Hi all,
I'm trying to configure filebeat to send apache logs to ELK, but
something goes wrong.
My setup is the following:
Server : Centos7
Elasticsearch : 2.4.4
Logstash : 2.3.4
Kibana : 4.5.4
Client : Centos7
Filebeat : 1.3.1
Apache : 2.4.6
On Client the filebeat.yml has the following:
-
  paths:
    - /var/log/messages
  input_type: syslog
  document_type: syslog
  fields_under_root: true
-
  paths:
    - /var/log/httpd/access.log
  input_type: log
  document_type: apache-access
  fields_under_root: true
On Server, under /etc/logstash/conf.d I have:
01-apache.conf:
input {
  beats {
    port => "5043"
  }
}
filter {
  if [type] == "apache-access" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
  }
}
output {
  stdout { codec => rubydebug }
}
and
logstash.conf:
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/certs/logstash-forwarder.key"
    congestion_threshold => "40"
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
    }
    date {
      match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch {
    hosts => localhost
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
  stdout {
    codec => rubydebug
  }
}
When I'm running: filebeat -e -c filebeat.yml -d "publish" on Client in order to check messages, it seems that it only harvests /var/log/messages:
2017/04/04 09:24:17.718663 publish.go:109: DBG Publish: {
"@timestamp": "2017-04-04T09:24:15.215Z",
"beat": {
"hostname": "client",
"name": "client"
},
"count": 1,
"input_type": "log",
"message": "Apr 4 09:20:02 elkclient systemd[1]: Starting Session 668 of user root.",
"offset": 714805,
"source": "/var/log/messages",
"type": "syslog"
It doesn't even read the apache prospector. What am I doing wrong?
Thank you
George
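A small diagnostic, added here and not part of George's post, that parses the `-d "publish"` debug output and cross-checks it against the prospector list: it reports prospectors whose input_type is not one Filebeat 1.x documents (only log and stdin are listed) and configured paths that never produced an event. The debug output and the prospector list are constructed from the post.

```python
import json
import re

# Constructed sample of `filebeat -e -d "publish"` output, shaped like the post's
DEBUG_OUTPUT = """\
2017/04/04 09:24:17.718663 publish.go:109: DBG Publish: {
  "@timestamp": "2017-04-04T09:24:15.215Z",
  "beat": {"hostname": "client", "name": "client"},
  "count": 1,
  "input_type": "log",
  "message": "Apr 4 09:20:02 elkclient systemd[1]: Starting Session 668 of user root.",
  "offset": 714805,
  "source": "/var/log/messages",
  "type": "syslog"
}
2017/04/04 09:24:20.000000 registrar.go:100: DBG Registrar: flushing state
"""

# The prospectors from the post, written as Python rather than YAML (no PyYAML needed)
PROSPECTORS = [
    {"paths": ["/var/log/messages"], "input_type": "syslog",
     "document_type": "syslog"},
    {"paths": ["/var/log/httpd/access.log"], "input_type": "log",
     "document_type": "apache-access"},
]

# Filebeat 1.x documents only "log" and "stdin" as valid input_type values
VALID_INPUT_TYPES = {"log", "stdin"}

# A published event is the JSON object after "DBG Publish:", ending with a
# "}" at the start of a line
PUBLISH_RE = re.compile(r"DBG Publish: (\{.*?^\})", re.DOTALL | re.MULTILINE)


def published_events(debug_output):
    """Parse every event Filebeat printed with -d publish."""
    return [json.loads(m) for m in PUBLISH_RE.findall(debug_output)]


def check_prospectors(prospectors, events):
    """Return (prospectors with an undocumented input_type, paths that never published)."""
    seen = {e.get("source") for e in events}
    invalid = [p for p in prospectors
               if p.get("input_type", "log") not in VALID_INPUT_TYPES]
    silent = [path for p in prospectors for path in p["paths"] if path not in seen]
    return invalid, silent


if __name__ == "__main__":
    invalid, silent = check_prospectors(PROSPECTORS, published_events(DEBUG_OUTPUT))
    for p in invalid:
        print("input_type %r is not documented for Filebeat 1.x: %s" % (p["input_type"], p["paths"]))
    for path in silent:
        print("no events published from %s" % path)
```

Run it against the real output of the filebeat command in the post (for example by reading it from a file into DEBUG_OUTPUT) to see which of the two prospector paths is actually producing events.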