Filebeat's module using Logstash

Elezium · November 1, 2017, 3:01pm

Hi,

I'm facing issue with Filebeat's module and Logstash,

If I use FileBeat and set the output to Elastic Search, everything seems to run fine. But if I output to LogStash, I do see the data in Elasticsearch but they doesn't seems to be "tagged" properly and the information doesn't appears in the Dashboard.

Here's my config file:

filebeat.yml

filebeat.modules:
- module: system
- module: auditd

#output.elasticsearch:
  # Array of hosts to connect to.
#  hosts: ["localhost:9200"]

output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]

logstash.conf

input {
  beats {
    port => 5044
  }
}
# The filter part of this file is commented out to indicate that it is
# optional.
# filter {
#
# }
output {
  elasticsearch {
    hosts => localhost
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

I've try to use ES output first, and then swtich to Logstash, but same issue, the data doesn't appears to be "tagged" properly. I've read the documentation and I've try the -setup -E switch, like so:
/usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/fileBeat -e -modules=system -setup -E "output.elasticsearch.hosts=["http://localhost:9200"]"

That seems to connect to ES first, and then use Logstash but it seems a bit hackish.

Does the Filebeat modules support Logstash or we should use ES directly?

Sorry if it's not totally clear, pretty new to ELK.

Thanks.

andrewkroh · November 1, 2017, 6:56pm

Currently FB modules only work when sending directly to Elasticsearch (because they use Ingest Node). The docs provide good overview on this.

Elezium · November 1, 2017, 7:33pm

Thanks.

To use LogStash, I would have to write own pipeline, correct?

pierhugues · November 1, 2017, 7:39pm

@Elezium Correct, you can also use the ingest-convert which is shipped with Logstash to help you with the transition. See this blog post for more details

andrewkroh · November 1, 2017, 9:12pm

Also here are docs for the ingest-converter: https://www.elastic.co/guide/en/logstash/5.6/ingest-converter.html

The auditd module won't convert nicely because it uses a painless script to parse the data. Anyways I would recommend using Auditbeat to collect this data if possible.

Elezium · November 2, 2017, 2:11am

Thanks both @pierhugues and @andrewkroh .

We setup FileBeat using ES directly, so far so good.

Appreciate your time.

system · November 30, 2017, 2:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat/Logstash doesn't send system.auth.. field data to Elastic Search - v 7.14 Beats beats-module , filebeat	3	406	September 15, 2021
Filebeat system module Beats filebeat	7	3475	October 29, 2018
From Filebeat to Logstash (and next to Elasticsearch) - pipeline processing Beats filebeat	3	237	January 27, 2023
Filebeat --> Logstash works but directly to Elasticsearch = nothing Beats filebeat	5	542	April 10, 2018
Beats => Logstash => Elasticsearch ingestion Logstash	14	1318	September 24, 2019

Filebeat's module using Logstash

Related topics