Recently, I moved from logstash-forwarder to filebeat on my Linux nodes. Prior to the change, I had geoip working well. This is the stanza in logstash-forwarder.conf which, along with the input and filter configs on my logstash server, made geoip work:
Once I moved to filebeat, I added all of the required information in filebeat.yml. However, I see no equivalent to the above logstash-forwarder stanza. And, at any rate, geoip doesn't work. Can someone help me get back to good?
What does your Filebeat configuration look like? Make sure you format it as code with the </> button on the toolbar. What do the resulting Logstash events look like?
The filebeat config file is located here: http://pastebin.com/D0kgZMAZ. Sorry it's so long; I've left in all of the comments from the original.
Nowhere in this file are you setting the type field to "apache-access" like you've been doing previously in logstash-forwarder. Look at the document_type option.
As to current output, here's what I get from kibana (what other way is there to get output?):
A stdout { codec => rubydebug } output on the Logstash side is a good way of dumping exactly what Logstash sees and avoiding the complexity of ES and Kibana.
Finally, what </> button? I'm accessing the data via Kibana.
OK. First, because my config file is based on the stock/default one, I'm probably better off using just the declarations I need. My paths are listed thusly:
and my document_type is specified further down as simply:
document_type: syslog
when what I should be doing is:
paths:
- /var/log/secure
document_type: syslog
- /var/log/messages
document_type: syslog
- /var/log/httpd/access_log
document_type: apache_access
- /var/log/yum.log
document_type: NOT SURE ABOUT THIS ONE <--- Do you know, or can you suggest, a type for yum?
The change in type didn't work. Remembering that I've made no changes to my logstash configs (they worked with logstash-forwarder), here's what the stanza in logstash-forwarder.conf looked like:
Oh, stupid me!!! I had the type as "apache_access", when it should have been "apache-access". All good, now. Magnus, thanks for pointing me in the right direction. I get the prospectors piece in filebeat.conf now.
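The root cause in this thread was a one-character mismatch between the `document_type` Filebeat stamps on events and the `[type] == "..."` conditional that gates the grok and geoip filters in Logstash. Below is an added example, not code from the thread or from the Filebeat or Logstash projects, that embeds a constructed Filebeat 1.x `prospectors` config (one prospector per type, since `document_type` applies to a prospector, not to an individual path) beside a constructed Logstash filter, and checks that every type Filebeat will emit is actually matched by some Logstash conditional. The paths, type names and the `logstash.example.internal` host are assumptions made for the example; prospectors with no `document_type` are counted under Filebeat 1.x's default type `log`.

```python
import re

# Constructed Filebeat 1.x config for this example (paths, type names and the
# Logstash host are assumptions). One prospector per document_type; the type is
# set per prospector, not per path, and defaults to "log" when omitted.
FILEBEAT_YML = """\
filebeat:
  prospectors:
    -
      paths:
        - /var/log/secure
        - /var/log/messages
      document_type: syslog
    -
      paths:
        - /var/log/httpd/access_log
      document_type: apache_access
    -
      paths:
        - /var/log/yum.log
  registry_file: /var/lib/filebeat/registry
output:
  logstash:
    hosts: ["logstash.example.internal:5044"]
"""

# Constructed Logstash filter: grok and geoip only run when [type] matches,
# so a type Filebeat emits but Logstash never names passes through untouched.
LOGSTASH_CONF = """\
filter {
  if [type] == "apache-access" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    geoip {
      source => "clientip"
    }
  }
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
    }
  }
}
"""

DOC_TYPE_RE = re.compile(r'document_type:\s*["\']?([^"\'\s]+)["\']?$')
LS_TYPE_RE = re.compile(r'\[type\]\s*==\s*["\']([^"\']+)["\']')


def filebeat_types(yml):
    """Return one type per prospector, in order: its document_type or the 1.x default 'log'."""
    types = []
    in_prospectors = False
    prospectors_indent = 0
    item_indent = None  # indentation of the '-' that starts each prospector
    for line in yml.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "prospectors:":
            in_prospectors, prospectors_indent = True, indent
            continue
        if not in_prospectors:
            continue
        if indent <= prospectors_indent:      # back at the level of 'prospectors:' or above
            in_prospectors = False
            continue
        if stripped.startswith("-") and (item_indent is None or indent == item_indent):
            item_indent = indent               # a new prospector: '-' alone or '- key: value'
            types.append("log")
            stripped = stripped[1:].strip()
        m = DOC_TYPE_RE.match(stripped)
        if m and types:
            types[-1] = m.group(1)
    return types


def logstash_types(conf):
    """Return the distinct type names any [type] == "..." conditional can match."""
    return sorted(set(LS_TYPE_RE.findall(conf)))


def unmatched_types(yml, conf):
    """Filebeat types that no Logstash conditional will ever select."""
    return sorted(set(filebeat_types(yml)) - set(logstash_types(conf)))


def near_misses(yml, conf):
    """For each unmatched type, Logstash types that differ only in case or '-' vs '_'."""
    def norm(s):
        return s.lower().replace("_", "-")
    ls = logstash_types(conf)
    return {t: [l for l in ls if norm(l) == norm(t)] for t in unmatched_types(yml, conf)}


if __name__ == "__main__":
    for t, hints in near_misses(FILEBEAT_YML, LOGSTASH_CONF).items():
        hint = " (did you mean %s?)" % ", ".join(hints) if hints else ""
        print("filebeat type %r has no Logstash conditional%s" % (t, hint))
```

Run against the constructed configs, the check reports `apache_access` with the hint `apache-access` (the thread's actual bug) and `log` for the yum prospector, which has no `document_type` and therefore no filter branch. Renaming the type in either file to match clears the first; giving the yum prospector its own `document_type` and a matching `if [type] == ...` block clears the second.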