Install and Configure Filebeat on CentOS 7

In my previous article, I explained how to set up the ELK stack on Ubuntu.

In this guide, I will show how to install and configure Filebeat on CentOS 7, on the servers where our applications or web servers are running. We will then configure Filebeat to send logs to Logstash, which transfers them to Elasticsearch.

What Is Filebeat?

Filebeat is a lightweight shipper for forwarding and centralizing log data.

It will be installed as an agent on your servers where your application or web servers are running.

Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.

Installing Filebeat on CentOS 7

Before installing Filebeat on the server, we need to copy the Logstash certificate that we generated during the Logstash setup.

The Logstash certificate is stored in the /etc/logstash/ssl folder on the ELK stack server.

Using the scp command, we will copy the certificate from the ELK stack server.

scp -r root@elk-stack:/etc/logstash/ssl/logstash-forwarder.crt .

Next, we will add the Elasticsearch repo and install the Filebeat package.

You can also download a specific version of Filebeat from the Elastic Official Repository.

First, we need to download the Filebeat rpm using the command below.

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.8.10-x86_64.rpm

Then install the downloaded package on the system.

sudo rpm -vi filebeat-6.8.10-x86_64.rpm

The installation creates a filebeat folder under the /etc directory.

Copy the Logstash certificate to the /etc/filebeat folder.

Then go to the /etc/filebeat folder, open the filebeat.yml file, remove the existing configuration and paste in the configuration below.

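filebeat.inputs:
# Read the Nginx error log as a plain log input
- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log
# Ship events to Logstash on the ELK server
output.logstash:
  hosts: ["ELK-SERVER-IP:5443"]
  # Trust the Logstash certificate copied to /etc/filebeat earlier
  ssl.certificate_authorities: ["/etc/filebeat/logstash-forwarder.crt"]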

Save and close the file.

In this example, I am sending Nginx error logs from Filebeat to Logstash.

Once Logstash collects the data from Filebeat, it is sent on to Elasticsearch.
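Before starting the service, it is worth checking that filebeat.yml actually references the copied Logstash certificate and has permissions Filebeat will accept. The script below is an added example, not part of the original article; the function name check_filebeat_tls is hypothetical, and it assumes the certificate path is written as an inline, double-quoted list.

```shell
#!/bin/sh
# Added example: pre-start sanity check for a Filebeat -> Logstash TLS setup.
# Assumption: ssl.certificate_authorities uses the inline list form with a
# double-quoted path, e.g.  ssl.certificate_authorities: ["/path/ca.crt"]

check_filebeat_tls() {
    cfg=$1
    rc=0
    if [ ! -f "$cfg" ]; then
        echo "FAIL: config $cfg not found"
        return 1
    fi
    # Filebeat refuses to load a config that group or others can write to.
    # Characters 6 and 9 of the ls mode string are the group/other write bits.
    if [ "$(ls -ld "$cfg" | cut -c6,9)" != "--" ]; then
        echo "FAIL: $cfg is writable by group or others (chmod 644 or stricter)"
        rc=1
    fi
    if ! grep -q '^output\.logstash:' "$cfg"; then
        echo "FAIL: no output.logstash section in $cfg"
        rc=1
    fi
    # Pull the first CA path out of the inline list form.
    ca=$(sed -n 's/^[[:space:]]*ssl\.certificate_authorities:[[:space:]]*\[[[:space:]]*"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    if [ -z "$ca" ]; then
        echo "FAIL: ssl.certificate_authorities not set; the copied Logstash certificate is not referenced"
        rc=1
    elif [ ! -r "$ca" ]; then
        echo "FAIL: CA file $ca is missing or unreadable"
        rc=1
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "FAIL: $ca does not look like a PEM certificate"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $cfg passes the TLS pre-start checks"
    fi
    return "$rc"
}

# Run the check when a config path is given on the command line.
if [ "$#" -eq 1 ]; then
    check_filebeat_tls "$1"
fi
```

Save it as a script and run it with /etc/filebeat/filebeat.yml as the argument; a non-zero exit status means at least one check failed.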

To check the version of Filebeat installed on the system, run the command below.

filebeat version

Let's start the Filebeat service and enable it to start on system boot.

sudo systemctl start filebeat
sudo systemctl enable filebeat

To check the status of Filebeat:

sudo systemctl status filebeat

To check the Filebeat logs:

sudo tail -f /var/log/filebeat/filebeat

We have successfully installed and configured Filebeat and, as an example, configured it to send Nginx error logs to Logstash.

Conclusion

We now have a complete log management tool, the ELK stack, with the Filebeat agent sending logs to it.

Hope you find it helpful. Thanks for reading this article.

Please do check out my other articles.