Multiple filebeats to a server ELK in docker

I'm new to elk and i want to and I want to connect my elk stack with filebeat in docker, which I already have created in docker and it is creating the records for me, because I can see them in kibana.
Now what I want is to connect multiple servers with apache, which are going to be the clients, in this filebeat that I previously said was in docker, and it works correctly.
I guess I have to install filebeat on the client and connect it to the server, this on every client I want to have, but how do I configure the filebeat.yml file?
Can I connect them even though one of the filebeats is in docker and the other is not?
about the server, do I just have to modify the filebeat.yml file? the file docker-compose?

I have looked at several guides but it has not been clear to me.

Configuration files (docker,filebeat):

filebeat.docker.yml is

    path: ${path.config}/modules.d/*.yml
    reload.enabled: true
    module: nginx
    module: apache2

    - type: docker
      hints.enabled: true

- type: log
 - 'var/lib/docker/containers/*/*.log'
 json.message_key: log
 json.keys_under_root: true
- add_docker_metadata: ~

  hosts: '${ELASTICSEARCH_HOSTS:<my ip>}'

docker-compose.yml is

version: '2.2'


    container_name: elasticsearch
      - discovery.seed_hosts=elasticsearch
      - cluster.initial_master_nodes=elasticsearch
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
        soft: -1
        hard: -1
      - esdata1:/usr/share/elasticsearch/data
      - 9200:9200

    image: logstash
    - elasticsearch
    - ./:/config-dir
    command: logstash -f /config-dir/logstash.conf
    - elasticsearch

    container_name: kibana
      ELASTICSEARCH_URL: "http://elasticsearch:9200"
      - 5601:5601
      - elasticsearch

    driver: local


Filebeat will need access to the apache log files so as to collect them. So you need somehow to make apache's logs available to filebeat.

How is apache running? As a container or natively on the host?
If it runs natively on the host then you can just mount its logging directory inside Filebeat container and point filebeat to collect from this directory.


Hi, thanks for your response

I was wrong about Filebeat, i only have it on my client.

Yes, as I have explained I have ELK running in a container and this one, on a server. I want to connect it with smultiple clients so that they collect some Apache logs.
On the client I have installed filebeat, and I have a connection with the server, and with logstash because it listens for telnet on port 5044
But kibana, it does not collect the logs that I indicate in the filebeat.yml file of the client
I don't know if I have to change something in the server's logstash.conf file, but I'll leave you as I have both files, in case it can help you
To answer your answer, apache is in the client

If you need more conf files, i would show whatever you need
Thank you very much, regards



# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
    #- /path/to/log-1.log
  #input_type: log
  #document_type: syslog
    - /server/www/html/miweb/logs/*.log

# filestream is an experimental input. It is going to replace log input in the future.
- type: filestream

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
    - /server/www/html/miweb/logs/*.log
    #- c:\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ['^ERR', '^WARN']

# ============================== Filebeat modules ==============================

  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

# ------------------------------ Logstash Output -------------------------------
  # The Logstash hosts
  hosts: [""]
  #bulk_max_size: 1024
  #index: filebeat
   # certificate_authorities: ["/etc/pki/tls/certs/logstash-beats.crt"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~


input {
        beats {
                port => 5044

        tcp {
                port => 5000

## Add your filters / logstash plugins configuration here

output {
  if filebeat == "" {
        elasticsearch {
                hosts => "localhost:9200"
                user => "elastic"
                password => "changeme"
                ecs_compatibility => disabled
                manage_template => false
                index => "logsclient-%{+YYYY.MM.dd}"
                document_type => "%{[@metadata][type]}"

Ok, let's isolate the different pieces:

  1. Can you run filebeat in debug mode and check if logs are collected from apache logs' directory? Btw, do you enable apache module? In the config you sent (filebeat.yml) it's not clear if you actually enable any modules.
  2. If filebeat is properly configured and is able to collect logs from apache then we need to check if it is able to send the events to Logstash. In this you will need to check in Filebeat's/Logstash's logs to check if any errors occur (mostly network errors).

Let's start with these steps and keep iterating on this.

I think the fault is in the first piece, because I can't run filebeat in debug mode,it appears:

filebeat -e

filebeat: the order was not found


filebeat -e -c filebeat.yml

filebeat: the order was not found

Is this the configuration for modules?

# ============================== Filebeat modules ==============================

  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml
  - module: apache
  - module: system

  # Set to true to enable config reloading
  reload.enabled: false

However, it seems like filebeat is not a service,in fact,its showing me like here

sudo service filebeat restart

Failed to restart filebeat.service: Unit filebeat.service not found.

sudo service filebeat status

   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

To finish, may can help us that my installations, were made with this

curl -L -O

ELK in docker:

git clone


Hi again!

I'm little bit confused with how you run Filebeat. Is it a linux service, a single binary or running in a container? Could you please provide full information of your setup/environment?

Hi !

I thought that by installing this

curl -L -O

I would install the service and I could connect the filebeat.yml file that it gives me, with the elk server, right?

In the container, which is on the server, there is only the elk stack.
In the client, there are the logs, and the filebeat that i installed.

Ok, so you follow Linux version of the installation guide. I'm afraid this does not install it as a linux service. RPM and DEB packages do install it as a linux service , since the package is actually an installer script and creates the linux service in your system. With your approach you just unzip the artifacts' folder of Filebeat.

So, how you start Filebeat? Does ./filebeat -e work if you execute it inside the "inzipped" directory?

Ok, so I have done the installation wrong, right?
I installed it in home, unzipped it, and entered the folder and edited
the filebeat.yml file that was inside.
So, I already unzipped before

If I do ./filebeat inside the folder I get this

-bash: ./filebeat cannot execute binary file: Exec format error

Hmm, on what machine you try to execute it? Is it a linux-x86_64?

In Ubuntu Server 16.04.4 LTS. About if is -x86_64, it seems that i could run x32 and x64 when i do lscpu on the terminal. I hope this help you

Hi again!
I tried with another ubuntu server and now is working this

./filebeat -e

What could i do for the next step? Thanks

ok let's take it from Multiple filebeats to a server ELK in docker - #4 by ChrsMark. Can you enable apache module and run Filebeat in debug mode?

Hi again.
I must apologize for being so tiresome.

My filebeat can collect files from the apaches,the logs works without errors,also i can telnet {ip:server} {port:5044} properly...

I think I'm about to finish, and the problem was in the logs on logstash.

I run docker logs -f “my logstash docker container”,and the error is
docker logs -f docker-elk_logstash_1

2021-02-12T10:02:00,199][WARN ][logstash.outputs.elasticsearch][main][4adfb87a563351eeacd0d5f84a3d4889120060933a3dd82a5ba02ab713b550c3] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x3463c3bf>], :response=>{"index"=>{"_index"=>"logstash", "_type"=>"_doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"index_closed_exception", "reason"=>"closed", "index_uuid"=>"jjnQtLBjS9qYgWjlBL9lhw", "index"=>"logstash-2021.02.10-000001"}}}}

Thanks for your help again

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.