
Filebeat apache module and Sidecar


I have Filebeat sending logs to my Graylog server, and I would like to send the Apache logs a bit more “formatted”, GELF-like. It looks like the Filebeat apache module does this for me, but I would like to know how to configure this module with Sidecar. If I add a module line into my configuration file, it doesn’t work.

How do you send your apache logs divided (host, remote IP, status, etc…)?

hehe, I had the same issue a few days ago… :wink:
the module only works in the ELK stack and not with Graylog :wink:


I have also tried to use Filebeat + GELF and could not get it to work. To solve this issue I installed Nxlog on my Linux server with Apache. I believe that there are configurations for Nxlog with the Sidecar.
I’m using GL4.0, ES 7.10.2, and MongoDb 4.4 on Ubuntu 20 with Nxlog-ce in my environment. I’m also using TCP/TLS for my connections.

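<Extension _gelf>
    Module      xm_gelf
</Extension>

###  Apache Log Files ###
<Input messages>
    Module       im_file
    File         "/var/log/apache2/*.log"
    SavePos       TRUE
    ReadFromLast  TRUE
</Input>

<Output out>
    Module      om_ssl
    # The post does not show a Host line; om_ssl needs one pointing at the Graylog server.
    # Host      <graylog-server>
    Port        51411
    OutputType  GELF_TCP
    CertFile        /var/lib/nxlog/cert/graylog3-certificate.pem
    CertKeyFile     /var/lib/nxlog/cert/graylog3-key.pem
    CAFile          /var/lib/nxlog/cert/cert3.pem
    KeyPass         secret
    # With AllowUntrusted true the server certificate is accepted without verification.
    AllowUntrusted  true
    # Send the unparsed log line as the GELF short_message.
    Exec $short_message = $raw_event;
    Exec $Hostname = hostname_fqdn();
</Output>

<Route apache_to_graylog>
    Path messages => out
</Route>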

My Input is configured like this:

### Linux Secure System GELF TCP ###
decompress_size_limit: 8388608
max_message_size: 2097152
number_worker_threads: 10
override_source: <empty>
port: 51411
recv_buffer_size: 1058576
tcp_keepalive: false
tls_cert_file: /etc/graylog/graylog3-certificate.pem
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: true
tls_key_file: /etc/graylog/graylog3-key.pem
use_null_delimiter: true

It might not be filebeat but it works.
NOTE: Make sure Nxlog has permissions to access the Apache logs.
Hope that helps.

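The question asks for Apache lines split into fields (remote IP, status, and so on), while the configuration in the thread ships each line whole as `short_message`. The following is an added example, not code from any poster: it shows what a split message looks like as a frame for a GELF TCP input with `use_null_delimiter: true`. It assumes the Apache "combined" log format; the field names (`_remote_ip`, `_status`, ...), the host name and the sample line are assumptions made for illustration.

```python
import json
import re
from datetime import datetime

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field; Apache writes an embedded quote as \"
COMBINED = re.compile(
    r'(\S+) \S+ (\S+) \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\d+|-)'
    r'(?: ' + QUOTED + ' ' + QUOTED + r')?\s*$'
)

# Constructed sample line, not taken from the thread.
SAMPLE = ('203.0.113.7 - alice [21/Oct/2021:10:15:32 -0500] '
          '"GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.68.0"')


def apache_to_gelf(line, host):
    """Return a GELF 1.1 dict; a line that does not parse is kept raw, never dropped."""
    line = line.rstrip("\r\n")
    gelf = {"version": "1.1", "host": host, "short_message": line}
    m = COMBINED.match(line)
    if m is None:
        gelf["_parse_error"] = "true"
        return gelf
    ip, user, when, request, status, size, referer, agent = m.groups()
    try:
        gelf["timestamp"] = datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    except ValueError:
        pass  # left unset, so the server stamps the message on receipt
    gelf["_remote_ip"] = ip
    gelf["_status"] = int(status)
    gelf["_bytes"] = 0 if size == "-" else int(size)
    parts = request.split(" ")
    if len(parts) == 3:  # malformed request lines stay only in short_message
        gelf["_method"], gelf["_path"], gelf["_protocol"] = parts
    for key, value in (("_user", user), ("_referer", referer), ("_agent", agent)):
        if value not in (None, "-", ""):
            gelf[key] = value
    return gelf


def frame(gelf):
    """One GELF TCP frame: compact JSON plus the null byte the input splits on."""
    # json.dumps escapes control characters, so a NUL inside a log line
    # becomes \u0000 and cannot end the frame early.
    return json.dumps(gelf, separators=(",", ":")).encode("utf-8") + b"\x00"
```

The bytes returned by `frame()` are what would be written to the TLS connection on port 51411; the socket and certificate handling are left out here.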