In this article, we explain the steps needed to install and configure Filebeat on CentOS 8. Before continuing with this tutorial, make sure you are logged in as a user with sudo privileges. All the commands in this tutorial should be run as a non-root user.
Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.
Install Filebeat on CentOS 8
Step 1. First, install the EPEL repository and update the package lists to ensure you get the latest versions and dependencies.
sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf update
Step 2. Install ELK Stack.
You will need Ubuntu set up as an ELK Stack server. If you haven’t done so already, use our ELK Stack installation guide to set up Ubuntu before you continue.
Step 3. Install Filebeat on the CentOS system.
Install Elastic Stack repo GPG signing key:
sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
Then, add Elastic Stack repo on CentOS 8:
sudo tee /etc/yum.repos.d/elasticstack.repo > /dev/null << EOL
[elasticstack]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOL
To install Filebeat, open a terminal window, and run the command:
sudo dnf update
sudo dnf install filebeat
Next, start and enable Filebeat to run on system boot:
sudo systemctl enable --now filebeat
systemctl status filebeat
Step 4. Configure Filebeat.
The Filebeat output is defined in the Filebeat configuration file, /etc/filebeat/filebeat.yml:
sudo nano /etc/filebeat/filebeat.yml
Elasticsearch is the default output. All you need to do is update the IP address of the Elasticsearch host, which is set to localhost by default:
...
#================================ Outputs =====================================
# Configure what output to use when sending the data collected by the beat.
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
  hosts: ["192.168.77.21:9200"]
...
If you are instead pushing event data to Logstash, comment out the Elasticsearch output, and define Logstash output as shown below:
#================================ Outputs =====================================
# Configure what output to use when sending the data collected by the beat.
#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
  # Protocol - either `http` (default) or `https`.
  #protocol: "https"
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "meilana"
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]
  hosts: ["192.168.77.21:5044"]
Next, add the system module, which will examine the local system logs:
sudo filebeat modules enable system
After that, run the Filebeat setup:
sudo filebeat setup
The system will do some work, scanning your system and connecting to your Kibana dashboard.
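Both outputs as configured in Step 4 send events to 192.168.77.21 without TLS, and Filebeat accepts only one active output at a time. The check below is an added example, not part of the original tutorial or of Filebeat: the function name audit_filebeat_outputs is hypothetical, and it assumes top-level output.<name>: keys with hosts written as a one-line quoted array, as in the snippets above.

```shell
#!/usr/bin/env bash
# Added example; audit_filebeat_outputs is a hypothetical helper, not a Filebeat tool.
# Prints one finding per line for the active output sections and returns 1 if any.
# Assumes top-level "output.<name>:" keys and hosts as a one-line quoted array.
audit_filebeat_outputs() {
  awk '
    function report() {
      if (name == "") return
      if (remote && !tls) { print name ": remote host over plaintext"; bad = 1 }
      if (noverify)       { print name ": TLS verification disabled";  bad = 1 }
      name = ""
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
    /^output\.[a-z]+:/ {                          # an active output section starts
      report(); name = $1; sub(/^output\./, "", name); sub(/:.*$/, "", name)
      count++; remote = tls = noverify = 0; next
    }
    /^[^ \t]/ { report(); next }                  # any other top-level key ends it
    name == "" { next }
    /^[ \t]+hosts:/ {
      if ($0 ~ /https:\/\//) tls = 1
      h = $0; gsub(/"(https?:\/\/)?(localhost|127\.0\.0\.1)(:[0-9]+)?"/, "", h)
      if (h ~ /"/) remote = 1                     # a non-loopback host remains
    }
    name == "elasticsearch" && /^[ \t]+protocol:[ \t]*"?https/ { tls = 1 }
    name == "logstash" && /^[ \t]+ssl[.:]/ && !/enabled:[ \t]*false/ { tls = 1 }
    /verification_mode:[ \t]*"?none/ { noverify = 1 }
    END {
      report()
      if (count > 1) { print "more than one output enabled (" count ")"; bad = 1 }
      exit bad + 0
    }
  ' "$1"
}

# Constructed sample: the Elasticsearch output as edited in Step 4.
sample=$(mktemp)
printf '%s\n' 'output.elasticsearch:' '  #hosts: ["localhost:9200"]' \
  '  hosts: ["192.168.77.21:9200"]' > "$sample"
audit_filebeat_outputs "$sample" || true   # prints: elasticsearch: remote host over plaintext
rm -f "$sample"
```

Run it against /etc/filebeat/filebeat.yml after editing; sudo filebeat test config and sudo filebeat test output then confirm that Filebeat itself accepts the file and can reach the configured host.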
Congratulations, you have learned how to install and configure Filebeat on CentOS 8. If you have any questions, please leave a comment below.