoring UI. If output.manifestsearch
# is enabled, the UUID is derived from the manifestsearch cluster referenced by output.manifestsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to manifestsearch. Most settings from the
# manifestsearch output are accepted here as well.
# Note that the settings should point to your manifestsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the manifestsearch
# output configuration, so if you have the manifestsearch output configured such
# that it is pointing to your manifestsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.manifestsearch:

# ============================== Instrumentation ===============================

# Instrumentation support for the filebeat.
#instrumentation:
    # Set to true to enable instrumentation of filebeat.
    #enabled: false

    # Environment in which filebeat is running on (eg: staging, production, etc.)
    #environment: ""

    # APM Server hosts to report instrumentation results to.
    #hosts:
    #  - http://localhost:8200

    # API Key for the APM Server(s).
    # If api_key is set then secret_token will be ignored.
    #api_key:

    # Secret token for the APM Server(s).
    #secret_token:


# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true
#filebeat.modules:
        #- module: wazuh
        #alerts:
        #enabled: true
        #archives:
        # enabled: false
        #setup.template.json.enabled: true
       #setup.template.json.path: /etc/filebeat/wazuh-template.json
       #setup.template.json.name: wazuh
       #setup.template.overwrite: true
       #setup.ilm.enabled: false
       #

apache.yml

# Module: apache
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.17/filebeat-module-apache.html

- module: apache
  # Access logs
  access:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/etc/testinglogs/apache-access.log"]
 
  # Error logs
  error:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: 


After setting true in filebeat.inputs in filebeat.yml and in apache.yml, I am able to get logs on kibana discover. I ran three commands after restarting filebeat yml.
1- sudo filebeat -e -c /etc/filebeat/filebeat.yml
2- filebeat -e setup --modules apache
3- filebeat setup --dashboards
After all this there are filebeat dashboards on Kibana in the dashboards section, an index named filebeat-* created in index patterns, filebeat-7.17.9-2023.05.29-000001 in index management, and filebeat-7.17.9-apache-access-pipeline and filebeat-7.17.9-apache-error-pipeline in ingest pipelines.
If I set false in all that you have asked, everything is being created but there are no logs on Kibana.
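
As an added example (not part of the original thread and not Elastic's tooling), a small Python lint over a filebeat.yml flags the settings visible in the configuration above: TLS verification turned off, literal passwords, full key paths nested under their own section, an unrecognised output name, and a log file listed both in an enabled plain input and in the module's var.paths. The function name, finding codes and sample strings are assumptions constructed for illustration.

```python
import re

# Output types documented for Filebeat 7.x.
KNOWN_OUTPUTS = {"elasticsearch", "logstash", "kafka", "redis", "file", "console"}

# Constructed excerpts that mirror the settings shown in the first post.
SAMPLE_CONFIG = """\
filebeat.inputs:
- type: log
  enabled: true
  paths:
     - "/etc/testinglogs/apache-access.log"
setup.kibana:
  ssl.verification_mode: "none"
  setup.kibana.ssl.certificate_authorities: ["/etc/filebeat/kibana/ca.crt"]
  password: "manifest"
output.manifestsearch:
  hosts: ["https://2.2.2.2:9200"]
  password: "manifest"
  ssl.verification_mode: "none"
"""
SAMPLE_MODULE = """\
- module: apache
  access:
    enabled: true
    var.paths: ["/etc/testinglogs/apache-access.log"]
"""

def lint_filebeat(config_text, module_text=""):
    """Return sorted (line_number, code) findings for a filebeat.yml text."""
    findings, outputs, inputs, section = [], [], [], None
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split(" #")[0].rstrip()          # drop trailing comments
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = body.partition(":")
        value = value.strip().strip("\"'")
        if indent == 0 and not body.startswith("-"):
            section = key                            # new top-level section
            if key.startswith("output."):
                outputs.append((n, key[len("output."):]))
        elif section and key.startswith(section + "."):
            # e.g. setup.kibana.ssl.* nested under setup.kibana: wrong key path
            findings.append((n, "NESTED_FULL_KEY"))
        if key.endswith("ssl.verification_mode") and value == "none":
            findings.append((n, "TLS_VERIFY_OFF"))   # server cert is not checked
        if key == "password" and value and not value.startswith("${"):
            findings.append((n, "PLAINTEXT_SECRET")) # not a ${VAR}/keystore ref
        if section == "filebeat.inputs":
            if body.startswith("- type:"):
                inputs.append({"line": n, "enabled": True, "paths": []})
            elif inputs and key == "enabled":
                inputs[-1]["enabled"] = value == "true"
            elif inputs and re.match(r"-\s*[\"']?/", body):
                inputs[-1]["paths"].append(body[1:].strip().strip("\"'"))
    module_paths = set()
    for raw in module_text.splitlines():
        if raw.strip().startswith("var.paths:"):
            module_paths.update(re.findall(r"[\"']([^\"']+)[\"']", raw))
    for inp in inputs:
        # The plain input's copy of a shared file skips the module's ingest pipeline.
        if inp["enabled"] and module_paths & set(inp["paths"]):
            findings.append((inp["line"], "PATH_READ_TWICE"))
    for n, name in outputs:
        if name not in KNOWN_OUTPUTS:
            findings.append((n, "UNKNOWN_OUTPUT"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, code in lint_filebeat(SAMPLE_CONFIG, SAMPLE_MODULE):
        print(f"line {line_no}: {code}")
```

Line numbers in the findings refer to the text passed in, so run it against the real /etc/filebeat/filebeat.yml and modules.d/apache.yml contents to get usable positions.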

In the filebeat.yml That ^^^ is not correct so I am not sure how any of this is working there is no manifestsearch output

Perhaps typo... While cleaning.

It seems like the apache.yml is not being read (or over written) can you run this command show the complete results, if you have other copies of it or other erroneous files in that directory that could be a problem

ls -lrt /etc/filebeat/modules.d

Did you try hard coding the pipeline?

That is a typo mistake; in my original file manifest is replaced by elasticsearch.
Output of the command you have asked for
ls -lrt /etc/filebeat/modules.d

 594 Jan 31 16:53 zscaler.yml.disabled
 626 Jan 31 16:53 zoom.yml.disabled
 476 Jan 31 16:53 zookeeper.yml.disabled
1315 Jan 31 16:53 zeek.yml.disabled
 303 Jan 31 16:53 traefik.yml.disabled
 623 Jan 31 16:53 tomcat.yml.disabled
5883 Jan 31 16:53 threatintel.yml.disabled
 478 Jan 31 16:53 system.yml.disabled
 300 Jan 31 16:53 suricata.yml.disabled
 588 Jan 31 16:53 squid.yml.disabled
1245 Jan 31 16:53 sophos.yml.disabled
 605 Jan 31 16:53 sonicwall.yml.disabled
3711 Jan 31 16:53 snyk.yml.disabled
 588 Jan 31 16:53 snort.yml.disabled
 267 Jan 31 16:53 santa.yml.disabled
 567 Jan 31 16:53 redis.yml.disabled
 601 Jan 31 16:53 radware.yml.disabled
 344 Jan 31 16:53 rabbitmq.yml.disabled
 613 Jan 31 16:53 proofpoint.yml.disabled
 306 Jan 31 16:53 postgresql.yml.disabled
 359 Jan 31 16:53 pensando.yml.disabled
 598 Jan 31 16:53 panw.yml.disabled
 496 Jan 31 16:53 osquery.yml.disabled
 408 Jan 31 16:53 oracle.yml.disabled
 341 Jan 31 16:53 okta.yml.disabled
1536 Jan 31 16:53 o365.yml.disabled
 784 Jan 31 16:53 nginx.yml.disabled
 603 Jan 31 16:53 netscout.yml.disabled
 540 Jan 31 16:53 netflow.yml.disabled
 288 Jan 31 16:53 nats.yml.disabled
 472 Jan 31 16:53 mysql.yml.disabled
 430 Jan 31 16:53 mysqlenterprise.yml.disabled
 384 Jan 31 16:53 mssql.yml.disabled
 297 Jan 31 16:53 mongodb.yml.disabled
 476 Jan 31 16:53 misp.yml.disabled
1462 Jan 31 16:53 microsoft.yml.disabled
 472 Jan 31 16:53 logstash.yml.disabled
 473 Jan 31 16:53 kibana.yml.disabled
 399 Jan 31 16:53 kafka.yml.disabled
1437 Jan 31 16:53 juniper.yml.disabled
 367 Jan 31 16:53 iptables.yml.disabled
 598 Jan 31 16:53 infoblox.yml.disabled
 603 Jan 31 16:53 imperva.yml.disabled
 471 Jan 31 16:53 iis.yml.disabled
 652 Jan 31 16:53 icinga.yml.disabled
 296 Jan 31 16:53 ibmmq.yml.disabled
 377 Jan 31 16:53 haproxy.yml.disabled
1595 Jan 31 16:53 gsuite.yml.disabled
1512 Jan 31 16:53 google_workspace.yml.disabled
2023 Jan 31 16:53 googlecloud.yml.disabled
3021 Jan 31 16:53 gcp.yml.disabled
2406 Jan 31 16:53 fortinet.yml.disabled
1058 Jan 31 16:53 f5.yml.disabled
 328 Jan 31 16:53 envoyproxy.yml.disabled
 598 Jan 31 16:53 cylance.yml.disabled
 761 Jan 31 16:53 cyberark.yml.disabled
 724 Jan 31 16:53 cyberarkpas.yml.disabled
 302 Jan 31 16:53 crowdstrike.yml.disabled
 319 Jan 31 16:53 coredns.yml.disabled
5143 Jan 31 16:53 cisco.yml.disabled
 834 Jan 31 16:53 checkpoint.yml.disabled
 527 Jan 31 16:53 cef.yml.disabled
 602 Jan 31 16:53 bluecoat.yml.disabled
1078 Jan 31 16:53 barracuda.yml.disabled
1707 Jan 31 16:53 azure.yml.disabled
-rw-r--r--. 1 10575 Jan 31 16:53 aws.yml.disabled
2112 Jan 31 16:53 awsfargate.yml.disabled
 281 Jan 31 16:53 auditd.yml.disabled
 484 Jan 31 16:53 activemq.yml.disabled
1009 May  4 15:27 elasticsearch.yml.disabled
 515 May 29 15:10 apache.yml

And no, I haven't tried hard coding the pipeline.
And whenever I try to disable the input, no data is shown on Kibana under the Discover section.

You edited the output so I can not see the permissions... which is what I wanted to see
I asked for the complete output...

it should look something like this

...
-rw-r--r-- 1 root root 12262 Feb 12 04:36 aws.yml.disabled
-rw-r--r-- 1 root root   281 Feb 12 04:36 auditd.yml.disabled
-rw-r--r-- 1 root root   485 Feb 12 04:36 activemq.yml.disabled
-rw-r--r-- 1 root root   477 Mar 20 17:41 system.yml
-rw-r--r-- 1 root root   477 May 30 06:12 apache.yml

it seems pretty clear that the apache.yml is not being read probably because of some permissions or something, and or you have other permission issues... I am not sure how you are installing filebeat.

Anyways let's try something else...

in the filebeat.yml

  1. Disable the filestream input
  2. Leave out the pipeline directive i mentioned above
  3. Put the code below at the bottom of filebeat.yml, this is how you load a module directly into the filebeat.yml
  4. Make sure it is indented properly
  5. just in case disable the apache module
    ./filebeat modules disable apache
  6. run filebeat again (clean data registry if needed beforehand)
filebeat.modules:
  - module: apache
    access:
      enabled: true
      var.paths: ["/etc/testinglogs/apache-access.log"]
    error:
      enabled: true

total 300
-rw-r--r--. 1 root root   594 Jan 31 16:53 zscaler.yml.disabled
-rw-r--r--. 1 root root   626 Jan 31 16:53 zoom.yml.disabled
-rw-r--r--. 1 root root   476 Jan 31 16:53 zookeeper.yml.disabled
-rw-r--r--. 1 root root  1315 Jan 31 16:53 zeek.yml.disabled
-rw-r--r--. 1 root root   303 Jan 31 16:53 traefik.yml.disabled
-rw-r--r--. 1 root root   623 Jan 31 16:53 tomcat.yml.disabled
-rw-r--r--. 1 root root  5883 Jan 31 16:53 threatintel.yml.disabled
-rw-r--r--. 1 root root   478 Jan 31 16:53 system.yml.disabled
-rw-r--r--. 1 root root   300 Jan 31 16:53 suricata.yml.disabled
-rw-r--r--. 1 root root   588 Jan 31 16:53 squid.yml.disabled
-rw-r--r--. 1 root root  1245 Jan 31 16:53 sophos.yml.disabled
-rw-r--r--. 1 root root   605 Jan 31 16:53 sonicwall.yml.disabled
-rw-r--r--. 1 root root  3711 Jan 31 16:53 snyk.yml.disabled
-rw-r--r--. 1 root root   588 Jan 31 16:53 snort.yml.disabled
-rw-r--r--. 1 root root   267 Jan 31 16:53 santa.yml.disabled
-rw-r--r--. 1 root root   567 Jan 31 16:53 redis.yml.disabled
-rw-r--r--. 1 root root   601 Jan 31 16:53 radware.yml.disabled
-rw-r--r--. 1 root root   344 Jan 31 16:53 rabbitmq.yml.disabled
-rw-r--r--. 1 root root   613 Jan 31 16:53 proofpoint.yml.disabled
-rw-r--r--. 1 root root   306 Jan 31 16:53 postgresql.yml.disabled
-rw-r--r--. 1 root root   359 Jan 31 16:53 pensando.yml.disabled
-rw-r--r--. 1 root root   598 Jan 31 16:53 panw.yml.disabled
-rw-r--r--. 1 root root   496 Jan 31 16:53 osquery.yml.disabled
-rw-r--r--. 1 root root   408 Jan 31 16:53 oracle.yml.disabled
-rw-r--r--. 1 root root   341 Jan 31 16:53 okta.yml.disabled
-rw-r--r--. 1 root root  1536 Jan 31 16:53 o365.yml.disabled
-rw-r--r--. 1 root root   784 Jan 31 16:53 nginx.yml.disabled
-rw-r--r--. 1 root root   603 Jan 31 16:53 netscout.yml.disabled
-rw-r--r--. 1 root root   540 Jan 31 16:53 netflow.yml.disabled
-rw-r--r--. 1 root root   288 Jan 31 16:53 nats.yml.disabled
-rw-r--r--. 1 root root   472 Jan 31 16:53 mysql.yml.disabled
-rw-r--r--. 1 root root   430 Jan 31 16:53 mysqlenterprise.yml.disabled
-rw-r--r--. 1 root root   384 Jan 31 16:53 mssql.yml.disabled
-rw-r--r--. 1 root root   297 Jan 31 16:53 mongodb.yml.disabled
-rw-r--r--. 1 root root   476 Jan 31 16:53 misp.yml.disabled
-rw-r--r--. 1 root root  1462 Jan 31 16:53 microsoft.yml.disabled
-rw-r--r--. 1 root root   472 Jan 31 16:53 logstash.yml.disabled
-rw-r--r--. 1 root root   473 Jan 31 16:53 kibana.yml.disabled
-rw-r--r--. 1 root root   399 Jan 31 16:53 kafka.yml.disabled
-rw-r--r--. 1 root root  1437 Jan 31 16:53 juniper.yml.disabled
-rw-r--r--. 1 root root   367 Jan 31 16:53 iptables.yml.disabled
-rw-r--r--. 1 root root   598 Jan 31 16:53 infoblox.yml.disabled
-rw-r--r--. 1 root root   603 Jan 31 16:53 imperva.yml.disabled
-rw-r--r--. 1 root root   471 Jan 31 16:53 iis.yml.disabled
-rw-r--r--. 1 root root   652 Jan 31 16:53 icinga.yml.disabled
-rw-r--r--. 1 root root   296 Jan 31 16:53 ibmmq.yml.disabled
-rw-r--r--. 1 root root   377 Jan 31 16:53 haproxy.yml.disabled
-rw-r--r--. 1 root root  1595 Jan 31 16:53 gsuite.yml.disabled
-rw-r--r--. 1 root root  1512 Jan 31 16:53 google_workspace.yml.disabled
-rw-r--r--. 1 root root  2023 Jan 31 16:53 googlecloud.yml.disabled
-rw-r--r--. 1 root root  3021 Jan 31 16:53 gcp.yml.disabled
-rw-r--r--. 1 root root  2406 Jan 31 16:53 fortinet.yml.disabled
-rw-r--r--. 1 root root  1058 Jan 31 16:53 f5.yml.disabled
-rw-r--r--. 1 root root   328 Jan 31 16:53 envoyproxy.yml.disabled
-rw-r--r--. 1 root root   598 Jan 31 16:53 cylance.yml.disabled
-rw-r--r--. 1 root root   761 Jan 31 16:53 cyberark.yml.disabled
-rw-r--r--. 1 root root   724 Jan 31 16:53 cyberarkpas.yml.disabled
-rw-r--r--. 1 root root   302 Jan 31 16:53 crowdstrike.yml.disabled
-rw-r--r--. 1 root root   319 Jan 31 16:53 coredns.yml.disabled
-rw-r--r--. 1 root root  5143 Jan 31 16:53 cisco.yml.disabled
-rw-r--r--. 1 root root   834 Jan 31 16:53 checkpoint.yml.disabled
-rw-r--r--. 1 root root   527 Jan 31 16:53 cef.yml.disabled
-rw-r--r--. 1 root root   602 Jan 31 16:53 bluecoat.yml.disabled
-rw-r--r--. 1 root root  1078 Jan 31 16:53 barracuda.yml.disabled
-rw-r--r--. 1 root root  1707 Jan 31 16:53 azure.yml.disabled
-rw-r--r--. 1 root root 10575 Jan 31 16:53 aws.yml.disabled
-rw-r--r--. 1 root root  2112 Jan 31 16:53 awsfargate.yml.disabled
-rw-r--r--. 1 root root   281 Jan 31 16:53 auditd.yml.disabled
-rw-r--r--. 1 root root   484 Jan 31 16:53 activemq.yml.disabled
-rw-r--r--. 1 root root  1009 May  4 15:27 elasticsearch.yml.disabled
-rw-r--r--. 1 root root   515 May 29 15:10 apache.yml

Whenever I disable the input section, no logs are there on Kibana, but the dashboard is there with the filebeat index in index patterns, index management and index lifecycle management.

I have disabled the modules but I don't know which part should be at the end of filebeat.yml, and I tried hard coding the pipeline.
I have used the following commands for installation of filebeat

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.17.10-x86_64.rpm
sudo rpm -vi filebeat-7.17.10-x86_64.rpm

After that I simply configured the filebeat.yml and enabled the apache.yml.

And I think the logs that are displayed in Discover in Kibana are not being parsed, which is why I am not able to use the dashboards. Otherwise both the index and the dashboard are created on Kibana and logs are also coming in. Is there a way I can parse them so that their fields match the fields of the dashboard?

Add this code to the end of your filebeat.yml. Did you do that?
Did you follow the instructions above?

How are you stopping and starting filebeat?

Apologies, I'm out of ideas at this point.

There's something simple going on which I cannot see.

BTW If elasticsearch is 7.17.5 you should use filebeat same version (probably not the issue)

one other thought ... if the post right above does not work

remove / completely delete the .rpm installation

Download the tar.gz installation of filebeat and configure and run filebeat from the un-tarred directory in the foreground

Follow the quickstart with the tar LINUX instructions / tabs

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.17.5-linux-x86_64.tar.gz
tar xzvf filebeat-7.17.5-linux-x86_64.tar.gz

The code that you are asking me to add in the filebeat.yml is present in apache.yml under modules.d. Do I need to add it in filebeat.yml?
It would be a great help if you tell me how you have configured filebeat starting from installation to configuration.

commands for starting and stopping ---
systemctl restart filebeat
systemctl stop filebeat
systemctl start filebeat

Yes I am asking you to add it to the filebeat.yml to help debug... We have tried many things and has not worked.

I'm trying to help you debug!

That means trying many things...

Once we figure out what's wrong or how to make it work then we can figure out why.

The basic steps are not working.
This usually takes about 10 minutes start to finish. With the normal process... I showed you above way earlier in this that I did all of that got your logs loaded into the dashboards that took me about 5 minutes to do.

There is something wrong with how you're doing it or your environment. I do not know what it is..

The only way to figure it out is to try things..

That's what I'm trying to do...

So yes I'm basically asking you to put the same that's in the apache.yml at the bottom of the filebeat.yml

But you need to do it how I showed it exactly. Copy it from above and fix the path if you need to. Put it at the bottom of the filebeat.yml

No this is not what you need to normally do but again we are trying to debug....

Assuming you have followed all the normal steps, it's not working so we're trying different steps.

I've also given you another suggestion to download the tar.gz and try to do it all in one directory...

We are trying to figure out how to make it work!

And finally you keep asking me how to install and I keep telling you to use the quick start guide.

All the steps are right there.

That is what I followed.

So if that is what you follow, there is a fundamental error in your system or the commands you're running.

Sorry, I can't help you debug your environment I can only make suggestions

OK
So I have to disable the input part of filebeat.yml and then I should add the apache.yml part at the end of filebeat.yml. I should disable apache.yml also.
And then I should use two commands

./filebeat setup -e

Then I ran filebeat

./filebeat -e

Then I look in Discover

Directions I gave earlier

Yes run setup then start

If this does not work, you should use the tar.gz

In this line are you telling me to remove this line - pipeline: filebeat-7.17.9-apache-access-pipeline?

Yes, You told me you never tried it .. or perhaps you did and did not tell me I have lost track.

Late here done for the night .. Good Luck

OK, thank you