Two filebeat.yml
1,385 views
Skip to first unread message
Felipe Andres Concha Sepúlveda
Jul 13, 2018, 9:36:20 AM7/13/18
to Wazuh mailing list
Hello all,
a question:
can I create two files filebeat.yml on the same machine (both are here: /etc/filebeat/) and each one sent the same information but to different logstash?
(not as loadbalancer)
a question:
can I create two files filebeat.yml on the same machine (both are here: /etc/filebeat/) and each one sent the same information but to different logstash?
(not as loadbalancer)
jesus.g...@wazuh.com
Jul 13, 2018, 11:10:22 AM7/13/18
to Wazuh mailing list
Hi Felipe,
You are right, you can create two filebeat.yml files to send same data to different Logstash. It's not as simple as create thes two files.
I'm going to explain a bit the main idea behind this.
Brief summary:
- You need two Filebeat instances
- Each instance has its own /etc/filebeat directory. E.g: /etc/filebeat and /etc/filebeat02
- Each Filebeat instance has its own registry file, so you need to modify the option filebeat.registry_file: ${path.data}/registry from each filebeat.yml file.
- Finally, you must create a service for each Filebeat instance.
How to configure 1 x Filebeat for sending same data to 2 x Logstash:
- Install Filebeat as usual (following https://documentation.wazuh.com/current/installation-guide/installing-wazuh-server/wazuh_server_rpm.html#installing-filebeat)
- Now you have your first Filebeat properly configured and sending data to one of our two Logstash
- Stop the installed Filebeat
- systemctl stop filebeat
- Copy the directory /etc/filebeat to /etc/filebeat02
- Modify the IP from output.hosts in /etc/filebeat02/filebeat.yml
- Modify the registry file in /etc/filebeat02/filebeat.yml
- Replace #filebeat.registry_file: ${path.data}/registry by filebeat.registry_file: ${path.data}/registry02
- Copy the service file from the first Filebeat instance usually located ,at least in CentOS 7, at /etc/init.d/filebeat to /etc/init.d/filebeat02
- Replace args="-c /etc/filebeat/filebeat.yml by args="-c /etc/filebeat02/filebeat.yml
- Last step is to restart both services:
- systemctl restart filebeat
- systemctl restart filebeat02
Let me know once you are done.
Best regards,
Jesús
jesus.g...@wazuh.com
Jul 13, 2018, 11:47:12 AM7/13/18
to Wazuh mailing list
Hello again Felipe,
In addition to my last response I want to clarify the step of modifying the service file.
The next lines from the service file:
pidfile=${PIDFILE-/var/run/filebeat.pid}
...
args="-c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat"Must be modified as follow:
pidfile=${PIDFILE-/var/run/filebeat02.pid}
...
args="-c /etc/filebeat02/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat02 -path.data /var/lib/filebeat -path.logs /var/log/filebeat02"Also you must enable the service as follow:
systemctl enable filebeat02
systemctl daemon-reload
systemctl restart filebeat
systemctl restart filebeat02Regards,
Jesús
Felipe Andres Concha Sepúlveda
Jul 16, 2018, 3:48:05 AM7/16/18
to jesus.g...@wazuh.com, Wazuh mailing list
Jesus, thank you very much for the answer, very clear and specific, I only have one question:
At the next point you talk about modifying the file file filebeat.yml that is found in : /etc/filebeat02/filebeat.yml
- Modify the registry file in /etc/filebeat02/filebeat.yml
- Replace #filebeat.registry_file: ${path.data}/registry by filebeat.registry_file: ${path.data}/registry02
In my file I only have this, I do not have those lines that you tell me I must modify, I guess I must add them in the two instances, the old one located /etc/filebeat/filebeat.yml and the new one /etc/filebeat02/filebeat.yml
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/449256e8-e83c-4065-ab3e-4a5548a428c1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
jesus.g...@wazuh.com
Jul 16, 2018, 4:00:53 AM7/16/18
to Wazuh mailing list
Hi Felipe,
You are right, by default that option is not present. Take a look at https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html
to see all options. Any case you only must add those lines. Also note you should review my last response where I update about the service files.
Regards,
Jesús
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
Felipe Andres Concha Sepúlveda
Jul 16, 2018, 4:03:43 AM7/16/18
to jesus.g...@wazuh.com, Wazuh mailing list
Thank you Jesus,
I'm going to do the test and I'll tell you how it's going
Regards
Felipe
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/eaae68f4-8d9e-4a8a-979a-3a7c65ae2057%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages