Add basic info about _filebeat

_filebeat/README.md

@@ -0,0 +1,46 @@
+# Filebeat
+
+We use filebeat inorder to push logs from application to elasticsearch
+server.
+
+In actual deployment, the idea is that we will have a sidecar
+container that will be responsible for tailing the log files so that
+we can read it using a filebeat instance running in a daemonset.
+
+## Development
+
+For local testing, you can run filebeat as as a binary and push the
+logs generated into ES. You can use the following config to do so.
+
+``` yaml
+filebeat.inputs:
+- type: log
+  fields:
+    type: "auditlogs"
+  paths:
+    - audit.log # audit file path
+  json.keys_under_root: true
+  json.overwrite_keys: true
+  json.add_error_key: true
+  json.expand_keys: true
+
+output.elasticsearch:
+  hosts: ["http://127.0.0.1:9200"]
+  index: "index-%{[fields.type]:other}-%{+yyyy.MM.dd}"
+  ssl:
+    verification_mode: "none"
+    enabled: false
+    ca_trusted_fingerprint: "ignore-this"
+
+setup.template.name: "index"
+setup.template.pattern: "index-*"
+setup.template.overwrite: true
+setup.template.append_fields:
+- name: timestamp
+  type: date
+```
+
+This will push the audit logs generated in `audit.log` file into
+elasticsearch index with the name `index-auditlogs-<date>` which you
+should be able to see in ES. Now if you were to use this as the audit
+index key, you should be able to use this in the application.