Logstach_filebeat

1/Config logstash
=> vi conf.d/filebeat-input.conf

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}


=> vi conf.d/syslog-filter.conf

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

=> vi conf.d/output-elasticsearch.conf

output {
  elasticsearch { hosts => ["localhost:9200"]
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

2/ Config filebeat
=> filebeat.yml

cat > /etc/filebeat/filebeat.yml << EOF
filebeat:
    prospectors:
        -
            paths:
                - /var/log/*.log
            encoding: utf-8
            input_type: log
            fields:
                level: debug
            document_type: type
    registry_file: /var/lib/filebeat/registry
setup.kibana;
	hosts: "192.168.10.86:5601"
output:
    logstash:
        hosts: ["127.0.0.1:5044"]
        worker: 1
        bulk_max_size: 2048
logging:
    to_syslog: false
    to_files: true
    files:
        path: /var/log/filebeat
        name: filebeat
        rotateeverybytes: 1048576000 # = 1GB
        keepfiles: 7
    selectors: ["*"]
    level: info
EOF