John Mark Causing

System Administrator | Hosting Support Engineer

[email protected]

Bacolod City, Philippines

+639393497018

John Mark Causing

System Administrator | Hosting Support Engineer

[email protected]

Bacolod City, Philippines

+639393497018

ELK using Multipass (MacOS) + LXD/LXC – Part 3 – Filebeat (collect and transfer logs)

by | Jul 11, 2021 | elk, linux | 0 comments

In our previous tutorial, we have 3 LXC containers: master-1, data-1 and data-2. Login and ssh to each of those containers and install Filebeat then install it

curl -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.13.3-x86_64.rpm
rpm --install filebeat-7.13.3-x86_64.rpm
systemctl enable filebeat

Edit the yml file /etc/filebeat/filebeat.yml. These are the only lines I changed from the LXC master-1 (look under “setup.kibana” and “—- Outputs —-)

  host: "10.73.174.25:8080"

Under —- Outputs —-, just change the hostname, port, username and password

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["10.73.174.25:9200"]

  #api_key: "id:api_key"
  username: "elastic"
  password: "password88123818"

Enable system mode from Filebeat

[root@master-1 ~]# filebeat modules enable system
Enabled system

Push the config for all the enabled modules. Make sure ES and Kibana are up and running. Otherwise, this will fail.

[root@master-1 ~]# filebeat setup
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite: true` for enabling.

Index setup finished.
Loading dashboards (Kibana must be running and reachable)

Loaded dashboards
Setting up ML using setup --machine-learning is going to be removed in 8.0.0. Please use the ML app instead.
See more: https://www.elastic.co/guide/en/machine-learning/current/index.html
Loaded machine learning job configurations
Loaded Ingest pipelines

Start the Filebeat service

[root@master-1 ~]# systemctl start filebeat
[root@master-1 ~]# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
  Drop-In: /run/systemd/system/filebeat.service.d
           └─zzz-lxc-service.conf
   Active: active (running) since Sun 2021-07-11 08:43:00 UTC; 4s ago
     Docs: https://www.elastic.co/beats/filebeat

Check if Filebeat indexes in ES. Check if it’s properly ingesting data

curl localhost:9200/_cat/indices?v -u elastic

The screenshot above shows it is there with 1083 documents/log events. So the steps above were for the ‘master-1’ node/container.

Do the same for the other containers ‘data-1’ and ‘data-2’

Do you want to say hello? Let me know!

Facebook

Linkedin

[email protected]

+639393497018

Github

Powered by Kinsta Inc. (Managed WordPress Hosting) & Divi Theme  © 2022