|
4 | 4 |
|
5 | 5 | [Filebeat](https://www.elastic.co/beats/filebeat) is a lightweight shipper for forwarding and centralizing log data. Once installed as an agent, it monitors the log files or locations you specify, collects log events, and forwards them for indexing, usually to Elasticsearch or Logstash.
|
6 | 6 |
|
7 |
| -Now, Manticore also supports the use of Filebeat as processing pipelines. This allows the collected and transformed data to be sent to Manticore just like to Elasticsearch. Currently, all the versions >= 7.10 are supported. |
| 7 | +Now, Manticore also supports the use of Filebeat as processing pipelines. This allows the collected and transformed data to be sent to Manticore just like to Elasticsearch. Currently, All versions to 9.0 are fully supported. |
8 | 8 |
|
9 | 9 | ## Filebeat configuration
|
10 | 10 |
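Review bot: the replacement sentence loses the lower bound and is ambiguous about the upper one: "All versions to 9.0 are fully supported" (capital A mid-sentence) replaces "all the versions >= 7.10 are supported", while the new headings below start at 7.17 and end at 9.0 with nothing for 8.19. State an explicit, inclusive range that matches the headings, e.g. "Filebeat versions 7.17 through 9.0 are supported."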
|
11 |
| -Below is a Filebeat config to work with our example dpkg log: |
| 11 | +Configuration varies slightly depending on which version of Filebeat you're using. |
| 12 | + |
| 13 | +### Configuration for Filebeat 7.17 - 8.0 |
| 14 | + |
| 15 | +Note that Filebeat versions higher than 8.10 have the output compression feature enabled by default. That is why the `compression_level: 0` option must be added to the configuration file to provide compatibility with Manticore: |
12 | 16 |
|
13 | 17 | ```
|
14 | 18 | filebeat.inputs:
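Review bot: the paragraph under "### Configuration for Filebeat 7.17 - 8.0" is the old ">= 8.11" text ("Filebeat versions higher than 8.10 have the output compression feature enabled by default ...") and does not describe 7.17 - 8.0; the same sentence reappears under the 8.11 section, where it belongs. Replace it here with a lead-in for this range (the removed "Below is a Filebeat config to work with our example dpkg log:" would do) and, if `compression_level: 0` is kept in this block, say that it is a no-op on versions where compression is already off by default.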
|
15 |
| -- type: filestream |
16 |
| - id: example |
| 19 | +- type: log |
| 20 | + enabled: true |
17 | 21 | paths:
|
18 |
| - - /var/log/dpkg.log |
| 22 | + - /var/log/dpkg.log |
| 23 | + close_eof: true |
| 24 | + scan_frequency: 1s |
19 | 25 |
|
20 | 26 | output.elasticsearch:
|
21 | 27 | hosts: ["http://localhost:9308"]
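Review bot: this block moves the example from `type: filestream` (the removed lines) back to `type: log` with `close_eof`/`scan_frequency`, while the 9.0 section says filestream replaces log. Either explain why the older ranges use the log input, or keep filestream in all four examples with the 9.0 spellings (`id:`, `close.on_eof`, `prospector.scanner.check_interval`) so that only the `output.elasticsearch` block changes between versions; `enabled: true` can also be dropped, since an input is enabled by default.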
|
22 |
| - index: "dpkg_log" |
| 28 | + index: "dpkg_log" |
| 29 | + compression_level: 0 |
| 30 | +
|
| 31 | +setup.ilm.enabled: false |
| 32 | +setup.template.enabled: false |
| 33 | +setup.template.name: "dpkg_log" |
| 34 | +setup.template.pattern: "dpkg_log" |
| 35 | +``` |
| 36 | + |
| 37 | +### Configuration for Filebeat 8.1 - 8.10 |
| 38 | + |
| 39 | +For versions 8.1 through 8.10, you need to add the allow_older_versions option: |
| 40 | + |
| 41 | +``` |
| 42 | +filebeat.inputs: |
| 43 | +- type: log |
| 44 | + enabled: true |
| 45 | + paths: |
| 46 | + - /var/log/dpkg.log |
| 47 | + close_eof: true |
| 48 | + scan_frequency: 1s |
| 49 | +
|
| 50 | +output.elasticsearch: |
| 51 | + hosts: ["http://localhost:9308"] |
| 52 | + index: "dpkg_log" |
| 53 | + compression_level: 0 |
23 | 54 | allow_older_versions: true
|
24 | 55 |
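Review bot: "you need to add the allow_older_versions option" says what to add but not what it does; one sentence on why Filebeat 8.1+ needs it when talking to Manticore would save readers a trip to the Filebeat reference (the line itself is unchanged from the previous single config). The block is otherwise identical to the 7.17 - 8.0 one apart from that line, so consider showing only the delta, e.g. "same as above, plus:" followed by `allow_older_versions: true`.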
|
25 |
| -setup.ilm: |
26 |
| - enabled: false |
| 56 | +setup.ilm.enabled: false |
| 57 | +setup.template.enabled: false |
| 58 | +setup.template.name: "dpkg_log" |
| 59 | +setup.template.pattern: "dpkg_log" |
| 60 | +``` |
| 61 | + |
| 62 | +### Configuration for Filebeat 8.11 - 8.18 |
| 63 | + |
| 64 | +From version 8.11, output compression is enabled by default, so you must explicitly set `compression_level: 0` for compatibility with Manticore: |
| 65 | + |
| 66 | +``` |
| 67 | +filebeat.inputs: |
| 68 | +- type: log |
| 69 | + enabled: true |
| 70 | + paths: |
| 71 | + - /var/log/dpkg.log |
| 72 | + close_eof: true |
| 73 | + scan_frequency: 1s |
| 74 | +
|
| 75 | +output.elasticsearch: |
| 76 | + hosts: ["http://localhost:9308"] |
| 77 | + index: "dpkg_log" |
| 78 | + compression_level: 0 |
| 79 | + allow_older_versions: true |
27 | 80 |
|
28 |
| -setup.template: |
29 |
| - name: "dpkg_log" |
30 |
| - pattern: "dpkg_log" |
| 81 | +setup.ilm.enabled: false |
| 82 | +setup.template.enabled: false |
| 83 | +setup.template.name: "dpkg_log" |
| 84 | +setup.template.pattern: "dpkg_log" |
31 | 85 | ```
|
32 | 86 |
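Review bot: the range "8.11 - 8.18" leaves 8.19 uncovered while the intro promises support up to 9.0, and this block is byte-for-byte the 8.1 - 8.10 one (`compression_level: 0` and `allow_older_versions: true` are in both). Either widen the heading to "8.1 - 8.x" with the compression sentence as the only 8.11-specific remark, or keep separate headings and show only what differs. `setup.template.enabled: false` next to `setup.template.name`/`setup.template.pattern` also deserves a short comment on why name and pattern are still set when the template is disabled.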
|
33 |
| -### Configuration for Filebeat versions >= 8.11 |
| 87 | +### Configuration for Filebeat 9.0 |
34 | 88 |
|
35 |
| -Note that Filebeat versions higher than 8.10 have the output compression feature enabled by default. That is why the `compression_level: 0` option must be added to the configuration file to provide compatibility with Manticore: |
| 89 | +Filebeat 9.0 introduces a major architecture change, replacing the log input type with filestream. Here's the required configuration: |
36 | 90 |
|
37 | 91 | ```
|
38 | 92 | filebeat.inputs:
|
39 | 93 | - type: filestream
|
40 |
| - id: example |
| 94 | + id: dpkg-log-input |
| 95 | + enabled: true |
41 | 96 | paths:
|
42 |
| - - /var/log/dpkg.log |
| 97 | + - /var/log/dpkg.log |
| 98 | + prospector.scanner.check_interval: 1s |
| 99 | + close.on_eof: true |
43 | 100 |
|
44 | 101 | output.elasticsearch:
|
45 | 102 | hosts: ["http://localhost:9308"]
|
46 |
| - index: "dpkg_log" |
47 |
| - allow_older_versions: true |
| 103 | + index: "dpkg_log" |
48 | 104 | compression_level: 0
|
| 105 | + allow_older_versions: true |
49 | 106 |
|
50 |
| -setup.ilm: |
51 |
| - enabled: false |
52 |
| -
|
53 |
| -setup.template: |
54 |
| - name: "dpkg_log" |
55 |
| - pattern: "dpkg_log" |
| 107 | +setup.ilm.enabled: false |
| 108 | +setup.template.enabled: false |
| 109 | +setup.template.name: "dpkg_log" |
| 110 | +setup.template.pattern: "dpkg_log" |
56 | 111 | ```
|
57 | 112 |
|
58 | 113 | ## Filebeat results
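Review bot: "Filebeat 9.0 introduces a major architecture change, replacing the log input type with filestream" overstates it: the removed lines show this page already used `type: filestream` for the older versions, so filestream is not new in 9.0. Say precisely what changes for a user (whether `type: log` still works in 9.0 or must be migrated). The block itself is right to give the filestream input an `id:` and to use `close.on_eof`/`prospector.scanner.check_interval`. All four examples also ship logs to a plaintext `http://localhost:9308`; a sentence on what to change for a non-local Manticore (TLS, a reachable host) would keep readers from copying the demo endpoint into production unchanged.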