Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to manage input from multiple beats to centralized Logstash

Tags:

elasticsearch

logstash

kibana-4

logstash-configuration

filebeat

I want to use Elastic Stack for log aggregation for fetching logs from 10 machines. I wish to install Filebeat on 10 machines & grab the logs from each machine and send it to a centralized Logstash server which is installed in a separate machine. In separate machine, Logstash Elasticsearch & Kibana is installed. I require Logstash as I want to do processing & parsing of data after gathering the logs using beats.

As per this architecture, I am facing some issues of identifying and parsing the logs. How to make logstash identify to collect logs from multiple beats server's at once? Can i specify multiple host in logstash-beats plugin so that logstash will parse all the logs from 10 machines at once?

Should i define separate document_type in all the 10 machines as part of Filebeat Configuration which can be later leveraged in Logstash so that I define multiple types (using wildcard - tomcat*) in filter plugin.

Sample Filebeat Configuration for Single Machine Setup:-

################### Filebeat Configuration Example #########################
############################# Filebeat ####################################
filebeat:
  prospectors:
    -
      paths:
        - /location/to/file/catalina.out
      document_type: tomcat1
      scan_frequency: 5s
      input_type: log

output:
  logstash:
    hosts: ["<host-of-the-machine-on-which-logstash-is-installed>:5044"]
  console:
    pretty: true
  shipper:
  logging:
  files:
    rotateeverybytes: 10485760 # = 10MB

This type of setup will be done on all 10 machines wherein value of document_type will only change.

Sample Logstash Configuration for Single Machine:-

input {
    beats   {
        host => "ip/of/machine/1"
        port => 5044
    }
}
filter {
    ........................
    ........................
    ........................
}
output{
    elasticsearch {
        hosts => "localhost:9200"
        index => "logs-%{+YYYY.MM.dd}"
    }
    stdout { codec => rubydebug }
}

More ideas are welcome.

like image 635
Yuvraj Gupta Avatar asked Oct 19 '22 03:10

Yuvraj Gupta

1 Answers

Actually the host parameter for beats input plugin means The IP address to listen on. This is not the ip for filebat and actually not required at all.

So just specifying port to listen must be enough and I think the configuration you show will work. Logstash will listen logs from all 10 machines and will process them.

https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html#plugins-inputs-beats-host

like image 180
alpert Avatar answered Oct 21 '22 05:10

alpert
Sign in to Comment

Related questions

How to do a join negative query in ES
Analyze similarities in model data using Elasticsearch and Rails
Ubuntu 15.10 elasticsearch 2.3 Failed to connect to localhost port 9200: Connection refused
ElasticSearch Access-Control-Allow-Headers header is not present
Fail to apply mapping on an RDD on multipe spark nodes through Elasticsearch-hadoop library
Spark app unable to write to elasticsearch cluster running in docker

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!