Need to create multiple logstash into the same server to monitor apache and nginx together

(mahmoud samy ) #1

i'm trying to use ELK "Elasticsearch , logstash and kibana" to monitor apache and nginx logs
and centralize logs into kibana.
now I have got logs of apache into logstash and kibana so,
what should i do to get ngnix logs too ??


(Magnus Bäck) #2

An exact answer depends on

  • your exact configuration and
  • whether your Apache logs and Nginx logs look the same (i.e. if they can be parsed with the same filter).

(mahmoud samy ) #3

Ok thanks @magnusbaeck but what about if there are multiple servers i want to monitor and the ELK into another server?
what should i do to monitor all servers "different machines" into a single ELK ?

(Magnus Bäck) #4

Install Filebeat on all machines with logs and get them shipped to the machine where you want to run Logstash.

(mahmoud samy ) #5

@magnusbaeck only filebeat or filebeat with logstash too ??

(Magnus Bäck) #6

That's up to you. I prefer using Filebeat and Logstash together since Logstash has more extensive filtering abilities.

(mahmoud samy ) #7

Really thanks alot @magnusbaeck
Is kibana can monitor apache request number , active workers and idle workers ?? if yse could you tell me how to make it into kibana ?

(Magnus Bäck) #8

Kibana can monitor any data you throw at it. I don't think there's anything built-in for what you're looking for. but check out Metricbeat and its modules.

(mahmoud samy ) #9

@magnusbaeck my metricbeat.yml configuration attached and i followed this steps

but never occurred and no merticbeat* index added to kibana
what should i do ?

###################### Metricbeat Configuration Example #######################

This file is an example configuration file highlighting only the most common

options. The metricbeat.reference.yml file from the same directory contains all the

supported options with more comments. You can use it as a reference.

You can find the full configuration reference here:

#========================== Modules configuration ============================


  • module: system

    • cpu
    • filesystem
    • memory
    • network
    • process
      enabled: true
      period: 10s
      processes: ['.*']
      cpu_ticks: false
  • module: apache
    metricsets: ["status"]
    enabled: true
    period: 1s
    hosts: ["my_host"]

    Glob pattern for configuration loading

    path: ${path.config}/modules.d/*.yml

    Set to true to enable config reloading

    reload.enabled: false

    Period on which files under path should be checked for changes

    #reload.period: 10s

#==================== Elasticsearch template setting ==========================

index.number_of_shards: 1
index.codec: best_compression
#_source.enabled: false

#================================ General =====================================

The name of the shipper that publishes the network data. It can be used to group

all the transactions sent by a single shipper in the web interface.


The tags of the shipper are included in their own field with each

transaction published.

#tags: ["service-X", "web-tier"]

Optional fields that you can specify to add additional information to the



env: staging

#============================== Dashboards =====================================

These settings control loading the sample dashboards to the Kibana index. Loading

the dashboards is disabled by default and can be enabled either by setting the

options here, or by using the -setup CLI flag or the setup command.

#setup.dashboards.enabled: false

The URL from where to download the dashboards archive. By default this URL

has a value which is computed based on the Beat name and version. For released

versions, this URL points to the dashboard archive on the



#============================== Kibana =====================================

Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.

This requires a Kibana endpoint configuration.

host: "http://myhost:5601"

Kibana Host

Scheme and port can be left out and will be set to the default (http and 5601)

In case you specify and additional path, the scheme is required: http://localhost:5601/path

IPv6 addresses should always be defined as: https://[2001:db8::1]:5601

#host: "localhost:5601"

#============================= Elastic Cloud ==================================

These settings simplify using metricbeat with the Elastic Cloud (

The setting overwrites the output.elasticsearch.hosts and options.

You can find the in the Elastic Cloud web UI.

The cloud.auth setting overwrites the output.elasticsearch.username and

output.elasticsearch.password settings. The format is <user>:<pass>.


#================================ Outputs =====================================

Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------

Array of hosts to connect to.

hosts: ["localhost:9200"]

Optional protocol and basic auth credentials.

#protocol: "https"
#username: "elastic"
#password: "changeme"

#----------------------------- Logstash output --------------------------------

The Logstash hosts

#hosts: ["localhost:5044"]

Optional SSL. By default is off.

List of root certificates for HTTPS server verifications

#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

Certificate for SSL client authentication

#ssl.certificate: "/etc/pki/client/cert.pem"

Client Certificate Key

#ssl.key: "/etc/pki/client/cert.key"

#================================ Logging =====================================

Sets log level. The default log level is info.

Available log levels are: error, warning, info, debug

#logging.level: debug

At debug level, you can selectively enable logging only for some components.

To enable all selectors use ["*"]. Examples of other selectors are "beat",

"publish", "service".

#logging.selectors: ["*"]

#============================== Xpack Monitoring ===============================

metricbeat can export internal metrics to a central Elasticsearch monitoring

cluster. This requires xpack monitoring to be enabled in Elasticsearch. The

reporting is disabled by default.

Set to true to enable the monitoring reporter.

#xpack.monitoring.enabled: false

Uncomment to send the metrics to Elasticsearch. Most settings from the

Elasticsearch output are accepted here as well. Any setting that is not set is

automatically inherited from the Elasticsearch output configuration, so if you

have the Elasticsearch output configured, you can simply uncomment the

following line.


(Magnus Bäck) #10

The Metricbeat logs probably contain clues, especially if you crank up the loglevel. If that doesn't help, ask in the Beats category.

(system) #11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.