From 3aa3fb04104b77ca34ce882e7fae39e93ac55a19 Mon Sep 17 00:00:00 2001
From: Abin Simon
Date: Fri, 8 Apr 2022 15:03:46 +0530
Subject: [PATCH] Add basic info about _filebeat
---
 _filebeat/README.md | 46 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 _filebeat/README.md
diff --git a/_filebeat/README.md b/_filebeat/README.md
new file mode 100644
index 0000000..8bebcc9
--- /dev/null
+++ b/_filebeat/README.md
@@ -0,0 +1,46 @@
+# Filebeat
+
+We use filebeat inorder to push logs from application to elasticsearch
+server.
+
+In actual deployment, the idea is that we will have a sidecar
+container that will be responsible for tailing the log files so that
+we can read it using a filebeat instance running in a daemonset.
+
+## Development
+
+For local testing, you can run filebeat as as a binary and push the
+logs generated into ES. You can use the following config to do so.
+
+``` yaml
+filebeat.inputs:
+- type: log
+ fields:
+ type: "auditlogs"
+ paths:
+ - audit.log # audit file path
+ json.keys_under_root: true
+ json.overwrite_keys: true
+ json.add_error_key: true
+ json.expand_keys: true
+
+output.elasticsearch:
+ hosts: ["http://127.0.0.1:9200"]
+ index: "index-%{[fields.type]:other}-%{+yyyy.MM.dd}"
+ ssl:
+ verification_mode: "none"
+ enabled: false
+ ca_trusted_fingerprint: "ignore-this"
+
+setup.template.name: "index"
+setup.template.pattern: "index-*"
+setup.template.overwrite: true
+setup.template.append_fields:
+- name: timestamp
+ type: date
+```
+
+This will push the audit logs generated in `audit.log` file into
+elasticsearch index with the name `index-auditlogs-` which you
+should be able to see in ES. Now if you were to use this as the audit
+index key, you should be able to use this in the application.