Where do I find proper syntax for configuring logstash?

I have a server setup with ElasticSearch and Logstash. My plan is to have many remote servers with Filebeat installed and configured to send to this server. Currently, I am trying to get a single node setup so I know how to move forward, however, I cannot seem to get my index to show up. All I want is apache error logs and nothing else.

On the remote Filebeat server, I have these changes in my /etc/filebeat/filebeat.yml:

    # ============================== Filebeat inputs ===============================


    # Each - is an input. Most options can be set at the input level, so
    # you can use different inputs for various configurations.
    # Below are the input specific configurations.

    - type: log

      # Change to true to enable this input configuration.
      #enabled: false
      enabled: true

      # Paths that should be crawled and fetched. Glob based paths.
        -  /var/log/apache2/*.error.log

    # Set to true to enable config reloading
      reload.enabled: true

      # Period on which files under path should be checked for changes
      reload.period: 30s

#     ------------------------------ Logstash Output -------------------------------
      # The Logstash hosts
      hosts: [""]

Now, on my ElasticSearch/Logstash server, I created a directory /etc/logstash/patterns.d/, and in that directory, I placed a file apache-error. It contains:

APACHE_ERROR_LOG \[%{APACHE_ERROR_TIME:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:errormsg}

In /etc/logstash/conf.d/ I have a file apache.conf. It's contents are:

    input {
        beats {
            port => "5044"
     filter {
        grok {
          patterns_dir => [ "/etc/logstash/patterns.d" ]
          match => [ "message", "%{APACHE_ERROR_LOG}" ]
        geoip {
            source => "clientip"
    output {
        elasticsearch {
          hosts => ["localhost:9200"]
          user => ["myadminuser"]
          password => ["myadminpass"]
          index => "apache-error-%{+YYYY.MM.dd}"
    stdout { codec => rubydebug }

I am completely new to this, and that apache-error config was taken directory from this Stack Overflow question. Where can I find documentation that tells me the proper syntax for what I'm looking at in that file? I may not need all of that, and would like to learn how to fine tune to my needs.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.