Use ${hostname} in var.paths

Elastic Stack Beats
1

Having 3 nodes in a cluster, enabled elasticsearch module and setting the var.paths to elasticsearch logs path. In these 3 nodes logs are at /var/log/elasticsearch/{hostname}/*.log. Trying to replace the var.paths in all the nodes at once by using /var/log/elasticsearch/{hostname}/*.log

  • module: elasticsearch
    server:
    enabled: true
    var.paths: ["/var/log/elasticsearch/${hostname}/*.log"]

    gc:
    enabled: true
    var.paths: ["/var/log/elasticsearch/${hostname}/gc.log.[0-9]*"]

Can we add the parameter hostname directly or do we have any other option? Please help me out.

2

Filebeat can be parametrized using environment variables in the configuration file: https://www.elastic.co/guide/en/beats/filebeat/6.4/using-environ-vars.html

3

I enabled the elasticsearch module and changed the var.paths as following

  • module: elasticsearch
    server:
    enabled: true
    var.path: ["/var/log/elasticsearch/server1/* .log"]
    gc:
    enabled: true
    var.paths: ["/var/log/elasticsearch/server1/gc.log.[0-9]*"]

    audit:
    enabled: true
    var.paths: ["/var/log/elasticsearch/server1/*_access.log"]

    slowlog:
    enabled: true
    var.paths: ["/var/log/elasticsearch/server1/*_index_search_slowlog.log"]

    deprecation:
    enabled: true
    var.paths: ["/var/log/elasticsearch/server1/*_deprecation.log"]

In the filebeat logs configured path for server logs is showing as "/var/log/elasticsearch/*.log" its considering the default path why?

2018-11-07T15:45:20.339-0500 INFO crawler/crawler.go:72 Loading Inputs: 1
2018-11-07T15:45:20.344-0500 INFO log/input.go:138 Configured paths: [/var/log/elasticsearch/server1/* _access.log]
2018-11-07T15:45:20.345-0500 INFO log/input.go:138 Configured paths: [/var/log/elasticsearch/server1/* _deprecation.log]
2018-11-07T15:45:20.390-0500 INFO log/input.go:138 Configured paths: [/var/log/elasticsearch/server1/gc.log.[0-9]* ]
2018-11-07T15:45:20.391-0500 INFO log/input.go:138 Configured paths: [/var/log/elasticsearch/ * .log]
2018-11-07T15:45:20.392-0500 INFO log/input.go:138 Configured paths: [/var/log/elasticsearch/server1/* _index_search_slowlog.log]
2018-11-07T15:45:23.282-0500 INFO log/input.go:138 Configured paths: [/var/log/logstash/logstash-plain*.log]
2018-11-07T15:45:23.283-0500 INFO log/input.go:138 Configured paths: [/var/log/logstash/logstash-slowlog-plain*.log]
2018-11-07T15:45:23.323-0500 INFO log/input.go:138 Configured paths: [/var/log/auth.log* /var/log/secure*]
2018-11-07T15:45:23.364-0500 INFO log/input.go:138 Configured paths: [/var/log/messages* /var/log/syslog*]
2018-11-07T15:45:23.364-0500 INFO crawler/crawler.go:106 Loading and starting Inputs completed. Enabled inputs: 0

4

can anyone help me with this?

5

It's possible your configuration is incorrect. Could you please format it using </>, so whitespaces are preserved?

6

Works, Thanks!

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.