Where do I find proper syntax for configuring logstash?

csheridan · October 6, 2020, 4:03pm

I have a server setup with ElasticSearch and Logstash. My plan is to have many remote servers with Filebeat installed and configured to send to this server. Currently, I am trying to get a single node setup so I know how to move forward, however, I cannot seem to get my index to show up. All I want is apache error logs and nothing else.

On the remote Filebeat server, I have these changes in my /etc/filebeat/filebeat.yml:

    # ============================== Filebeat inputs ===============================

    filebeat.inputs:

    # Each - is an input. Most options can be set at the input level, so
    # you can use different inputs for various configurations.
    # Below are the input specific configurations.

    - type: log

      # Change to true to enable this input configuration.
      #enabled: false
      enabled: true

      # Paths that should be crawled and fetched. Glob based paths.
      paths:
        -  /var/log/apache2/*.error.log


    # Set to true to enable config reloading
      reload.enabled: true

      # Period on which files under path should be checked for changes
      reload.period: 30s

#     ------------------------------ Logstash Output -------------------------------
    output.logstash:
      # The Logstash hosts
      hosts: ["192.168.64.50:5044"]

Now, on my ElasticSearch/Logstash server, I created a directory /etc/logstash/patterns.d/, and in that directory, I placed a file apache-error. It contains:

APACHE_ERROR_TIME %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
APACHE_ERROR_LOG \[%{APACHE_ERROR_TIME:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:errormsg}

In /etc/logstash/conf.d/ I have a file apache.conf. It's contents are:

    input {
        beats {
            port => "5044"
        }
    }
     filter {
        grok {
          patterns_dir => [ "/etc/logstash/patterns.d" ]
          match => [ "message", "%{APACHE_ERROR_LOG}" ]
        }
        geoip {
            source => "clientip"
        }
    }
    output {
        elasticsearch {
          hosts => ["localhost:9200"]
          user => ["myadminuser"]
          password => ["myadminpass"]
          index => "apache-error-%{+YYYY.MM.dd}"
        }
    stdout { codec => rubydebug }
    }

I am completely new to this, and that apache-error config was taken directory from this Stack Overflow question. Where can I find documentation that tells me the proper syntax for what I'm looking at in that file? I may not need all of that, and would like to learn how to fine tune to my needs.

system · November 3, 2020, 4:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to set cutom index in filebeat Beats filebeat	4	248	June 16, 2022
Logstash not sending logs to custom elasticsearch index Logstash	2	292	December 10, 2018
Filebeat cannot send output to logstash Beats filebeat	8	9777	August 7, 2019
How to configure different machine servers log in filebeat and send it to logstash Beats filebeat	8	4217	February 4, 2019
Filebeat V7.4.1 output.elasticsearch not writing to defined index "logstash" Beats filebeat	6	618	November 26, 2019

Where do I find proper syntax for configuring logstash?

Related topics