How to use filebeat to filter the tomcate log?

Mohamed_Ibrahim · January 5, 2016, 6:09am

i installed Logstash and elasticsearch from the below tutorial
https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elk-stack-on-centos-7

and tomcat logs successfully appear but i need to cut on the request on spastic words "Is that possible by Filtering "
the request
topup/img/pass_bg.png HTTP/1.1 304 - [Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0] http:///topup4/img/style_login.css

Also i need tutorial how to use Filter using filebeat ?

magnusbaeck · January 5, 2016, 6:38am

You'd increase your chances of getting help if you'd edit your post and move it to a relevant category; your question is unrelated to logstash-forwarder.

Unless it was added very recently, Filebeat doesn't support additional filtering of events, but Logstash certainly does. Have you read https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html?

Mohamed_Ibrahim · January 5, 2016, 6:51am

1-so in this case i should replace logstash-forwarder instead of filebeat on client if i need filter options.

2-i use the below tutorial to install logstash- forward

3-i got the below error when i try to restart logstash
[root@log-server init.d]# sudo service logstash-forwarder restart
nohup: appending output to `nohup.out'

any help

magnusbaeck · January 5, 2016, 6:54am

Filebeat replaces logstash-forwarder. logstash-forwarder is deprecated and you should use Filebeat instead. Neither are capable of filtering. Use Logstash for filtering messages.
That tutorial is rather old. I'd avoid it.
That's not an error message.

Mohamed_Ibrahim · January 5, 2016, 8:02am

1- so in my case i will use logstash-forwarder
2-could you provide me with better one
3-what is that if it's not a error

magnusbaeck · January 5, 2016, 8:08am

What? No! logstash-forwarder is deprecated. Don't use it.
I suggest you use the documentation and blog posts on elastic.co and ask specific questions on discuss.elastic.co when you run into trouble.
It's an informational message telling you that the output of a command is appended to a file named nohup.out. The init script you use for logstash-forwarder isn't very well-written.

Mohamed_Ibrahim · January 5, 2016, 8:58am

i got it, you need me to use filtering form log-stash not from logstash- forward, is that right ?

magnusbaeck · January 5, 2016, 9:33am

Yes, that's what I said.

Mohamed_Ibrahim · January 5, 2016, 11:26am

thanks Magnus for your support, but is there is any tutorial you recommend, as working from documentation is hard ?

dedemorton · January 5, 2016, 6:34pm

Hi Mohamed. We have a basic getting started topic for setting up Filebeat to work with the Elastic stack:
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-getting-started.html. (Note that the instructions for setting up the stack itself are here: http://www.elastic.co/guide/en/beats/libbeat/1.0.1/getting-started.html.)

For information about filtering, you'll need to look in the Logstash Reference: https://www.elastic.co/guide/en/logstash/current/index.html

Note that the search functionality on the documentation page has very recently been enhanced. You can now constrain your search to specific documents (in addition to searching across the documentation set).

But it sounds like you might be looking for a more comprehensive tutorial that walks you through the setup for your specific use case. We have nothing quite like that at moment, but I'm really interested in hearing why you find it hard to work from the documentation.

Is your comment specific to the Elastic documentation, or do you just generally prefer working with tutorials?

If you are having trouble with the Elastic documentation, I'm really interested in hearing where you are encountering problems. Are you having trouble locating specific information? When you find the information, does it make sense? Is there simply not enough information for your specific use case?

Any specifics that you can provide will really help us improve the documentation.

Mohamed_Ibrahim · January 17, 2016, 11:05am

Hi dedemorton. Generally i would like to work from a tutorial step by step i try read the installations from your links but i found tutorial like is https://www.digitalocean.com/community/tutorials/how-to-use-logstash-and-kibana-to-centralize-logs-on-centos-62
is more easy ti kearn and implement ? i think it need to be more simple?

dedemorton · January 18, 2016, 6:06pm

Thanks for your response. Even though we try to make the documentation as task-focused as possible, working from a tutorial is definitely a different experience because it's tailored to a specific use case. Meanwhile, the documentation needs to apply to lots of different use cases.

We're making improvements to the documentation every day, though, so if you find specific instructions confusing or misleading, please do open an issue in GitHub (use the docs label), and we'll do our best to address it quickly.

And we'll continue to look for ways on our end to make the documentation easier to use.

Thanks!
DeDe