2024-01-12

[so3500]

Filebeat

• Overview
• Set up and run > command reference

[so3500]

https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them eigher to Elasticsearch or Logstash for indexing.

1. when you start filebeat, it starts one or more inputs that look in the locations you've specified for log data
2. For each log that filebeat locates, filebeats starts a harvester.
3. each harvester reads a single log for new content and sends the new log data to libbeat, which aggregates the events and sends the aggregated data to the output that you've configured for filebeat.

https://www.elastic.co/guide/en/beats/filebeat/current/command-line-options.html

• run : runs filebeats. this command is used by default if you start filebeat without specifying a command
• setup : sets up the initial environment, inc
• test : tests the configuration
• version : show information about the current version

run command

• filebeat run [FLAGS]
• filebeat [FLAGS]

filebeat -e : Logs to stderr and disables syslog/file output. filebeat -c : Specifies the configuration file to use for Filebeat. The file you specify here is relative to path.config. If the -c flag is not specified, the default config file, filebeat.yml is used.

filebeat directory > sh filebeat version