Query Regarding Filebeat

Akhilesh-Tiwari · September 7, 2018, 7:51am

HI @magnusbaeck and  @elastic  

My Requirement is, Reading the logs from filebeat in windows System and push that logs
into a different windows system's File. without using logstash and elasticsearch. 

    is it possible or not?
    if it is possible then how?

I have already done this for same windows system but stuck in pushing logs in different windows.
 can you please suggest me for that.

filebeat.yml is-

- input_type: log 

  paths:
    - C:/WalletLogs/Info.log 
  include_lines: ["<cap_identifier: cap-c0@lition>"] 

output:
  file:
    path: "C:/ProgramData/filebeat/logs"
    filename: Cap_Logs
    rotate_every_kb: 10000
    number_of_files: 7

then what should i need to add for pushing logs into different windows system.

kvch · September 7, 2018, 10:42am

You could write the output file to a network volume shared by the host of Filebeat and the output machine. Once you mounted the volume, set output.file.path to a path on the volume and run Filebeat as always.

Akhilesh-Tiwari · September 7, 2018, 12:12pm

Hi @kvch,

Is it possible to send logs without using shared network volume, because i have to stored output logs into a different target machines.

kvch · September 7, 2018, 12:16pm

No, filebeat cannot forward events to a remote machine and write to file there.

Akhilesh-Tiwari · September 7, 2018, 12:28pm

okk, Thanks a lot for confirmation.

Akhilesh-Tiwari · September 7, 2018, 1:35pm

Hi @kvch @elastic

can you suggest me what lines need to add in the filebeat.yml to put the logs into network VOLUME.
"P:/Public/FileBeat_Cap_Logs" is the path of my Network Volume and my filebeat.yml is-

- input_type: log 

  paths:
    - C:/WalletLogs/Info.log 
  include_lines: ["<cap_identifier: cap-c0@lition>"] 

output:
  file:
    path: "P:/Public/FileBeat_Cap_Logs"
    filename: Cap_Logs
    rotate_every_kb: 10000
    number_of_files: 7
    permissions: 0600

But it is still not pushing logs and create any file into network volume.

kvch · September 8, 2018, 12:32am

Is it possible you have already sent the events from Info.log? Filebeat does not reread already encountered events.
If not, could you share the debug logs of Filebeat (filebeat -e -d "*")?

Akhilesh-Tiwari · September 10, 2018, 7:22am

HI @elastic @kvch,

In my info.log there are multiple transaction in a second so filebeat reads continuously and push data into local(same server) but when i am trying to push data in network shared drive, there is no any effect i mean neither logs are pushing and not create any file into network volume.

is it possible to Sending the logs from Filebeat to a shared network network volume?
if yes then how please suggest me.

my configuration file is:

filebeat.yml

- input_type: log 

  paths:
    - C:/WalletLogs/Info.log 
  include_lines: ["<cap_identifier: cap-c0@lition>"] 

output:
  file:
    path: "P:/Public/FileBeat_Cap_Logs"
    filename: Cap_Logs
    rotate_every_kb: 10000
    number_of_files: 7
    permissions: 0600

P:/Public/FileBeat_Cap_Logs" is the path of my Shared Network Volume directory.

kvch · September 10, 2018, 10:58am

It is possible to write logs to a shared volume.
Could you please share your debug logs to see what is happening in your Filebeat instance?

Akhilesh-Tiwari · September 10, 2018, 1:31pm

Hi @kvch @elastic @

The issue has been resolved, issue was in permission.
Thanks a lot for support.

I have another issue-
after pushing data into Network Volume some decoding in the logs.

my original log is-

<Log_Created_Date: 2018/09/10 19:08:37> <Log_Level: INFO> <Class_Name: org.appfuse.MyAuthenticationSuccessHandler> <Tab_Name: User Tracker Details> <User_Name: c-yogitaw> <Action: Login Success> <LoginTime: 2018-09-10 19:08:37.62> <Ip Address: 0:0:0:0:0:0:0:1> <Platform: Windows> <Browser: CHROME> <SessionId: FA89E5415FFB82CB50000327D2C2D299> <TrackerId: 2176801> <crisil_cap_identifier: crisil_cap-c0@lition>

After pushing log into Network Volume:

"\u003cLog_Created_Date: 2018/09/10 19:08:37\u003e \u003cLog_Level: INFO\u003e \u003cClass_Name: org.appfuse.MyAuthenticationSuccessHandler\u003e \u003cTab_Name: User Tracker Details\u003e \u003cUser_Name: c-yogitaw\u003e \u003cAction: Login Success\u003e \u003cLoginTime: 2018-09-10 19:08:37.62\u003e \u003cIp Address: 0:0:0:0:0:0:0:1\u003e \u003cPlatform: Windows\u003e \u003cBrowser: CHROME\u003e \u003cSessionId: FA89E5415FFB82CB50000327D2C2D299\u003e \u003cTrackerId: 2176801\u003e \u003ccrisil_cap_identifier: crisil_cap-c0@lition\u003e"

Here i think "<" Decoded in "\u003c" and
">" Decoded in "\u003e" .

what is the solution for this issue.
I want original log after pushing in network volume.

Can you suggest me please.

system · October 8, 2018, 1:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
FIlebeat from a Windows Network Share Beats filebeat	8	9211	July 5, 2017
Sending logs from filebeat(WIndows) to Logstash and Elasticsearch(RHEL) Beats windows , filebeat	6	1533	May 23, 2023
Filebeat on windows not reading log file Beats filebeat	2	1142	November 22, 2019
Windows log forwarding using filebeat Beats filebeat	11	4951	March 1, 2017
I want to send logs from a windows machine to windows elk server Beats filebeat	2	2946	August 3, 2016

Query Regarding Filebeat

Related topics