Filebeat Integration
Ship logs from Filebeat to Qorrelate
Overview
Filebeat is a lightweight log shipper from Elastic. You can configure it to send logs to Qorrelate using the HTTP output.
Filebeat Configuration
# filebeat.yml
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/*.log
      - /var/log/app/*.log

  - type: container
    paths:
      - '/var/lib/docker/containers/*/*.log'
    processors:
      - add_docker_metadata: ~

output.http:
  enabled: true
  hosts: ["https://api.qorrelate.io/v1/logs"]
  method: "POST"
  headers:
    X-API-Key: "YOUR_API_KEY"
    Content-Type: "application/json"

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
Docker Example
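# Host logs, container logs and the config file are all mounted read-only.
# The config path is made absolute so the bind mount works on any Docker version.
docker run -d \
  --name filebeat \
  -v /var/log:/var/log:ro \
  -v /var/lib/docker/containers:/var/lib/docker/containers:ro \
  -v "$(pwd)/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro" \
  docker.elastic.co/beats/filebeat:8.11.0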
Kubernetes DaemonSet
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: filebeat
spec:
  selector:
    matchLabels:
      name: filebeat
  template:
    metadata:
      labels:
        name: filebeat
    spec:
      serviceAccountName: filebeat
      containers:
        - name: filebeat
          image: docker.elastic.co/beats/filebeat:8.11.0
          args: ["-c", "/etc/filebeat.yml", "-e"]
          env:
            - name: QORRELATE_API_KEY
              valueFrom:
                secretKeyRef:
                  name: qorrelate-credentials
                  key: api-key
          volumeMounts:
            - name: config
              mountPath: /etc/filebeat.yml
              readOnly: true
              subPath: filebeat.yml
            - name: varlog
              mountPath: /var/log
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: filebeat-config
        - name: varlog
          hostPath:
            path: /var/log
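
The DaemonSet above references a ConfigMap named filebeat-config and a Secret named qorrelate-credentials, neither of which is shown on this page. The manifest below is an added example, not Qorrelate's own: it assumes the output.http settings from the configuration above and uses Filebeat's standard ${VAR} expansion so the API key comes from the QORRELATE_API_KEY environment variable instead of being stored in the ConfigMap.

```yaml
# Added example (not from the original page).
# Create the Secret out of band so the key never lands in a manifest or in git:
#   kubectl create secret generic qorrelate-credentials \
#     --from-literal=api-key='<your Qorrelate API key>'
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config          # name referenced by the DaemonSet's "config" volume
data:
  filebeat.yml: |                # key must match subPath: filebeat.yml
    filebeat.inputs:
      - type: log
        enabled: true
        paths:
          - /var/log/*.log       # the DaemonSet mounts the host's /var/log read-only
          - /var/log/app/*.log

    output.http:
      enabled: true
      hosts: ["https://api.qorrelate.io/v1/logs"]
      method: "POST"
      headers:
        # Weak: a literal X-API-Key: "YOUR_API_KEY" here is readable by anyone
        # who can read ConfigMaps in the namespace.
        # Hardened: expand from the env var the DaemonSet fills from the Secret.
        # The ":?" form makes Filebeat refuse to start if the variable is unset.
        X-API-Key: "${QORRELATE_API_KEY:?QORRELATE_API_KEY is not set}"
        Content-Type: "application/json"

    processors:
      - add_host_metadata: ~
      - add_cloud_metadata: ~
```

The ConfigMap and the Secret must be in the same namespace as the DaemonSet.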
Verify Setup
# Test Filebeat configuration
filebeat test config -e
# Test output connection
filebeat test output -e