Elastic
Start free trial Contact Sales
Loading

Filebeat quick start: installation and configuration

This guide describes how to get started quickly with log collection. You’ll learn how to:

  • install Filebeat on each system you want to monitor
  • specify the location of your log files
  • parse log data into fields and send it to {es}
  • visualize the log data in {kib}
Filebeat System dashboard

Before you begin

You need Elasticsearch for storing and searching your data, and Kibana for visualizing and managing it.

To get started quickly, spin up a deployment of our hosted Elasticsearch Service. The Elasticsearch Service is available on AWS, GCP, and Azure. Try it out for free.

To install and run Elasticsearch and Kibana, see Installing the Elastic Stack.

Install Filebeat on all the servers you want to monitor.

To download and install Filebeat, use the commands that work with your system:

Version 9.0.0-beta1 of Filebeat has not yet been released.

Version 9.0.0-beta1 of Filebeat has not yet been released.

Version 9.0.0-beta1 of Filebeat has not yet been released.

Version 9.0.0-beta1 of Filebeat has not yet been released.

Version 9.0.0-beta1 of Filebeat has not yet been released.

The commands shown are for AMD platforms, but ARM packages are also available. Refer to the download page for the full list of available packages.

Connections to Elasticsearch and Kibana are required to set up Filebeat.

Set the connection information in filebeat.yml. To locate this configuration file, see Directory layout.

Specify the cloud.id of your Elasticsearch Service, and set cloud.auth to a user who is authorized to set up Filebeat. For example:

cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
cloud.auth: "filebeat_setup:{pwd}" 1
  1. This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore.

  1. Set the host and port where Filebeat can find the Elasticsearch installation, and set the username and password of a user who is authorized to set up Filebeat. For example:

    output.elasticsearch:
  hosts: ["https://myEShost:9200"]
  username: "filebeat_internal"
  password: "{pwd}" 1
  ssl:
    enabled: true
    ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c" 2
    1. This example shows a hard-coded password, but you should store sensitive values in the secrets keystore.
    2. This example shows a hard-coded fingerprint, but you should store sensitive values in the secrets keystore. The fingerprint is a HEX encoded SHA-256 of a CA certificate, when you start Elasticsearch for the first time, security features such as network encryption (TLS) for Elasticsearch are enabled by default. If you are using the self-signed certificate generated by Elasticsearch when it is started for the first time, you will need to add its fingerprint here. The fingerprint is printed on Elasticsearch start up logs, or you can refer to connect clients to Elasticsearch documentation for other options on retrieving it. If you are providing your own SSL certificate to Elasticsearch refer to Filebeat documentation on how to setup SSL.

  2. If you plan to use our pre-built Kibana dashboards, configure the Kibana endpoint. Skip this step if Kibana is running on the same host as Elasticsearch.

    setup.kibana:
  host: "mykibanahost:5601" 1
  username: "my_kibana_user" <2> 23
  password: "{pwd}"
    1. The hostname and port of the machine where Kibana is running, for example, mykibanahost:5601. If you specify a path after the port number, include the scheme and port: http://mykibanahost:5601/path.
    2. The username and password settings for Kibana are optional. If you don’t specify credentials for Kibana, Filebeat uses the username and password specified for the Elasticsearch output.
    3. To use the pre-built Kibana dashboards, this user must be authorized to view dashboards or have the kibana_admin built-in role.

To learn more about required roles and privileges, see Grant users access to secured resources.

Note

You can send data to other outputs, such as Logstash, but that requires additional configuration and setup.

There are several ways to collect log data with Filebeat:

  • Data collection modules — simplify the collection, parsing, and visualization of common log formats
  • ECS loggers — structure and format application logs into ECS-compatible JSON
  • Manual Filebeat configuration

  1. Identify the modules you need to enable. To see a list of available modules, run:

filebeat modules list
```

filebeat modules list
```

./filebeat modules list
```

./filebeat modules list
```

PS > .\filebeat.exe modules list
```

filebeat modules enable nginx
```

filebeat modules enable nginx
```

./filebeat modules enable nginx
```

./filebeat modules enable nginx
```

PS > .\filebeat.exe modules enable nginx
```

filebeat setup -e
```

filebeat setup -e
```

./filebeat setup -e
```

./filebeat setup -e
```

PS > .\filebeat.exe setup -e
```

sudo service filebeat start
Note

If you use an init.d script to start Filebeat, you can’t specify command line flags (see Command reference). To specify flags, start Filebeat in the foreground.

Also see Filebeat and systemd.

sudo service filebeat start
Note

If you use an init.d script to start Filebeat, you can’t specify command line flags (see Command reference). To specify flags, start Filebeat in the foreground.

Also see Filebeat and systemd.

sudo chown root filebeat.yml 1
sudo chown root modules.d/nginx.yml 1
sudo ./filebeat -e
  1. You’ll be running Filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run Filebeat with --strict.perms=false specified. See Config File Ownership and Permissions.
sudo chown root filebeat.yml 1
sudo chown root modules.d/nginx.yml 1
sudo ./filebeat -e
  1. You’ll be running Filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run Filebeat with --strict.perms=false specified. See Config File Ownership and Permissions.
PS C:\Program Files\filebeat> Start-Service filebeat

By default, Windows log files are stored in C:\ProgramData\filebeat\Logs.

Filebeat should begin streaming events to Elasticsearch.

Filebeat comes with pre-built Kibana dashboards and UIs for visualizing log data. You loaded the dashboards earlier when you ran the setup command.

To open the dashboards:

  1. Launch Kibana:

    <div class="tabs" data-tab-group="host">
    <div role="tablist" aria-label="Open Kibana">
    <button role="tab"
    aria-selected="true"
    aria-controls="cloud-tab-open-kibana"
    id="cloud-open-kibana">
    Elasticsearch Service
    </button>
    <button role="tab"
    aria-selected="false"
    aria-controls="self-managed-tab-open-kibana"
    id="self-managed-open-kibana"
    tabindex="-1">
    Self-managed
    </button>
    </div>
    <div tabindex="0"
    role="tabpanel"
    id="cloud-tab-open-kibana"
    aria-labelledby="cloud-open-kibana">

    1. Log in to your Elastic Cloud account.
    2. Navigate to the Kibana endpoint in your deployment.

    </div>
    <div tabindex="0"
    role="tabpanel"
    id="self-managed-tab-open-kibana"
    aria-labelledby="self-managed-open-kibana"
    hidden="">
    Point your browser to http://localhost:5601, replacing localhost with the name of the Kibana host.

    </div>
    </div>

  2. In the side navigation, click Discover. To see Filebeat data, make sure the predefined filebeat-* data view is selected.

    Tip

    If you don’t see data in Kibana, try changing the time filter to a larger range. By default, Kibana shows the last 15 minutes.

  3. In the side navigation, click Dashboard, then select the dashboard that you want to open.

The dashboards are provided as examples. We recommend that you customize them to meet your needs.

What’s next?

Now that you have your logs streaming into Elasticsearch, learn how to unify your logs, metrics, uptime, and application performance data.

  1. Ingest data from other sources by installing and configuring other Elastic Beats:

    Elastic Beats To capture
    Metricbeat Infrastructure metrics
    Winlogbeat Windows event logs
    Heartbeat Uptime information
    APM Application performance metrics
    Auditbeat Audit events

  2. Use the Observability apps in Kibana to search across all your data:

    Elastic apps Use to
    Metrics app Explore metrics about systems and services across your ecosystem
    Logs app Tail related log data in real time
    Uptime app Monitor availability issues across your apps and services
    APM app Monitor application performance
    SIEM app Analyze security events