JournalBeat Logstash configuration

I am trying to get JournalBeat installed and working so that it can take my systemd logs and send them to Elasticsearch. I am running CentOS 7.3.

The steps I completed:

  1. I have downloaded the zip file from https://github.com/mheese/journalbeat and extracted the contents under /usr/local/bin.
  2. I have my journalbeat.yml file placed under /usr/local/bin/journalbeat-master/etc
  3. I have Logstash configuration as follows:

         input {
           beats {
             port => 5044
           }
         }
         filter {
           if [type] == "journal" {
             json {
               source => "message"
               skip_on_invalid_json => true
             }
           }
         }
         output {
           elasticsearch {
             hosts => [ "127.0.0.1:9200" ]
             index => "syslog-%{+YYYY.MM.dd}"
           }
           stdout {
             codec => rubydebug
           }
         }

  4. I started Logstash with the configuration file and see that I am listening on port 5044.

I do not see any systemd output in my console or anything in the index.
Can you please let me know how to configure this correctly?

I managed to get journalbeat installed and possible to start, thanks to this thread:

How can I get this to take my logs from systemd and send them to ES?

The answer is to specify the specific services you want to monitor in journalbeat.yml, under the units section, for example:

    units: ["sshd.service"]
