Moving away from logstash-forwarder, and missing a couple of options

(Don Pich) #1

I was able to get the installation and configuration of Filebeat working fine, with one exception.

I am trying to set the output of my beats to follow the following logstash-forwarder configuration:

    {
      "paths": ["/var/log/exim4/mainlog"],
      "fields": { "logFormat": "exim4", "logType": "mailLog" }
    },
    {
      "paths": ["/var/log/syslog"],
      "fields": { "logFormat": "debiansyslog", "logType": "sysLog" }
    },
    {
      "paths": ["/var/log/auth.log"],
      "fields": { "logFormat": "debiansyslog", "logType": "authLog" }
    }

So, from my simple understanding of the filebeat.yml file, I tried to put this in:

    # Exim Mail Logs
    - paths:
      - /var/log/exim4/mainlog
      document_type: mailLog

    # syslog
    - paths:
      - /var/log/syslog
      document_type: sysLog

    # authlog
    - paths:
      - /var/log/auth.log
      document_type: authlog

I have my grok and output filters set up to do stuff with logFormat and logType. So without reinventing the wheel, how can I get the same type of information to pump out of Filebeat?

(Mark Walkom) #2

Looks like would do what you want.
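
Added example, not part of the original thread and not code from either poster: a small converter that turns logstash-forwarder `files` entries into Filebeat prospectors carrying the same custom fields, so existing grok and output conditionals on `logFormat` and `logType` keep matching. It assumes Filebeat's prospector options `fields`, `fields_under_root` and `document_type` in the 1.x `filebeat: prospectors:` layout; `to_prospectors` and `yaml_scalar` are hypothetical names, and the sample input is constructed from the configuration in the question.

```python
import json

# Constructed sample: the three logstash-forwarder entries from the question,
# wrapped in the "files" array that logstash-forwarder expects.
LSF_CONFIG = """
{
  "files": [
    {"paths": ["/var/log/exim4/mainlog"],
     "fields": {"logFormat": "exim4", "logType": "mailLog"}},
    {"paths": ["/var/log/syslog"],
     "fields": {"logFormat": "debiansyslog", "logType": "sysLog"}},
    {"paths": ["/var/log/auth.log"],
     "fields": {"logFormat": "debiansyslog", "logType": "authLog"}}
  ]
}
"""


def yaml_scalar(value):
    # A JSON string literal is also a valid YAML double-quoted scalar,
    # so quoting this way keeps odd characters in paths or values safe.
    return json.dumps(str(value))


def to_prospectors(lsf_json, under_root=True):
    """Return filebeat.yml text with one prospector per logstash-forwarder entry."""
    out = ["filebeat:", "  prospectors:"]
    for entry in json.loads(lsf_json).get("files", []):
        fields = dict(entry.get("fields", {}))
        # logstash-forwarder set the event type through a "type" field;
        # Filebeat sets it with document_type instead.
        doc_type = fields.pop("type", None)
        out.append("    - paths:")
        out.extend("        - " + yaml_scalar(p) for p in entry["paths"])
        if doc_type is not None:
            out.append("      document_type: " + yaml_scalar(doc_type))
        if fields:
            out.append("      fields:")
            for key in sorted(fields):
                out.append("        %s: %s" % (yaml_scalar(key), yaml_scalar(fields[key])))
            # Without this, Filebeat nests custom fields under "fields.*" and
            # Logstash conditionals on [logType] would stop matching.
            out.append("      fields_under_root: " + ("true" if under_root else "false"))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_prospectors(LSF_CONFIG))
```

With `under_root=False` the same fields arrive in Logstash as `[fields][logFormat]` and `[fields][logType]`, so the filters would need to reference them that way.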
