-
Log in to your sandboxes
-
Verify Elasticsearch is running:
sudo systemctl restart elasticsearch
-
Download the public signing key for the repository (not required, as we have already done this):
curl https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
-
Add the repository to the sources list (not required, as we have already done this):
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | \
  sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list && \
  sudo apt-get update
-
Install Filebeat from the repository:
sudo apt-get install filebeat
-
Configure the location of the log files using nano or your favorite terminal editor:
sudo nano /etc/filebeat/filebeat.yml
-
Important settings (the input list lives under the filebeat.inputs key in filebeat.yml):
filebeat.inputs:
- type: log
  # Change to true to enable this input configuration.
  enabled: true
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log

output.elasticsearch:
  hosts: ["localhost:9200"]
-
Start the Filebeat service and check its status:
sudo systemctl restart filebeat
sudo systemctl status filebeat
-
Query Elasticsearch using curl to confirm that a new index has been created, e.g. filebeat-7.14.0-2021.08.31-000001:
curl localhost:9200/_cat/indices
-
Query the data inside the newly created index. Which end-point do you use to query a specific index?
-
Review more options for the Elasticsearch output
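As an added example (not part of the lab text), the output.elasticsearch section as configured above, beside a hardened variant to use once Filebeat ships logs to anything other than a sandbox on the same host; the CA path, username and password are placeholders, and the option names are the standard Filebeat 7.x output settings.

```yaml
# Sandbox setting from the lab: plain HTTP to localhost, no credentials.
# Fine for a local sandbox, but anyone on the network path can read or
# tamper with the shipped log events, and Elasticsearch accepts them
# from any sender.
output.elasticsearch:
  hosts: ["localhost:9200"]

# Hardened variant for a remote or shared Elasticsearch (placeholders
# in angle brackets are assumptions, replace them with your own values).
output.elasticsearch:
  hosts: ["<es-host>:9200"]
  protocol: "https"                          # encrypt the transport
  username: "<filebeat_writer>"              # dedicated, least-privilege user
  password: "<filebeat_writer_password>"     # or use the keystore / api_key
  ssl.certificate_authorities: ["<ca.crt>"]  # pin the CA that issued the ES cert
  ssl.verification_mode: full                # verify hostname as well as chain
```

The writer account only needs privileges to create and write the filebeat-* indices, so give it a role scoped to those rather than the built-in superuser.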