WARNING: Version 1.0.1 of Filebeat has passed its EOL date.

This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.

« Installing Filebeat Configuring Filebeat to Use Logstash »
Elastic Docs Filebeat Reference [1.0.1] Getting Started

Configuring Filebeat

edit

Configuring Filebeat

edit

To configure Filebeat, you edit the filebeat.yml file. Here is a sample of filebeat section of the filebeat.yml file:

filebeat:
  # List of prospectors to fetch data.
  prospectors:
    # Each - is a prospector. Below are the prospector specific configurations
    -
      # Paths that should be crawled and fetched. Glob based paths.
      # For each file found under this path, a harvester is started.
      paths:
        - "/var/log/*.log"
      # - c:\programdata\elasticsearch\logs\*

      # Type of the files. Based on this the way the file is read is decided.
      # The different types cannot be mixed in one prospector
      #
      # Possible options are:
      # * log: Reads every line of the log file (default)
      # * stdin: Reads the standard in
      input_type: log

Filebeat uses predefined default values for most configuration options. For the most basic Filebeat configuration, you can define a single prospector with a single path. For example:

filebeat:
  prospectors:
    -
      paths:
        - "/var/log/*.log"

The prospector in this example harvests all files in the path /var/log/*.log, which means that Filebeat will harvest all files in the directory /var/log/ that end with .log. All patterns supported by Golang Glob are also supported here.

To fetch all files from a predefined level of subdirectories, the following pattern can be used: /var/log/*/*.log. This fetches all .log files from the subfolders of /var/log. It does not fetch log files from the /var/log folder itself. Currently it is not possible to recursively fetch all files in all subdirectories of a directory.

A config file can contain multiple prospectors and multiple paths per prospector as shown in the following example.

Make sure a file is not defined more than once across all prospectors because this can lead to unexpected behaviour.

filebeat:
  prospectors:
    -
      paths:
        - /var/log/system.log
        - /var/log/wifi.log
    -
      paths:
        - "/var/log/apache/*"

The config file in the example starts two prospectors. The first prospector has two harvesters, one harvesting the system.log file, and the other harvesting wifi.log. The second prospector starts a harvester for each file in the apache directory.

See Configuration Options for more details about each configuration option.

« Installing Filebeat Configuring Filebeat to Use Logstash »