Moving away from logstash-forwarder, and missing a couple of options


(Don Pich) #1

I was able to get the installation and configuration of Filebeat working fine with one exception.

I am trying to set the output of my beats to follow the following logstash-forwarder configuration:

{
"files":
  [
     {
         "paths"  : ["/var/log/exim4/mainlog"],
         "fields" : { "logFormat":"exim4","logType":"mailLog" }
     },
     {
         "paths": ["/var/log/syslog"],
         "fields" : {"logFormat":"debiansyslog","logType":"sysLog"}
     },
     {
        "paths": ["/var/log/auth.log"],
        "fields" : {"logFormat":"debiansyslog","logType":"authLog"}
     }
  ]
}

So with my simple understanding of the filebeat.yml file, I tried to put this in:

  prospectors:
    # Exim Mail Logs
    - paths:
      - /var/log/exim4/mainlog
      document_type: mailLog

    # syslog
    - paths:
      - /var/log/syslog
      document_type: sysLog

    # authlog
    - paths:
      - /var/log/auth.log
      document_type: authlog

I have my grok and output filters set up to do stuff with logFormat and logType. So without reinventing the wheel, how can I get the same type of information to pump out of Filebeat?


(Mark Walkom) #2

Looks like https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html#configuration-fields would do what you want.
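
An added example, not part of the original posts: the three prospectors from the question, with the logstash-forwarder `fields` values carried over through the `fields` option the link above describes. It assumes the prospector list sits under a top-level `filebeat:` key (suggested by the indentation in the question) and uses `fields_under_root: true` so that `logFormat` and `logType` land at the top level of each event, where the existing grok and output conditionals expect them.

```yaml
filebeat:
  prospectors:
    # Exim mail logs
    - paths:
        - /var/log/exim4/mainlog
      fields:
        logFormat: exim4
        logType: mailLog
      # Without this, the custom fields are nested under a "fields"
      # key and Logstash would have to reference [fields][logType].
      fields_under_root: true

    # syslog
    - paths:
        - /var/log/syslog
      fields:
        logFormat: debiansyslog
        logType: sysLog
      fields_under_root: true

    # auth log
    - paths:
        - /var/log/auth.log
      fields:
        logFormat: debiansyslog
        logType: authLog
      fields_under_root: true
```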

