Logstash pipeline for parsing with filebeat module

Hello Team,

Currently we are using ELK 6.4.0, but now we want to upgrade to ELK 7.4.0 to use the SIEM feature. So we are setting up our testing environment first before making changes in the prod environment.

In ELK version 6.4.0 I used a Logstash pipeline for parsing to use the Filebeat dashboard, because we are using Logstash. I followed the link below at that time:

Logstash pipeline

Earlier we had no need to enable the Filebeat module to use the Logstash pipeline, and it was working fine.

In ELK 7.4.0 I used the same approach, but it didn't work. Then I searched the documentation:
Logstash pipeline for parsing

From this document I understand that we need to enable the Filebeat module as well (e.g. system, nginx, etc.) and then we can use the Logstash pipeline for parsing, but this was not required in earlier versions like 6.4.0.
Am I going the right way or not?

Please help me.

Thanks.

After reading the documentation I am able to implement it.

But Filebeat logs are going into syslog. I want to send them to /var/log/filebeat. I have tried the config below in filebeat.yml:

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

But the logs still go into syslog.

Can you please help me with this issue?

Thanks.
