Need to migrate a logstash shipper config to filebeat config


#1

Below is the config I am currently using with logstash to ship logs to the logstash processing servers. I haven't been able to get the below working in the filebeat.yml config on a test CentOS 7 server (though I imagine it would be the same for CentOS 6 or 6.5 servers as well). Does anyone know what the filebeat.yml would look like for the below? Please also note I changed the names of the logs and services and such, but the point is I don't know the syntax needed to make the below work.

input {

  file {
    type => "SomeServices"
    add_field => { "index" => "test" }
    path => [ "/opt/apache-tomcat-7.0.59/logs/SomeServices-rolling.log" ]
    sincedb_path => "/var/log/logstash/.sincedb_SomeServices"
    sincedb_write_interval => 5
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601}"
      negate => true
      what => "previous"
    }
  }

  file {
    type => "SomeServices-WOW-DM"
    add_field => { "index" => "test" }
    path => [ "/opt/apache-tomcat-7.0.59/logs/SomeServices-WOW-DM-rolling.log" ]
    sincedb_path => "/var/log/logstash/.sincedb_SomeServices-WOW-DM"
    sincedb_write_interval => 5
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601}"
      negate => true
      what => "previous"
    }
  }

  file {
    type => "SomeServicesSup"
    add_field => { "index" => "test" }
    path => [ "/opt/apache-tomcat-7.0.59/logs/SomeServicesSup-rolling.log" ]
    sincedb_path => "/var/log/logstash/.sincedb_SomeServicesSup"
    sincedb_write_interval => 5
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601}"
      negate => true
      what => "previous"
    }
  }

}


(ruflin) #2

Best is to first have a look at the filebeat getting started guide:

https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-configuration.html

For the multiline stuff, you find more details here:

https://www.elastic.co/guide/en/beats/filebeat/1.2/multiline-examples.html#_examples_of_multiline_configuration


(system) #3

This topic was automatically closed after 21 days. New replies are no longer allowed.
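
A possible Filebeat equivalent of the shipper config in post #1, added here as an example and not posted by anyone in the thread. It assumes the Filebeat 1.x syntax that the linked multiline page documents; the registry path, the Logstash host and port, and the plain regex standing in for the grok pattern are assumptions.

```yaml
# Added example (Filebeat 1.x syntax); not part of the original thread.
filebeat:
  # One registry file tracks read offsets for every prospector; it takes the
  # place of the per-input sincedb_path files. Path is an assumption.
  registry_file: /var/lib/filebeat/registry
  prospectors:
    - paths:
        - /opt/apache-tomcat-7.0.59/logs/SomeServices-rolling.log
      input_type: log
      document_type: SomeServices          # Logstash: type
      fields:
        index: test                        # Logstash: add_field
      fields_under_root: true              # keep "index" at the top level
      multiline:
        # Filebeat has no grok patterns; this regex approximates
        # ^%{TIMESTAMP_ISO8601} for lines like "2016-03-01 12:34:56,789".
        pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}[T ][0-9]{2}:[0-9]{2}'
        negate: true
        match: after                       # Logstash: what => "previous"
    - paths:
        - /opt/apache-tomcat-7.0.59/logs/SomeServices-WOW-DM-rolling.log
      input_type: log
      document_type: SomeServices-WOW-DM
      fields:
        index: test
      fields_under_root: true
      multiline:
        pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}[T ][0-9]{2}:[0-9]{2}'
        negate: true
        match: after
    - paths:
        - /opt/apache-tomcat-7.0.59/logs/SomeServicesSup-rolling.log
      input_type: log
      document_type: SomeServicesSup
      fields:
        index: test
      fields_under_root: true
      multiline:
        pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}[T ][0-9]{2}:[0-9]{2}'
        negate: true
        match: after
output:
  logstash:
    # Assumption: placeholder host and port; the thread shows no output section.
    hosts: ["logstash.example.internal:5044"]
```

Running `filebeat -configtest -c filebeat.yml` checks the file before the service is restarted. The logs keep their multi-line stack traces intact only if the regex matches the first line of every event, so test it against a sample of the real Tomcat log.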