Filebeat installation question?

  1. Where to install Filebeat after I finish installing Elasticsearch, Logstash and Kibana.

  2. How to configure Logstash to use a downloaded log file.

Kindly assist me on this. Thank you in advance.

Hello! You can run Filebeat locally or wherever your Elasticsearch/Kibana is.
Maybe this will help :slightly_smiling_face: https://www.elastic.co/guide/en/logstash/current/first-event.html#first-event
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html

Thank you, kaiyan, for your assistance.

I am still somewhat confused about how to configure Logstash.

I want to configure it in such a way that it will parse this kind of event,

having these fields:

src_ip=x.x.x.x dest_ip=x.x.x.x dest_port=x signature= (like DOS_udp ) or signature=(like http_put_method) action=allowed or action=blocked host= device_ip count=x host_name= x_name time=yyyy-mm-dd hh-mm-ss

How can I configure this?
This is syslog, and how can I configure the syslog sender to forward logs into Logstash? This syslog sender does not allow Filebeat to be installed on it, as it doesn't have an OS.
I need help on this. Thank you in advance.

Hi paci,

syslog sender not enabling filebeat to be installed on that syslog sender it doesn't have an OS on it.

You can tell the syslog sender to forward logs to another machine that has Filebeat (or Logstash) installed on it.
Could you tell us what kind of device is your syslog sender?

Thank you, dear Borna, for your prompt response.
This is a network device, an Intrusion Prevention System, but I still don't know how to do the configuration
in Logstash to parse the logs like it is done in the Grok Debugger. I have mentioned above how my logs look, and I want to extract the above information from the raw events. How can I do that?
So far I have installed Elasticsearch, Kibana and Logstash, but the Logstash configuration is where I got stuck. Help me with your guidance at this step. Thank you.
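
The pipeline below is an added example (not from any reply in this thread, and not the IPS vendor's or Elastic's own configuration) of the Logstash setup the question asks for: receive the IPS events over syslog and split the key=value payload from the post above into fields. It assumes the IPS can be pointed at any UDP/TCP port (5514 here, because binding 514 needs root), that it sends a standard RFC3164 syslog header, and that the payload looks exactly like the sample line with the `time=` value using hyphens between hours, minutes and seconds.

```conf
# Added example: Logstash pipeline for the IPS key=value events described above.
# Assumptions: IPS sends RFC3164 syslog to UDP/TCP 5514; payload is
#   src_ip=... dest_ip=... dest_port=... signature=... action=... host=... count=... host_name=... time=yyyy-mm-dd hh-mm-ss
input {
  # The syslog input strips the syslog header (priority, timestamp, sender hostname)
  # and leaves the device's own payload in the "message" field.
  syslog {
    port => 5514
    type => "ips"
  }
}

filter {
  if [type] == "ips" {
    grok {
      # One capture per key=value pair, in the order the device emits them.
      # NOTSPACE stops at the next blank, so signature names such as DOS_udp or
      # http_put_method are captured whole. ":int" converts the numeric fields.
      # The device's "host=" value is stored as device_ip on purpose: Logstash
      # already sets a "host" field for the syslog sender, and in Logstash 8
      # (ECS mode) "host" is an object, so writing a bare IP string into it
      # produces a mapping conflict in Elasticsearch.
      match => {
        "message" => "src_ip=%{IP:src_ip} dest_ip=%{IP:dest_ip} dest_port=%{INT:dest_port:int} signature=%{NOTSPACE:signature} action=%{WORD:action} host=%{IP:device_ip} count=%{INT:count:int} host_name=%{NOTSPACE:host_name} time=(?<event_time>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}-%{MINUTE}-%{SECOND})"
      }
      # Events that do not match are tagged _grokparsefailure rather than dropped,
      # so you can inspect what the device really sends.
    }
    date {
      # The device writes hh-mm-ss with hyphens, so the Joda format must as well.
      match => ["event_time", "yyyy-MM-dd HH-mm-ss"]
      target => "@timestamp"
      timezone => "UTC"   # assumption: set this to the IPS clock's time zone
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "ips-%{+YYYY.MM.dd}"
  }
  # Uncomment while testing to see each parsed event on the console:
  # stdout { codec => rubydebug }
}
```

Two things to check on the device side before blaming the grok pattern: confirm the IPS actually emits the pairs in the order shown (grok patterns are positional, so a different order needs a `kv` filter instead, which would then require a different `time=` format because `kv` splits on blanks), and confirm the syslog header is RFC3164. If the header is non-standard the `syslog` input will tag the event `_grokparsefailure_sysloginput`; in that case switch to a plain `udp { port => 5514 }` input and prefix the grok pattern with `%{GREEDYDATA:syslog_header} ` so the key=value part is still matched.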

Hi @pacy1, you will probably get more help about Logstash in the Logstash forum: https://discuss.elastic.co/c/elastic-stack/logstash
