I was able to get the installation and configuration of Filebeat working fine, with one exception.
I am trying to set the output of my beats to follow the following logstash-forwarder configuration:

    {
      "files": [
        {
          "paths": ["/var/log/exim4/mainlog"],
          "fields": { "logFormat": "exim4", "logType": "mailLog" }
        },
        {
          "paths": ["/var/log/syslog"],
          "fields": { "logFormat": "debiansyslog", "logType": "sysLog" }
        },
        {
          "paths": ["/var/log/auth.log"],
          "fields": { "logFormat": "debiansyslog", "logType": "authLog" }
        }
      ]
    }

So, from my simple understanding of the filebeat.yml file, I tried to put this in:

    prospectors:
      # Exim Mail Logs
      - paths:
          - /var/log/exim4/mainlog
        document_type: mailLog
      # syslog
      - paths:
          - /var/log/syslog
        document_type: sysLog
      # authlog
      - paths:
          - /var/log/auth.log
        document_type: authlog

I have my grok and output filters set up to do stuff with logFormat and logType. So without reinventing the wheel, how can I get the same type of information to pump out of Filebeat?
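
One way to carry the logstash-forwarder fields over, as an added example that is not part of the original post: Filebeat prospectors accept a `fields` map, and `fields_under_root: true` places those keys at the top level of the event instead of nesting them under `fields`, so existing filters can keep referencing `logFormat` and `logType` directly. It assumes the `prospectors` / `document_type` syntax the post already uses, nested under the top-level `filebeat:` key.

```yaml
# Added example, not the poster's configuration.
# Assumes the prospectors/document_type syntax shown in the post.
filebeat:
  prospectors:
    # Exim mail logs
    - paths:
        - /var/log/exim4/mainlog
      document_type: mailLog        # becomes the event's "type" field
      fields:
        logFormat: exim4
        logType: mailLog
      fields_under_root: true       # emit logFormat/logType at the event root

    # syslog
    - paths:
        - /var/log/syslog
      document_type: sysLog
      fields:
        logFormat: debiansyslog
        logType: sysLog
      fields_under_root: true

    # auth log (logins, sudo, sshd)
    - paths:
        - /var/log/auth.log
      document_type: authLog
      fields:
        logFormat: debiansyslog
        logType: authLog
      fields_under_root: true
```

Without `fields_under_root`, the same values arrive as `[fields][logFormat]` and `[fields][logType]`, and the Logstash conditionals would have to reference them that way.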