Wowza logs => filebeat => kibana

I'm looking into getting our wowza logs in kibana. One of my predecessors has set up our ELK stack. I started filebeat, because it wasn't running on the server. I do see exim4 log entry's in kibana, but nothing related to wowza.

This is my filebeat.yml
I only added the last two entries, related to wowza.

<code>
#=========================== Filebeat prospectors =============================

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - "/var/log/auth.log"
  fields:
     log_type: authlog

- type: log
  enabled: true
  paths:
    - "/var/log/exim4/mainlog"
  fields:
     log_type: eximlog

- type: log
  enabled: true
  paths:
    - "/var/log/apache2/*https_access.log"
  fields:
     log_type: accesshttpsv1

- type: log
  enabled: true
  paths:
    - "/var/log/apache2/*http_access.log"
  fields:
     log_type: accesshttpv1

- type: log
  enabled: true
  paths:
    - "/var/log/nginx/*https_access.log"
  fields:
     log_type: accessNGINXhttpsv1

- type: log
  enabled: true
  paths:
    - "/var/log/nginx/*http_access.log"
  fields:
     log_type: accessNGINXhttpv1

- type: log
  enabled: true
  paths:
    - "/var/log/haproxy.log"
  fields:
     log_type: haproxylog

- type: log
  enabled: true
  paths:
    - "/usr/local/WowzaStreamingEngine/logs/wowzastreamingengine_access.log"
  fields:
     application: "wowza"

- type: log
  enabled: true
  paths:
    - "/usr/local/WowzaStreamingEngine/logs/wowzastreamingengine_error.log"
  fields:
     application: "wowza"


#================================ Outputs =====================================

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["SOMEIPADDRESS:5044"]
  #bulk_max_size: 1024

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  #certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"
  ssl.enabled: false

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

</code>

Hey @Jozz, welcome to discuss :slight_smile:

How were these logs being collected before? using logstash?

There are some things that you could check:

  • Wowza is actually writing logs to these files.
  • Filebeat has permissions to read these files.

Please also check in filebeat logs what harvesters it is starting, and if there was any error.